mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-11-24 15:01:13 +07:00
0fdfef9aa7
We really, really want to be encouraging use of secure dialects, and SMB3.1.1 offers useful security features, and will soon be the recommended dialect for many use cases. Simplify the code by removing the CONFIG_CIFS_SMB311 ifdef so users don't disable it in the build, and create compatibility and/or security issues with modern servers - many of which have been supporting this dialect for multiple years. Also clarify some of the Kconfig text for cifs.ko about SMB3.1.1 and current supported features in the module. Signed-off-by: Steve French <stfrench@microsoft.com> Acked-by: Aurelien Aptel <aaptel@suse.com> Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
224 lines
9.0 KiB
Plaintext
224 lines
9.0 KiB
Plaintext
config CIFS
|
|
tristate "SMB3 and CIFS support (advanced network filesystem)"
|
|
depends on INET
|
|
select NLS
|
|
select CRYPTO
|
|
select CRYPTO_MD4
|
|
select CRYPTO_MD5
|
|
select CRYPTO_SHA256
|
|
select CRYPTO_CMAC
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_ARC4
|
|
select CRYPTO_AEAD2
|
|
select CRYPTO_CCM
|
|
select CRYPTO_ECB
|
|
select CRYPTO_AES
|
|
select CRYPTO_DES
|
|
help
|
|
This is the client VFS module for the SMB3 family of NAS protocols,
|
|
(including support for the most recent, most secure dialect SMB3.1.1)
|
|
as well as for earlier dialects such as SMB2.1, SMB2 and the older
|
|
Common Internet File System (CIFS) protocol. CIFS was the successor
|
|
to the original dialect, the Server Message Block (SMB) protocol, the
|
|
native file sharing mechanism for most early PC operating systems.
|
|
|
|
The SMB3 protocol is supported by most modern operating systems
|
|
and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
|
|
MacOS) and even in the cloud (e.g. Microsoft Azure).
|
|
The older CIFS protocol was included in Windows NT4, 2000 and XP (and
|
|
later) as well by Samba (which provides excellent CIFS and SMB3
|
|
server support for Linux and many other operating systems). Use of
|
|
dialects older than SMB2.1 is often discouraged on public networks.
|
|
This module also provides limited support for OS/2 and Windows ME
|
|
and similar very old servers.
|
|
|
|
This module provides an advanced network file system client
|
|
for mounting to SMB3 (and CIFS) compliant servers. It includes
|
|
support for DFS (hierarchical name space), secure per-user
|
|
session establishment via Kerberos or NTLM or NTLMv2, RDMA
|
|
(smbdirect), advanced security features, per-share encryption,
|
|
directory leases, safe distributed caching (oplock), optional packet
|
|
signing, Unicode and other internationalization improvements.
|
|
|
|
In general, the default dialects, SMB3 and later, enable better
|
|
performance, security and features, than would be possible with CIFS.
|
|
Note that when mounting to Samba, due to the CIFS POSIX extensions,
|
|
CIFS mounts can provide slightly better POSIX compatibility
|
|
than SMB3 mounts. SMB2/SMB3 mount options are also
|
|
slightly simpler (compared to CIFS) due to protocol improvements.
|
|
|
|
If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.
|
|
|
|
config CIFS_STATS
|
|
bool "CIFS statistics"
|
|
depends on CIFS
|
|
help
|
|
Enabling this option will cause statistics for each server share
|
|
mounted by the cifs client to be displayed in /proc/fs/cifs/Stats
|
|
|
|
config CIFS_STATS2
|
|
bool "Extended statistics"
|
|
depends on CIFS_STATS
|
|
help
|
|
Enabling this option will allow more detailed statistics on SMB
|
|
request timing to be displayed in /proc/fs/cifs/DebugData and also
|
|
allow optional logging of slow responses to dmesg (depending on the
|
|
value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
|
|
These additional statistics may have a minor effect on performance
|
|
and memory utilization.
|
|
|
|
Unless you are a developer or are doing network performance analysis
|
|
or tuning, say N.
|
|
|
|
config CIFS_ALLOW_INSECURE_LEGACY
|
|
bool "Support legacy servers which use less secure dialects"
|
|
depends on CIFS
|
|
default y
|
|
help
|
|
Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
|
|
additional security features, including protection against
|
|
man-in-the-middle attacks and stronger crypto hashes, so the use
|
|
of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
|
|
|
|
Disabling this option prevents users from using vers=1.0 or vers=2.0
|
|
on mounts with cifs.ko
|
|
|
|
If unsure, say Y.
|
|
|
|
config CIFS_WEAK_PW_HASH
|
|
bool "Support legacy servers which use weaker LANMAN security"
|
|
depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
|
|
help
|
|
Modern CIFS servers including Samba and most Windows versions
|
|
(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
|
|
security mechanisms. These hash the password more securely
|
|
than the mechanisms used in the older LANMAN version of the
|
|
SMB protocol but LANMAN based authentication is needed to
|
|
establish sessions with some old SMB servers.
|
|
|
|
Enabling this option allows the cifs module to mount to older
|
|
LANMAN based servers such as OS/2 and Windows 95, but such
|
|
mounts may be less secure than mounts using NTLM or more recent
|
|
security mechanisms if you are on a public network. Unless you
|
|
have a need to access old SMB servers (and are on a private
|
|
network) you probably want to say N. Even if this support
|
|
is enabled in the kernel build, LANMAN authentication will not be
|
|
used automatically. At runtime LANMAN mounts are disabled but
|
|
can be set to required (or optional) either in
|
|
/proc/fs/cifs (see fs/cifs/README for more detail) or via an
|
|
option on the mount command. This support is disabled by
|
|
default in order to reduce the possibility of a downgrade
|
|
attack.
|
|
|
|
If unsure, say N.
|
|
|
|
config CIFS_UPCALL
|
|
bool "Kerberos/SPNEGO advanced session setup"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Enables an upcall mechanism for CIFS which accesses userspace helper
|
|
utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
|
|
which are needed to mount to certain secure servers (for which more
|
|
secure Kerberos authentication is required). If unsure, say Y.
|
|
|
|
config CIFS_XATTR
|
|
bool "CIFS extended attributes"
|
|
depends on CIFS
|
|
help
|
|
Extended attributes are name:value pairs associated with inodes by
|
|
the kernel or by users (see the attr(5) manual page for details).
|
|
CIFS maps the name of extended attributes beginning with the user
|
|
namespace prefix to SMB/CIFS EAs. EAs are stored on Windows
|
|
servers without the user namespace prefix, but their names are
|
|
seen by Linux cifs clients prefaced by the user namespace prefix.
|
|
The system namespace (used by some filesystems to store ACLs) is
|
|
not supported at this time.
|
|
|
|
If unsure, say Y.
|
|
|
|
config CIFS_POSIX
|
|
bool "CIFS POSIX Extensions"
|
|
depends on CIFS_XATTR
|
|
help
|
|
Enabling this option will cause the cifs client to attempt to
|
|
negotiate a newer dialect with servers, such as Samba 3.0.5
|
|
or later, that optionally can handle more POSIX like (rather
|
|
than Windows like) file behavior. It also enables
|
|
support for POSIX ACLs (getfacl and setfacl) to servers
|
|
(such as Samba 3.10 and later) which can negotiate
|
|
CIFS POSIX ACL support. If unsure, say N.
|
|
|
|
config CIFS_ACL
|
|
bool "Provide CIFS ACL support"
|
|
depends on CIFS_XATTR && KEYS
|
|
help
|
|
Allows fetching CIFS/NTFS ACL from the server. The DACL blob
|
|
is handed over to the application/caller. See the man
|
|
page for getcifsacl for more information. If unsure, say Y.
|
|
|
|
config CIFS_DEBUG
|
|
bool "Enable CIFS debugging routines"
|
|
default y
|
|
depends on CIFS
|
|
help
|
|
Enabling this option adds helpful debugging messages to
|
|
the cifs code which increases the size of the cifs module.
|
|
If unsure, say Y.
|
|
config CIFS_DEBUG2
|
|
bool "Enable additional CIFS debugging routines"
|
|
depends on CIFS_DEBUG
|
|
help
|
|
Enabling this option adds a few more debugging routines
|
|
to the cifs code which slightly increases the size of
|
|
the cifs module and can cause additional logging of debug
|
|
messages in some error paths, slowing performance. This
|
|
option can be turned off unless you are debugging
|
|
cifs problems. If unsure, say N.
|
|
|
|
config CIFS_DEBUG_DUMP_KEYS
|
|
bool "Dump encryption keys for offline decryption (Unsafe)"
|
|
depends on CIFS_DEBUG
|
|
help
|
|
Enabling this will dump the encryption and decryption keys
|
|
used to communicate on an encrypted share connection on the
|
|
console. This allows Wireshark to decrypt and dissect
|
|
encrypted network captures. Enable this carefully.
|
|
If unsure, say N.
|
|
|
|
config CIFS_DFS_UPCALL
|
|
bool "DFS feature support"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Distributed File System (DFS) support is used to access shares
|
|
transparently in an enterprise name space, even if the share
|
|
moves to a different server. This feature also enables
|
|
an upcall mechanism for CIFS which contacts userspace helper
|
|
utilities to provide server name resolution (host names to
|
|
IP addresses) which is needed for implicit mounts of DFS junction
|
|
points. If unsure, say Y.
|
|
|
|
config CIFS_NFSD_EXPORT
|
|
bool "Allow nfsd to export CIFS file system"
|
|
depends on CIFS && BROKEN
|
|
help
|
|
Allows NFS server to export a CIFS mounted share (nfsd over cifs)
|
|
|
|
config CIFS_SMB_DIRECT
|
|
bool "SMB Direct support (Experimental)"
|
|
depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
|
|
help
|
|
Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
|
|
SMB Direct allows transferring SMB packets over RDMA. If unsure,
|
|
say N.
|
|
|
|
config CIFS_FSCACHE
|
|
bool "Provide CIFS client caching support"
|
|
depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
|
|
help
|
|
Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
|
|
to be cached locally on disk through the general filesystem cache
|
|
manager. If unsure, say N.
|
|
|