| Message ID | 20180515090503.11182-1-aaptel@suse.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Both patches look fine - can add my reviewed by if desired Reviewed-by: Steve French <smfrench@gmail.com> On Tue, May 15, 2018 at 4:05 AM, Aurelien Aptel <aaptel@suse.com> wrote: > Signed-off-by: Aurelien Aptel <aaptel@suse.com> > --- > cifs.idmap.rst.in | 71 ++++++------------- > cifs.upcall.rst.in | 200 ++++++++++++++++++++--------------------------------- > cifscreds.rst | 92 ++++++++---------------- > getcifsacl.rst.in | 40 +++-------- > idmapwb.rst.in | 19 +++-- > mount.cifs.rst | 9 ++- > pam_cifscreds.rst | 61 +++++----------- > setcifsacl.rst.in | 143 ++++++++++---------------------------- > 8 files changed, 201 insertions(+), 434 deletions(-) > > diff --git a/cifs.idmap.rst.in b/cifs.idmap.rst.in > index 91b585e..60d7f0a 100644 > --- a/cifs.idmap.rst.in > +++ b/cifs.idmap.rst.in > @@ -11,124 +11,93 @@ Userspace helper for mapping ids for Common Internet File System (CIFS) > SYNOPSIS > ******** > > - > -cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} > - > + cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -\ **cifs.idmap**\ is a userspace helper program for the linux CIFS client > +``cifs.idmap`` is a userspace helper program for the linux CIFS client > filesystem. There are a number of activities that the kernel cannot > easily do itself. This program is a callout program that does these > things for the kernel and then returns the result. > > -\ **cifs.idmap**\ is generally intended to be run when the kernel calls > +``cifs.idmap`` is generally intended to be run when the kernel calls > request-key(8) for a particular key type. While it can be run > directly from the command-line, it is not generally intended to be run > that way. > > -This program is only called if a share is mounted with the \ **cifsacl**\ > +This program is only called if a share is mounted with the ``cifsacl`` > mount option. The kernel will only upcall to do this conversion if > that mount option is specified. > > -\ **cifs.idmap**\ relies on a plugin to handle the ID mapping. If it can't > +``cifs.idmap`` relies on a plugin to handle the ID mapping. If it can't > find the plugin then it will not work properly. The plugin (or a > symlink to it) must be at @pluginpath@. > > -In the case where \ **cifs.idmap**\ or the plugin are unavailable, file > +In the case where ``cifs.idmap`` or the plugin are unavailable, file > objects in a mounted share are assigned uid and gid of the credentials > of the process that mounted the share. It is strongly recomemended to > use mount options of uid and gid to specify a default uid and gid to > map owner SIDs and group SIDs in this situation. > > - > ******* > OPTIONS > ******* > > +--help|-h > + Print the usage message and exit. > > +--timeout|-t > + Set the expiration timer, in seconds on the key. The default is 600 > + seconds (10 minutes). Setting this to 0 will cause the key to never > + expire. > > -\ **--help|-h**\ > - > - Print the usage message and exit. > - > - > - > -\ **--timeout|-t**\ > - > - Set the expiration timer, in seconds on the key. The default is 600 > - seconds (10 minutes). Setting this to 0 will cause the key to never > - expire. > - > - > - > -\ **--version|-v**\ > - > - Print version number and exit. > - > - > - > +--version|-v > + Print version number and exit. > > ************************ > CONFIGURATION FOR KEYCTL > ************************ > > - > -\ **cifs.idmap**\ is designed to be called from the kernel via the > +``cifs.idmap`` is designed to be called from the kernel via the > request-key callout program. This requires that request-key be told > -where and how to call this program. Currently \ **cifs.idmap**\ handles a > -key type of: > +where and how to call this program. Currently ``cifs.idmap`` handles a > +key type of:: > > + cifs.idmap > > -\ **cifs.idmap**\ > - > - This keytype is for mapping a SID to either an uid or a gid > - > - > +This keytype is for mapping a SID to either an uid or a gid. > > To make this program useful for CIFS, you will need to set up entry for it in > -request-key.conf(5). Here is an example of an entry for this key type: > - > - > -.. code-block:: perl > +request-key.conf(5). Here is an example of an entry for this key type:: > > #OPERATION TYPE D C PROGRAM ARG1 ARG2... > #========= ============= = = ================================ > create cifs.idmap * * @sbindir@/cifs.idmap %k > > - > See request-key.conf(5) for more info on each field. > > - > ***** > NOTES > ***** > > - > Support for upcalls to cifs.idmap was initially introduced in the 3.0 > kernel. > > - > ******** > SEE ALSO > ******** > > - > request-key.conf(5), mount.cifs(8) > > - > ****** > AUTHOR > ****** > > - > Shirish Pargaonkar wrote the cifs.idmap program. > > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. > - > diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in > index 8f4ee62..1b8df3f 100644 > --- a/cifs.upcall.rst.in > +++ b/cifs.upcall.rst.in > @@ -7,178 +7,131 @@ Userspace upcall helper for Common Internet File System (CIFS) > -------------------------------------------------------------- > :Manual section: 8 > > - > ******** > SYNOPSIS > ******** > > -.. code-block:: perl > - > - cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] > - [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] > - [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} > - > - > + cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] > + [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] > + [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -\ **cifs.upcall**\ is a userspace helper program for the linux CIFS client > +``cifs.upcall`` is a userspace helper program for the linux CIFS client > filesystem. There are a number of activities that the kernel cannot > easily do itself. This program is a callout program that does these > things for the kernel and then returns the result. > > -\ **cifs.upcall**\ is generally intended to be run when the kernel calls > +``cifs.upcall`` is generally intended to be run when the kernel calls > request-key(8) for a particular key type. While it can be run > directly from the command-line, it's not generally intended to be run > that way. > > - > ******* > OPTIONS > ******* > > - > - > -\ **-c**\ > - > - This option is deprecated and is currently ignored. > - > - > - > -\ **--no-env-probe|-E**\ > - > - Normally, \ **cifs.upcall**\ will probe the environment variable space of > - the process that initiated the upcall in order to fetch the value of > - \ ``$KRB5CCNAME``\ . This can assist the program with finding credential > - caches in non-default locations. If this option is set, then the > - program won't do this and will rely on finding credcaches in the > - default locations specified in \ *krb5.conf*\ . Note that this is never > - performed when the uid is 0. The default credcache location is always > - used when the uid is 0, regardless of the environment variable setting > - in the process. > - > - > - > -\ **--krb5conf|-k=/path/to/krb5.conf**\ > - > - This option allows administrators to set an alternate location for the > - \ *krb5.conf*\ file that \ **cifs.upcall**\ will use. > - > - > - > -\ **--keytab=|-K=/path/to/keytab**\ > - > - This option allows administrators to specify a keytab file to be > - used. When a user has no credential cache already established, > - \ **cifs.upcall**\ will attempt to use this keytab to acquire them. The > - default is the system-wide keytab \ */etc/krb5.keytab*\ . > - > - > - > -\ **--trust-dns|-t**\ > - > - With krb5 upcalls, the name used as the host portion of the service > - principal defaults to the hostname portion of the UNC. This option > - allows the upcall program to reverse resolve the network address of > - the server in order to get the hostname. > - > - This is less secure than not trusting DNS. When using this option, > - it's possible that an attacker could get control of DNS and trick the > - client into mounting a different server altogether. It's preferable to > - instead add server principals to the KDC for every possible hostname, > - but this option exists for cases where that isn't possible. The > - default is to not trust reverse hostname lookups in this fashion. > - > - > - > -\ **--legacy-uid|-l**\ > - > - Traditionally, the kernel has sent only a single uid= parameter to the > - upcall for the SPNEGO upcall that's used to determine what user's > - credential cache to use. This parameter is affected by the \ **uid=**\ > - mount option, which also governs the ownership of files on the mount. > - > - Newer kernels send a creduid= option as well, which contains what uid > - it thinks actually owns the credentials that it's looking for. At > - mount time, this is generally set to the real uid of the user doing > - the mount. For multisession mounts, it's set to the fsuid of the mount > - user. Set this option if you want cifs.upcall to use the older \ **uid=**\ > - parameter instead of the creduid= parameter. > - > - > - > -\ **--version|-v**\ > - > - Print version number and exit. > - > - > - > +-c > + This option is deprecated and is currently ignored. > + > +--no-env-probe|-E > + Normally, ``cifs.upcall`` will probe the environment variable space of > + the process that initiated the upcall in order to fetch the value of > + ``$KRB5CCNAME``. This can assist the program with finding credential > + caches in non-default locations. If this option is set, then the > + program won't do this and will rely on finding credcaches in the > + default locations specified in *krb5.conf*. Note that this is never > + performed when the uid is 0. The default credcache location is always > + used when the uid is 0, regardless of the environment variable setting > + in the process. > + > +--krb5conf|-k=/path/to/krb5.conf > + This option allows administrators to set an alternate location for the > + *krb5.conf* file that ``cifs.upcall`` will use. > + > +--keytab=|-K=/path/to/keytab > + This option allows administrators to specify a keytab file to be > + used. When a user has no credential cache already established, > + ``cifs.upcall`` will attempt to use this keytab to acquire them. The > + default is the system-wide keytab */etc/krb5.keytab*. > + > +--trust-dns|-t > + With krb5 upcalls, the name used as the host portion of the service > + principal defaults to the hostname portion of the UNC. This option > + allows the upcall program to reverse resolve the network address of > + the server in order to get the hostname. > + > + This is less secure than not trusting DNS. When using this option, > + it's possible that an attacker could get control of DNS and trick the > + client into mounting a different server altogether. It's preferable to > + instead add server principals to the KDC for every possible hostname, > + but this option exists for cases where that isn't possible. The > + default is to not trust reverse hostname lookups in this fashion. > + > +--legacy-uid|-l > + Traditionally, the kernel has sent only a single uid= parameter to the > + upcall for the SPNEGO upcall that's used to determine what user's > + credential cache to use. This parameter is affected by the uid= > + mount option, which also governs the ownership of files on the mount. > + > + Newer kernels send a creduid= option as well, which contains what uid > + it thinks actually owns the credentials that it's looking for. At > + mount time, this is generally set to the real uid of the user doing > + the mount. For multisession mounts, it's set to the fsuid of the mount > + user. Set this option if you want cifs.upcall to use the older uid= > + parameter instead of the creduid= parameter. > + > +--version|-v > + Print version number and exit. > > ************************ > CONFIGURATION FOR KEYCTL > ************************ > > - > -\ **cifs.upcall**\ is designed to be called from the kernel via the > +``cifs.upcall`` is designed to be called from the kernel via the > request-key callout program. This requires that request-key be told > -where and how to call this program. The current \ **cifs.upcall**\ > +where and how to call this program. The current ``cifs.upcall`` > program handles two different key types: > > +cifs.spnego > + This keytype is for retrieving kerberos session keys > + > +dns_resolver > + This key type is for resolving hostnames into IP addresses. Support > + for this key type may eventually be deprecated (see below). > + > + To make this program useful for CIFS, you'll need to set up entries > + for them in request-key.conf(5). Here's an example of an entry for > + each key type:: > > -\ **cifs.spnego**\ > - > - This keytype is for retrieving kerberos session keys > - > - > - > -\ **dns_resolver**\ > - > - This key type is for resolving hostnames into IP addresses. Support > - for this key type may eventually be deprecated (see below). > - > - To make this program useful for CIFS, you'll need to set up entries > - for them in request-key.conf(5). Here's an example of an entry for > - each key type: > - > - > - .. code-block:: perl > - > #OPERATION TYPE D C PROGRAM ARG1 ARG2... > #========= ============= = = ================================ > create cifs.spnego * * @sbindir@/cifs.upcall %k > create dns_resolver * * @sbindir@/cifs.upcall %k > - > - > - See request-key.conf(5) for more info on each field. > - > - The keyutils package has also started including a dns_resolver > - handling program as well that is preferred over the one in > - \ **cifs.upcall.**\ If you are using a keyutils version equal to or > - greater than 1.5, you should use \ ``key.dns_resolver``\ to handle the > - \ ``dns_resolver``\ keytype instead of \ **cifs.upcall**\ . See > - key.dns_resolver(8) for more info. > - > > + See request-key.conf(5) for more info on each field. > > + The keyutils package has also started including a dns_resolver > + handling program as well that is preferred over the one in > + ``cifs.upcall``. If you are using a keyutils version equal to or > + greater than 1.5, you should use ``key.dns_resolver`` to handle the > + ``dns_resolver`` keytype instead of ``cifs.upcall``. See > + key.dns_resolver(8) for more info. > > ******** > SEE ALSO > ******** > > - > request-key.conf(5), mount.cifs(8), key.dns_resolver(8) > > - > ****** > AUTHOR > ****** > > - > Igor Mammedov wrote the cifs.upcall program. > > Jeff Layton authored this manpage. > @@ -187,4 +140,3 @@ The maintainer of the Linux CIFS VFS is Steve French. > > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. > - > diff --git a/cifscreds.rst b/cifscreds.rst > index 5c2a195..a6676cb 100644 > --- a/cifscreds.rst > +++ b/cifscreds.rst > @@ -5,125 +5,91 @@ cifscreds > ----------------------------------------- > manage NTLM credentials in kernel keyring > ----------------------------------------- > - > :Manual section: 1 > > ******** > SYNOPSIS > ******** > > - > -cifscreds add|clear|clearall|update [-u username] [-d] host|domain > - > + cifscreds add|clear|clearall|update [-u username] [-d] host|domain > > *********** > DESCRIPTION > *********** > > - > -The \ **cifscreds**\ program is a tool for managing credentials (username > +The ``cifscreds`` program is a tool for managing credentials (username > and password) for the purpose of establishing sessions in multiuser > mounts. > > When a cifs filesystem is mounted with the "multiuser" option, and does > not use krb5 authentication, it needs to be able to get the credentials > -for each user from somewhere. The \ **cifscreds**\ program is the tool used > +for each user from somewhere. The ``cifscreds`` program is the tool used > to provide these credentials to the kernel. > > The first non-option argument to cifscreds is a command (see the > -\ **COMMANDS**\ section below). The second non-option argument is a hostname > +`COMMANDS`_ section below). The second non-option argument is a hostname > or address, or an NT domain name. > > - > ******** > COMMANDS > ******** > > +add > + Add credentials to the kernel to be used for connecting to the given > + server, or servers in the given domain. > > +clear > + Clear credentials for a particular host or domain from the kernel. > > -\ **add**\ > - > - Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain. > - > - > - > -\ **clear**\ > - > - Clear credentials for a particular host or domain from the kernel. > - > - > - > -\ **clearall**\ > - > - Clear all cifs credentials from the kernel. > - > - > - > -\ **update**\ > - > - Update stored credentials in the kernel with a new username and > - password. > - > - > +clearall > + Clear all cifs credentials from the kernel. > > +update > + Update stored credentials in the kernel with a new username and > + password. > > ******* > OPTIONS > ******* > > +-d, --domain > + The provided host/domain argument is a NT domainname. > > + Ordinarily the second argument provided to cifscreds is treated as a > + hostname or IP address. This option causes the cifscreds program to > + treat that argument as an NT domainname instead. > > -\ **-d**\ , \ **--domain**\ > - > - The provided host/domain argument is a NT domainname. > - > - Ordinarily the second argument provided to cifscreds is treated as a > - hostname or IP address. This option causes the cifscreds program to > - treat that argument as an NT domainname instead. > - > - If there are not host specific credentials for the mounted server, then > - the kernel will next look for a set of domain credentials equivalent to > - the domain= option provided at mount time. > - > - > - > -\ **-u**\ , \ **--username**\ > - > - Ordinarily, the username is derived from the unix username of the user > - adding the credentials. This option allows the user to substitute a > - different username. > - > - > + If there are not host specific credentials for the mounted server, then > + the kernel will next look for a set of domain credentials equivalent to > + the domain= option provided at mount time. > > +-u, --username > + Ordinarily, the username is derived from the unix username of the user > + adding the credentials. This option allows the user to substitute a > + different username. > > ***** > NOTES > ***** > > - > The cifscreds utility requires a kernel built with support for the > -\ **login**\ key type. That key type was added in v3.3 in mainline Linux > +``login`` key type. That key type was added in v3.3 in mainline Linux > kernels. > > -Since \ **cifscreds**\ adds keys to the session keyring, it is highly > -recommended that one use \ **pam_keyinit**\ to ensure that a session keyring > +Since ``cifscreds`` adds keys to the session keyring, it is highly > +recommended that one use ``pam_keyinit`` to ensure that a session keyring > is established at login time. > > - > ******** > SEE ALSO > ******** > > - > pam_keyinit(8) > > - > ******* > AUTHORS > ******* > > - > The cifscreds program was originally developed by Igor Druzhinin > <jaxbrigs@gmail.com>. This manpage and a redesign of the code was done > by Jeff Layton <jlayton@samba.org>. > - > diff --git a/getcifsacl.rst.in b/getcifsacl.rst.in > index 42af258..21a10cd 100644 > --- a/getcifsacl.rst.in > +++ b/getcifsacl.rst.in > @@ -7,80 +7,60 @@ Userspace helper to display an ACL in a security descriptor for Common Internet > -------------------------------------------------------------------------------------------------- > :Manual section: 1 > > - > ******** > SYNOPSIS > ******** > > - > -getcifsacl [-v|-r] {file system object} > - > + getcifsacl [-v|-r] {file system object} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -getcifsacl is a userspace helper program for the Linux CIFS client > +``getcifsacl`` is a userspace helper program for the Linux CIFS client > file system. It is intended to display a security descriptor including > ACL for a file system object. > > This program uses a plugin to handle the mapping of SIDs to user and > -group names. \ *@pluginpath@*\ should be a symlink that points to the > +group names. *@pluginpath@* should be a symlink that points to the > correct plugin to use. > > Fields of an ACE such as SID, type, flags, and mask are displayed > -separated by /. Numeric values of type, flags, and mask are displayed > +separated by /. Numeric values of type, flags, and mask are displayed > in hexadecimal format. > > - > ******* > OPTIONS > ******* > > +-v > + Print version number and exit. > > - > -\ **-v**\ > - > - Print version number and exit. > - > - > - > -\ **-r**\ > - > - Display a security descriptor in raw mode. Values such as type and > - flags are displayed in hexadecimal format, a SID is not mapped to a > - name. > - > - > - > +-r > + Display a security descriptor in raw mode. Values such as type and > + flags are displayed in hexadecimal format, a SID is not mapped to a > + name. > > ***** > NOTES > ***** > > - > Kernel support for getcifsacl/setcifsacl utilities was initially > introduced in the 2.6.37 kernel. > > - > ******** > SEE ALSO > ******** > > - > mount.cifs(8), setcifsacl(1) > > - > ****** > AUTHOR > ****** > > - > Shirish Pargaonkar wrote the getcifsacl program. > > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. > - > diff --git a/idmapwb.rst.in b/idmapwb.rst.in > index 4d7fd62..c03e4ca 100644 > --- a/idmapwb.rst.in > +++ b/idmapwb.rst.in > @@ -7,31 +7,28 @@ winbind ID mapping plugin for cifs-utils > ---------------------------------------- > :Manual section: 8 > > - > *********** > DESCRIPTION > *********** > > - > This plugin allows the utilities in cifs-utils to work in conjuction with > the winbind facility of Samba suite. It handles several functions including > mapping UID and GID to SIDs and vice versa. > > Utilities are usually configured to use the correct plugin by creating a > -symlink at @pluginpath@ that points to the correct plugin that you wish > +symlink at *@pluginpath@* that points to the correct plugin that you wish > to use. > > -This plugin requires that \ **winbindd(8)**\ be properly configured and running. > +This plugin requires that winbindd(8) be properly configured and running. > > - > -******************************************************************************* > +******** > SEE ALSO > -******************************************************************************* > -getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) > - > +******** > > +getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) > > -***************************************************************** > +****** > AUTHOR > -***************************************************************** > +****** > + > idmapwb.so was written by Jeff Layton <jlayton@samba.org> > diff --git a/mount.cifs.rst b/mount.cifs.rst > index a81c6c4..c0f0bdb 100644 > --- a/mount.cifs.rst > +++ b/mount.cifs.rst > @@ -47,7 +47,6 @@ unmounted (usually via the ``umount`` utility). > OPTIONS > ******* > > - > username=arg|user=arg > specifies the username to connect as. If this is not > given, then the environment variable USER is used. > @@ -84,9 +83,9 @@ credentials=filename|cred=filename > password=value > domain=value > > - This is preferred over having passwords in plaintext in a shared file, > - such as ``/etc/fstab`` . Be sure to protect any credentials file > - properly. > + This is preferred over having passwords in plaintext in a shared file, > + such as */etc/fstab* . Be sure to protect any credentials file > + properly. > > uid=arg > sets the uid that will own all files or directories on the mounted > @@ -558,7 +557,7 @@ It's generally preferred to use forward slashes (/) as a delimiter in > service names. They are considered to be the "universal delimiter" > since they are generally not allowed to be embedded within path > components on Windows machines and the client can convert them to > -backslashes (\) unconditionally. Conversely, backslash characters are > +backslashes (\\) unconditionally. Conversely, backslash characters are > allowed by POSIX to be part of a path component, and can't be > automatically converted in the same way. > > diff --git a/pam_cifscreds.rst b/pam_cifscreds.rst > index 8e8308c..4e89bfd 100644 > --- a/pam_cifscreds.rst > +++ b/pam_cifscreds.rst > @@ -7,110 +7,83 @@ PAM module to manage NTLM credentials in kernel keyring > ------------------------------------------------------- > :Manual section: 8 > > - > ******** > SYNOPSIS > ******** > > - > Edit the PAM configuration files for the systems that you want to > -automatically register NTLM credentials for, e.g. /etc/pam.d/login, > -and modify as follows: > - > - > -.. code-block:: perl > +automatically register NTLM credentials for, e.g. */etc/pam.d/login*, > +and modify as follows:: > > ... > auth substack system-auth > +++ auth optional pam_cifscreds.so > auth include postlogin > ... > - > + > ... > session include system-auth > +++ session optional pam_cifscreds.so domain=DOMAIN > session include postlogin > ... > > - > Change DOMAIN to the name of you Windows domain, or use host= as > described below. > > - > *********** > DESCRIPTION > *********** > > - > -The \ **pam_cifscreds**\ PAM module is a tool for automatically adding > +The ``pam_cifscreds`` PAM module is a tool for automatically adding > credentials (username and password) for the purpose of establishing > sessions in multiuser mounts. > > When a cifs filesystem is mounted with the "multiuser" option, and does > not use krb5 authentication, it needs to be able to get the credentials > -for each user from somewhere. The \ **pam_cifscreds**\ module can be used > +for each user from somewhere. The ``pam_cifscreds`` module can be used > to provide these credentials to the kernel automatically at login. > > In the session section of the PAM configuration file, the module can > either an NT domain name or a list of hostname or addresses. > > - > ******* > OPTIONS > ******* > > +``pam_cifscreds`` supports a couple options which can be set in the PAM > +configuration files. You must have one (and only one) of ``domain=`` or > +``host=``. > > -\ **pam_cifscreds**\ supports a couple options which can be set in the PAM > -configuration files. You must have one (and only one) of domain= or > -host=. > - > - > -\ **debug**\ > - > - Turns on some extra debug logging. > - > - > - > -\ **domain**\ =<NT domain name> > - > - Credentials will be added for the specified NT domain name. > - > - > - > -\ **host**\ =<hostname or IP address>[,...] > - > - Credentials will be added for the specified hostnames or IP addresses. > - > +debug > + Turns on some extra debug logging. > > +domain=<NT domain name> > + Credentials will be added for the specified NT domain name. > > +host=<hostname or IP address>[,...] > + Credentials will be added for the specified hostnames or IP addresses. > > ***** > NOTES > ***** > > - > The pam_cifscreds PAM module requires a kernel built with support for > -the \ **login**\ key type. That key type was added in v3.3 in mainline Linux > +the ``login`` key type. That key type was added in v3.3 in mainline Linux > kernels. > > -Since \ **pam_cifscreds**\ adds keys to the session keyring, it is highly > -recommended that one use \ **pam_keyinit**\ to ensure that a session keyring > +Since ``pam_cifscreds`` adds keys to the session keyring, it is highly > +recommended that one use ``pam_keyinit`` to ensure that a session keyring > is established at login time. > > - > ******** > SEE ALSO > ******** > > - > cifscreds(1), pam_keyinit(8) > > - > ****** > AUTHOR > ****** > > - > The pam_cifscreds PAM module was developed by Orion Poplawski > <orion@nwra.com>. > - > diff --git a/setcifsacl.rst.in b/setcifsacl.rst.in > index ea981e2..de9c758 100644 > --- a/setcifsacl.rst.in > +++ b/setcifsacl.rst.in > @@ -7,179 +7,110 @@ Userspace helper to alter an ACL in a security descriptor for Common Internet Fi > ------------------------------------------------------------------------------------------------ > :Manual section: 1 > > - > ******** > SYNOPSIS > ******** > > - > -setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} > - > + setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -\ **setcifsacl**\ is a userspace helper program for the Linux CIFS client > -file system. It is intended to alter an ACL of a security descriptor > -for a file system object. Whether a security descriptor to be set is > +``setcifsacl`` is a userspace helper program for the Linux CIFS client > +file system. It is intended to alter an ACL of a security descriptor > +for a file system object. Whether a security descriptor to be set is > applied or not is determined by the CIFS/SMB server. > > This program uses a plugin to handle the mapping of user and group > -names to SIDs. ``@pluginpath@`` should be a symlink that points to the > +names to SIDs. *@pluginpath@* should be a symlink that points to the > correct plugin to use. > > - > ******* > OPTIONS > ******* > > +-h > + Print usage message and exit. > > +-v > + Print version number and exit. > > -\ **-h**\ > - > - Print usage message and exit. > - > - > - > -\ **-v**\ > - > - Print version number and exit. > - > +-a > + Add one or more ACEs to an ACL of a security descriptor. An ACE is > + added even if the same ACE exists in the ACL. > > +-D > + Delete one or more ACEs from an ACL of a security descriptor. Entire > + ACE has to match in an existing ACL for the listed ACEs to be deleted. > > -\ **-a**\ > - > - Add one or more ACEs to an ACL of a security descriptor. An ACE is > - added even if the same ACE exists in the ACL. > - > +-M > + Modify one or more ACEs from an ACL of a security descriptor. SID and > + type are used to match for existing ACEs to be modified with the list > + of ACEs specified. > > +-S > + Set an ACL of security descriptor with the list of ACEs Existing ACL > + is replaced entirely with the specified ACEs. > > -\ **-D**\ > - > - Delete one or more ACEs from an ACL of a security descriptor. Entire > - ACE has to match in an existing ACL for the listed ACEs to be deleted. > - > - > - > -\ **-M**\ > - > - Modify one or more ACEs from an ACL of a security descriptor. SID and > - type are used to match for existing ACEs to be modified with the list > - of ACEs specified. > - > - > - > -\ **-S**\ > - > - Set an ACL of security descriptor with the list of ACEs Existing ACL > - is replaced entirely with the specified ACEs. > - > - Every ACE entry starts with "ACL:" One or more ACEs are specified > - within double quotes. Multiple ACEs are separated by a comma. > - > - Following fields of an ACE can be modified with possible values: > - > - > - \ **SID**\ - Either a name or a raw SID value. > - > - > - > - \ **type**\ - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) > - > - > - > - \ **flags**\ - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or > - 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10) > - or a combination/OR of these values. > - > - > - > - \ **mask**\ - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value > - > - > - > + Every ACE entry starts with "ACL:" One or more ACEs are specified > + within double quotes. Multiple ACEs are separated by a comma. > > + Following fields of an ACE can be modified with possible values: > > + - ``SID`` - Either a name or a raw SID value. > + - ``type`` - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) > + - ``flags`` - OBJECT_INHERIT_FLAG (OI or 0x1), > + CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI > + or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or > + 0x10) or a combination/OR of these values. > + - ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value. > > ******** > EXAMPLES > ******** > > - > Add an ACE > ========== > > - > - > -.. code-block:: perl > - > - setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name> > - setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name> > - > - > + setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name> > + setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name> > > Delete an ACE > ============= > > - > - > -.. code-block:: perl > - > - setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name> > - > - > + setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name> > > Modify an ACE > ============= > > - > - > -.. code-block:: perl > - > - setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name> > - > - > + setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name> > > Set an ACL > ========== > > - > - > -.. code-block:: perl > - > - setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name> > - > - > - > + setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name> > > ***** > NOTES > ***** > > - > Kernel support for getcifsacl/setcifsacl utilities was initially > introduced in the 2.6.37 kernel. > > - > ******** > SEE ALSO > ******** > > - > mount.cifs(8), getcifsacl(1) > > - > ****** > AUTHOR > ****** > > - > Shirish Pargaonkar wrote the setcifsacl program. > > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. > - > -- > 2.13.6 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/cifs.idmap.rst.in b/cifs.idmap.rst.in index 91b585e..60d7f0a 100644 --- a/cifs.idmap.rst.in +++ b/cifs.idmap.rst.in @@ -11,124 +11,93 @@ Userspace helper for mapping ids for Common Internet File System (CIFS) SYNOPSIS ******** - -cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} - + cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} *********** DESCRIPTION *********** - This tool is part of the cifs-utils suite. -\ **cifs.idmap**\ is a userspace helper program for the linux CIFS client +``cifs.idmap`` is a userspace helper program for the linux CIFS client filesystem. There are a number of activities that the kernel cannot easily do itself. This program is a callout program that does these things for the kernel and then returns the result. -\ **cifs.idmap**\ is generally intended to be run when the kernel calls +``cifs.idmap`` is generally intended to be run when the kernel calls request-key(8) for a particular key type. While it can be run directly from the command-line, it is not generally intended to be run that way. -This program is only called if a share is mounted with the \ **cifsacl**\ +This program is only called if a share is mounted with the ``cifsacl`` mount option. The kernel will only upcall to do this conversion if that mount option is specified. -\ **cifs.idmap**\ relies on a plugin to handle the ID mapping. If it can't +``cifs.idmap`` relies on a plugin to handle the ID mapping. If it can't find the plugin then it will not work properly. The plugin (or a symlink to it) must be at @pluginpath@. -In the case where \ **cifs.idmap**\ or the plugin are unavailable, file +In the case where ``cifs.idmap`` or the plugin are unavailable, file objects in a mounted share are assigned uid and gid of the credentials of the process that mounted the share. It is strongly recomemended to use mount options of uid and gid to specify a default uid and gid to map owner SIDs and group SIDs in this situation. - ******* OPTIONS ******* +--help|-h + Print the usage message and exit. +--timeout|-t + Set the expiration timer, in seconds on the key. The default is 600 + seconds (10 minutes). Setting this to 0 will cause the key to never + expire. -\ **--help|-h**\ - - Print the usage message and exit. - - - -\ **--timeout|-t**\ - - Set the expiration timer, in seconds on the key. The default is 600 - seconds (10 minutes). Setting this to 0 will cause the key to never - expire. - - - -\ **--version|-v**\ - - Print version number and exit. - - - +--version|-v + Print version number and exit. ************************ CONFIGURATION FOR KEYCTL ************************ - -\ **cifs.idmap**\ is designed to be called from the kernel via the +``cifs.idmap`` is designed to be called from the kernel via the request-key callout program. This requires that request-key be told -where and how to call this program. Currently \ **cifs.idmap**\ handles a -key type of: +where and how to call this program. Currently ``cifs.idmap`` handles a +key type of:: + cifs.idmap -\ **cifs.idmap**\ - - This keytype is for mapping a SID to either an uid or a gid - - +This keytype is for mapping a SID to either an uid or a gid. To make this program useful for CIFS, you will need to set up entry for it in -request-key.conf(5). Here is an example of an entry for this key type: - - -.. code-block:: perl +request-key.conf(5). Here is an example of an entry for this key type:: #OPERATION TYPE D C PROGRAM ARG1 ARG2... #========= ============= = = ================================ create cifs.idmap * * @sbindir@/cifs.idmap %k - See request-key.conf(5) for more info on each field. - ***** NOTES ***** - Support for upcalls to cifs.idmap was initially introduced in the 3.0 kernel. - ******** SEE ALSO ******** - request-key.conf(5), mount.cifs(8) - ****** AUTHOR ****** - Shirish Pargaonkar wrote the cifs.idmap program. The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs. - diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in index 8f4ee62..1b8df3f 100644 --- a/cifs.upcall.rst.in +++ b/cifs.upcall.rst.in @@ -7,178 +7,131 @@ Userspace upcall helper for Common Internet File System (CIFS) -------------------------------------------------------------- :Manual section: 8 - ******** SYNOPSIS ******** -.. code-block:: perl - - cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] - [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] - [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} - - + cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] + [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] + [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} *********** DESCRIPTION *********** - This tool is part of the cifs-utils suite. -\ **cifs.upcall**\ is a userspace helper program for the linux CIFS client +``cifs.upcall`` is a userspace helper program for the linux CIFS client filesystem. There are a number of activities that the kernel cannot easily do itself. This program is a callout program that does these things for the kernel and then returns the result. -\ **cifs.upcall**\ is generally intended to be run when the kernel calls +``cifs.upcall`` is generally intended to be run when the kernel calls request-key(8) for a particular key type. While it can be run directly from the command-line, it's not generally intended to be run that way. - ******* OPTIONS ******* - - -\ **-c**\ - - This option is deprecated and is currently ignored. - - - -\ **--no-env-probe|-E**\ - - Normally, \ **cifs.upcall**\ will probe the environment variable space of - the process that initiated the upcall in order to fetch the value of - \ ``$KRB5CCNAME``\ . This can assist the program with finding credential - caches in non-default locations. If this option is set, then the - program won't do this and will rely on finding credcaches in the - default locations specified in \ *krb5.conf*\ . Note that this is never - performed when the uid is 0. The default credcache location is always - used when the uid is 0, regardless of the environment variable setting - in the process. - - - -\ **--krb5conf|-k=/path/to/krb5.conf**\ - - This option allows administrators to set an alternate location for the - \ *krb5.conf*\ file that \ **cifs.upcall**\ will use. - - - -\ **--keytab=|-K=/path/to/keytab**\ - - This option allows administrators to specify a keytab file to be - used. When a user has no credential cache already established, - \ **cifs.upcall**\ will attempt to use this keytab to acquire them. The - default is the system-wide keytab \ */etc/krb5.keytab*\ . - - - -\ **--trust-dns|-t**\ - - With krb5 upcalls, the name used as the host portion of the service - principal defaults to the hostname portion of the UNC. This option - allows the upcall program to reverse resolve the network address of - the server in order to get the hostname. - - This is less secure than not trusting DNS. When using this option, - it's possible that an attacker could get control of DNS and trick the - client into mounting a different server altogether. It's preferable to - instead add server principals to the KDC for every possible hostname, - but this option exists for cases where that isn't possible. The - default is to not trust reverse hostname lookups in this fashion. - - - -\ **--legacy-uid|-l**\ - - Traditionally, the kernel has sent only a single uid= parameter to the - upcall for the SPNEGO upcall that's used to determine what user's - credential cache to use. This parameter is affected by the \ **uid=**\ - mount option, which also governs the ownership of files on the mount. - - Newer kernels send a creduid= option as well, which contains what uid - it thinks actually owns the credentials that it's looking for. At - mount time, this is generally set to the real uid of the user doing - the mount. For multisession mounts, it's set to the fsuid of the mount - user. Set this option if you want cifs.upcall to use the older \ **uid=**\ - parameter instead of the creduid= parameter. - - - -\ **--version|-v**\ - - Print version number and exit. - - - +-c + This option is deprecated and is currently ignored. + +--no-env-probe|-E + Normally, ``cifs.upcall`` will probe the environment variable space of + the process that initiated the upcall in order to fetch the value of + ``$KRB5CCNAME``. This can assist the program with finding credential + caches in non-default locations. If this option is set, then the + program won't do this and will rely on finding credcaches in the + default locations specified in *krb5.conf*. Note that this is never + performed when the uid is 0. The default credcache location is always + used when the uid is 0, regardless of the environment variable setting + in the process. + +--krb5conf|-k=/path/to/krb5.conf + This option allows administrators to set an alternate location for the + *krb5.conf* file that ``cifs.upcall`` will use. + +--keytab=|-K=/path/to/keytab + This option allows administrators to specify a keytab file to be + used. When a user has no credential cache already established, + ``cifs.upcall`` will attempt to use this keytab to acquire them. The + default is the system-wide keytab */etc/krb5.keytab*. + +--trust-dns|-t + With krb5 upcalls, the name used as the host portion of the service + principal defaults to the hostname portion of the UNC. This option + allows the upcall program to reverse resolve the network address of + the server in order to get the hostname. + + This is less secure than not trusting DNS. When using this option, + it's possible that an attacker could get control of DNS and trick the + client into mounting a different server altogether. It's preferable to + instead add server principals to the KDC for every possible hostname, + but this option exists for cases where that isn't possible. The + default is to not trust reverse hostname lookups in this fashion. + +--legacy-uid|-l + Traditionally, the kernel has sent only a single uid= parameter to the + upcall for the SPNEGO upcall that's used to determine what user's + credential cache to use. This parameter is affected by the uid= + mount option, which also governs the ownership of files on the mount. + + Newer kernels send a creduid= option as well, which contains what uid + it thinks actually owns the credentials that it's looking for. At + mount time, this is generally set to the real uid of the user doing + the mount. For multisession mounts, it's set to the fsuid of the mount + user. Set this option if you want cifs.upcall to use the older uid= + parameter instead of the creduid= parameter. + +--version|-v + Print version number and exit. ************************ CONFIGURATION FOR KEYCTL ************************ - -\ **cifs.upcall**\ is designed to be called from the kernel via the +``cifs.upcall`` is designed to be called from the kernel via the request-key callout program. This requires that request-key be told -where and how to call this program. The current \ **cifs.upcall**\ +where and how to call this program. The current ``cifs.upcall`` program handles two different key types: +cifs.spnego + This keytype is for retrieving kerberos session keys + +dns_resolver + This key type is for resolving hostnames into IP addresses. Support + for this key type may eventually be deprecated (see below). + + To make this program useful for CIFS, you'll need to set up entries + for them in request-key.conf(5). Here's an example of an entry for + each key type:: -\ **cifs.spnego**\ - - This keytype is for retrieving kerberos session keys - - - -\ **dns_resolver**\ - - This key type is for resolving hostnames into IP addresses. Support - for this key type may eventually be deprecated (see below). - - To make this program useful for CIFS, you'll need to set up entries - for them in request-key.conf(5). Here's an example of an entry for - each key type: - - - .. code-block:: perl - #OPERATION TYPE D C PROGRAM ARG1 ARG2... #========= ============= = = ================================ create cifs.spnego * * @sbindir@/cifs.upcall %k create dns_resolver * * @sbindir@/cifs.upcall %k - - - See request-key.conf(5) for more info on each field. - - The keyutils package has also started including a dns_resolver - handling program as well that is preferred over the one in - \ **cifs.upcall.**\ If you are using a keyutils version equal to or - greater than 1.5, you should use \ ``key.dns_resolver``\ to handle the - \ ``dns_resolver``\ keytype instead of \ **cifs.upcall**\ . See - key.dns_resolver(8) for more info. - + See request-key.conf(5) for more info on each field. + The keyutils package has also started including a dns_resolver + handling program as well that is preferred over the one in + ``cifs.upcall``. If you are using a keyutils version equal to or + greater than 1.5, you should use ``key.dns_resolver`` to handle the + ``dns_resolver`` keytype instead of ``cifs.upcall``. See + key.dns_resolver(8) for more info. ******** SEE ALSO ******** - request-key.conf(5), mount.cifs(8), key.dns_resolver(8) - ****** AUTHOR ****** - Igor Mammedov wrote the cifs.upcall program. Jeff Layton authored this manpage. @@ -187,4 +140,3 @@ The maintainer of the Linux CIFS VFS is Steve French. The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs. - diff --git a/cifscreds.rst b/cifscreds.rst index 5c2a195..a6676cb 100644 --- a/cifscreds.rst +++ b/cifscreds.rst @@ -5,125 +5,91 @@ cifscreds ----------------------------------------- manage NTLM credentials in kernel keyring ----------------------------------------- - :Manual section: 1 ******** SYNOPSIS ******** - -cifscreds add|clear|clearall|update [-u username] [-d] host|domain - + cifscreds add|clear|clearall|update [-u username] [-d] host|domain *********** DESCRIPTION *********** - -The \ **cifscreds**\ program is a tool for managing credentials (username +The ``cifscreds`` program is a tool for managing credentials (username and password) for the purpose of establishing sessions in multiuser mounts. When a cifs filesystem is mounted with the "multiuser" option, and does not use krb5 authentication, it needs to be able to get the credentials -for each user from somewhere. The \ **cifscreds**\ program is the tool used +for each user from somewhere. The ``cifscreds`` program is the tool used to provide these credentials to the kernel. The first non-option argument to cifscreds is a command (see the -\ **COMMANDS**\ section below). The second non-option argument is a hostname +`COMMANDS`_ section below). The second non-option argument is a hostname or address, or an NT domain name. - ******** COMMANDS ******** +add + Add credentials to the kernel to be used for connecting to the given + server, or servers in the given domain. +clear + Clear credentials for a particular host or domain from the kernel. -\ **add**\ - - Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain. - - - -\ **clear**\ - - Clear credentials for a particular host or domain from the kernel. - - - -\ **clearall**\ - - Clear all cifs credentials from the kernel. - - - -\ **update**\ - - Update stored credentials in the kernel with a new username and - password. - - +clearall + Clear all cifs credentials from the kernel. +update + Update stored credentials in the kernel with a new username and + password. ******* OPTIONS ******* +-d, --domain + The provided host/domain argument is a NT domainname. + Ordinarily the second argument provided to cifscreds is treated as a + hostname or IP address. This option causes the cifscreds program to + treat that argument as an NT domainname instead. -\ **-d**\ , \ **--domain**\ - - The provided host/domain argument is a NT domainname. - - Ordinarily the second argument provided to cifscreds is treated as a - hostname or IP address. This option causes the cifscreds program to - treat that argument as an NT domainname instead. - - If there are not host specific credentials for the mounted server, then - the kernel will next look for a set of domain credentials equivalent to - the domain= option provided at mount time. - - - -\ **-u**\ , \ **--username**\ - - Ordinarily, the username is derived from the unix username of the user - adding the credentials. This option allows the user to substitute a - different username. - - + If there are not host specific credentials for the mounted server, then + the kernel will next look for a set of domain credentials equivalent to + the domain= option provided at mount time. +-u, --username + Ordinarily, the username is derived from the unix username of the user + adding the credentials. This option allows the user to substitute a + different username. ***** NOTES ***** - The cifscreds utility requires a kernel built with support for the -\ **login**\ key type. That key type was added in v3.3 in mainline Linux +``login`` key type. That key type was added in v3.3 in mainline Linux kernels. -Since \ **cifscreds**\ adds keys to the session keyring, it is highly -recommended that one use \ **pam_keyinit**\ to ensure that a session keyring +Since ``cifscreds`` adds keys to the session keyring, it is highly +recommended that one use ``pam_keyinit`` to ensure that a session keyring is established at login time. - ******** SEE ALSO ******** - pam_keyinit(8) - ******* AUTHORS ******* - The cifscreds program was originally developed by Igor Druzhinin <jaxbrigs@gmail.com>. This manpage and a redesign of the code was done by Jeff Layton <jlayton@samba.org>. - diff --git a/getcifsacl.rst.in b/getcifsacl.rst.in index 42af258..21a10cd 100644 --- a/getcifsacl.rst.in +++ b/getcifsacl.rst.in @@ -7,80 +7,60 @@ Userspace helper to display an ACL in a security descriptor for Common Internet -------------------------------------------------------------------------------------------------- :Manual section: 1 - ******** SYNOPSIS ******** - -getcifsacl [-v|-r] {file system object} - + getcifsacl [-v|-r] {file system object} *********** DESCRIPTION *********** - This tool is part of the cifs-utils suite. -getcifsacl is a userspace helper program for the Linux CIFS client +``getcifsacl`` is a userspace helper program for the Linux CIFS client file system. It is intended to display a security descriptor including ACL for a file system object. This program uses a plugin to handle the mapping of SIDs to user and -group names. \ *@pluginpath@*\ should be a symlink that points to the +group names. *@pluginpath@* should be a symlink that points to the correct plugin to use. Fields of an ACE such as SID, type, flags, and mask are displayed -separated by /. Numeric values of type, flags, and mask are displayed +separated by /. Numeric values of type, flags, and mask are displayed in hexadecimal format. - ******* OPTIONS ******* +-v + Print version number and exit. - -\ **-v**\ - - Print version number and exit. - - - -\ **-r**\ - - Display a security descriptor in raw mode. Values such as type and - flags are displayed in hexadecimal format, a SID is not mapped to a - name. - - - +-r + Display a security descriptor in raw mode. Values such as type and + flags are displayed in hexadecimal format, a SID is not mapped to a + name. ***** NOTES ***** - Kernel support for getcifsacl/setcifsacl utilities was initially introduced in the 2.6.37 kernel. - ******** SEE ALSO ******** - mount.cifs(8), setcifsacl(1) - ****** AUTHOR ****** - Shirish Pargaonkar wrote the getcifsacl program. The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs. - diff --git a/idmapwb.rst.in b/idmapwb.rst.in index 4d7fd62..c03e4ca 100644 --- a/idmapwb.rst.in +++ b/idmapwb.rst.in @@ -7,31 +7,28 @@ winbind ID mapping plugin for cifs-utils ---------------------------------------- :Manual section: 8 - *********** DESCRIPTION *********** - This plugin allows the utilities in cifs-utils to work in conjuction with the winbind facility of Samba suite. It handles several functions including mapping UID and GID to SIDs and vice versa. Utilities are usually configured to use the correct plugin by creating a -symlink at @pluginpath@ that points to the correct plugin that you wish +symlink at *@pluginpath@* that points to the correct plugin that you wish to use. -This plugin requires that \ **winbindd(8)**\ be properly configured and running. +This plugin requires that winbindd(8) be properly configured and running. - -******************************************************************************* +******** SEE ALSO -******************************************************************************* -getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) - +******** +getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) -***************************************************************** +****** AUTHOR -***************************************************************** +****** + idmapwb.so was written by Jeff Layton <jlayton@samba.org> diff --git a/mount.cifs.rst b/mount.cifs.rst index a81c6c4..c0f0bdb 100644 --- a/mount.cifs.rst +++ b/mount.cifs.rst @@ -47,7 +47,6 @@ unmounted (usually via the ``umount`` utility). OPTIONS ******* - username=arg|user=arg specifies the username to connect as. If this is not given, then the environment variable USER is used. @@ -84,9 +83,9 @@ credentials=filename|cred=filename password=value domain=value - This is preferred over having passwords in plaintext in a shared file, - such as ``/etc/fstab`` . Be sure to protect any credentials file - properly. + This is preferred over having passwords in plaintext in a shared file, + such as */etc/fstab* . Be sure to protect any credentials file + properly. uid=arg sets the uid that will own all files or directories on the mounted @@ -558,7 +557,7 @@ It's generally preferred to use forward slashes (/) as a delimiter in service names. They are considered to be the "universal delimiter" since they are generally not allowed to be embedded within path components on Windows machines and the client can convert them to -backslashes (\) unconditionally. Conversely, backslash characters are +backslashes (\\) unconditionally. Conversely, backslash characters are allowed by POSIX to be part of a path component, and can't be automatically converted in the same way. diff --git a/pam_cifscreds.rst b/pam_cifscreds.rst index 8e8308c..4e89bfd 100644 --- a/pam_cifscreds.rst +++ b/pam_cifscreds.rst @@ -7,110 +7,83 @@ PAM module to manage NTLM credentials in kernel keyring ------------------------------------------------------- :Manual section: 8 - ******** SYNOPSIS ******** - Edit the PAM configuration files for the systems that you want to -automatically register NTLM credentials for, e.g. /etc/pam.d/login, -and modify as follows: - - -.. code-block:: perl +automatically register NTLM credentials for, e.g. */etc/pam.d/login*, +and modify as follows:: ... auth substack system-auth +++ auth optional pam_cifscreds.so auth include postlogin ... - + ... session include system-auth +++ session optional pam_cifscreds.so domain=DOMAIN session include postlogin ... - Change DOMAIN to the name of you Windows domain, or use host= as described below. - *********** DESCRIPTION *********** - -The \ **pam_cifscreds**\ PAM module is a tool for automatically adding +The ``pam_cifscreds`` PAM module is a tool for automatically adding credentials (username and password) for the purpose of establishing sessions in multiuser mounts. When a cifs filesystem is mounted with the "multiuser" option, and does not use krb5 authentication, it needs to be able to get the credentials -for each user from somewhere. The \ **pam_cifscreds**\ module can be used +for each user from somewhere. The ``pam_cifscreds`` module can be used to provide these credentials to the kernel automatically at login. In the session section of the PAM configuration file, the module can either an NT domain name or a list of hostname or addresses. - ******* OPTIONS ******* +``pam_cifscreds`` supports a couple options which can be set in the PAM +configuration files. You must have one (and only one) of ``domain=`` or +``host=``. -\ **pam_cifscreds**\ supports a couple options which can be set in the PAM -configuration files. You must have one (and only one) of domain= or -host=. - - -\ **debug**\ - - Turns on some extra debug logging. - - - -\ **domain**\ =<NT domain name> - - Credentials will be added for the specified NT domain name. - - - -\ **host**\ =<hostname or IP address>[,...] - - Credentials will be added for the specified hostnames or IP addresses. - +debug + Turns on some extra debug logging. +domain=<NT domain name> + Credentials will be added for the specified NT domain name. +host=<hostname or IP address>[,...] + Credentials will be added for the specified hostnames or IP addresses. ***** NOTES ***** - The pam_cifscreds PAM module requires a kernel built with support for -the \ **login**\ key type. That key type was added in v3.3 in mainline Linux +the ``login`` key type. That key type was added in v3.3 in mainline Linux kernels. -Since \ **pam_cifscreds**\ adds keys to the session keyring, it is highly -recommended that one use \ **pam_keyinit**\ to ensure that a session keyring +Since ``pam_cifscreds`` adds keys to the session keyring, it is highly +recommended that one use ``pam_keyinit`` to ensure that a session keyring is established at login time. - ******** SEE ALSO ******** - cifscreds(1), pam_keyinit(8) - ****** AUTHOR ****** - The pam_cifscreds PAM module was developed by Orion Poplawski <orion@nwra.com>. - diff --git a/setcifsacl.rst.in b/setcifsacl.rst.in index ea981e2..de9c758 100644 --- a/setcifsacl.rst.in +++ b/setcifsacl.rst.in @@ -7,179 +7,110 @@ Userspace helper to alter an ACL in a security descriptor for Common Internet Fi ------------------------------------------------------------------------------------------------ :Manual section: 1 - ******** SYNOPSIS ******** - -setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} - + setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} *********** DESCRIPTION *********** - This tool is part of the cifs-utils suite. -\ **setcifsacl**\ is a userspace helper program for the Linux CIFS client -file system. It is intended to alter an ACL of a security descriptor -for a file system object. Whether a security descriptor to be set is +``setcifsacl`` is a userspace helper program for the Linux CIFS client +file system. It is intended to alter an ACL of a security descriptor +for a file system object. Whether a security descriptor to be set is applied or not is determined by the CIFS/SMB server. This program uses a plugin to handle the mapping of user and group -names to SIDs. ``@pluginpath@`` should be a symlink that points to the +names to SIDs. *@pluginpath@* should be a symlink that points to the correct plugin to use. - ******* OPTIONS ******* +-h + Print usage message and exit. +-v + Print version number and exit. -\ **-h**\ - - Print usage message and exit. - - - -\ **-v**\ - - Print version number and exit. - +-a + Add one or more ACEs to an ACL of a security descriptor. An ACE is + added even if the same ACE exists in the ACL. +-D + Delete one or more ACEs from an ACL of a security descriptor. Entire + ACE has to match in an existing ACL for the listed ACEs to be deleted. -\ **-a**\ - - Add one or more ACEs to an ACL of a security descriptor. An ACE is - added even if the same ACE exists in the ACL. - +-M + Modify one or more ACEs from an ACL of a security descriptor. SID and + type are used to match for existing ACEs to be modified with the list + of ACEs specified. +-S + Set an ACL of security descriptor with the list of ACEs Existing ACL + is replaced entirely with the specified ACEs. -\ **-D**\ - - Delete one or more ACEs from an ACL of a security descriptor. Entire - ACE has to match in an existing ACL for the listed ACEs to be deleted. - - - -\ **-M**\ - - Modify one or more ACEs from an ACL of a security descriptor. SID and - type are used to match for existing ACEs to be modified with the list - of ACEs specified. - - - -\ **-S**\ - - Set an ACL of security descriptor with the list of ACEs Existing ACL - is replaced entirely with the specified ACEs. - - Every ACE entry starts with "ACL:" One or more ACEs are specified - within double quotes. Multiple ACEs are separated by a comma. - - Following fields of an ACE can be modified with possible values: - - - \ **SID**\ - Either a name or a raw SID value. - - - - \ **type**\ - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) - - - - \ **flags**\ - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or - 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10) - or a combination/OR of these values. - - - - \ **mask**\ - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value - - - + Every ACE entry starts with "ACL:" One or more ACEs are specified + within double quotes. Multiple ACEs are separated by a comma. + Following fields of an ACE can be modified with possible values: + - ``SID`` - Either a name or a raw SID value. + - ``type`` - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) + - ``flags`` - OBJECT_INHERIT_FLAG (OI or 0x1), + CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI + or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or + 0x10) or a combination/OR of these values. + - ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value. ******** EXAMPLES ******** - Add an ACE ========== - - -.. code-block:: perl - - setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name> - setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name> - - + setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name> + setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name> Delete an ACE ============= - - -.. code-block:: perl - - setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name> - - + setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name> Modify an ACE ============= - - -.. code-block:: perl - - setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name> - - + setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name> Set an ACL ========== - - -.. code-block:: perl - - setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name> - - - + setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name> ***** NOTES ***** - Kernel support for getcifsacl/setcifsacl utilities was initially introduced in the 2.6.37 kernel. - ******** SEE ALSO ******** - mount.cifs(8), getcifsacl(1) - ****** AUTHOR ****** - Shirish Pargaonkar wrote the setcifsacl program. The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs. -
Signed-off-by: Aurelien Aptel <aaptel@suse.com> --- cifs.idmap.rst.in | 71 ++++++------------- cifs.upcall.rst.in | 200 ++++++++++++++++++++--------------------------------- cifscreds.rst | 92 ++++++++---------------- getcifsacl.rst.in | 40 +++-------- idmapwb.rst.in | 19 +++-- mount.cifs.rst | 9 ++- pam_cifscreds.rst | 61 +++++----------- setcifsacl.rst.in | 143 ++++++++++---------------------------- 8 files changed, 201 insertions(+), 434 deletions(-)