diff --git a/0001-docs-cleanup-rst-formating.patch b/0001-docs-cleanup-rst-formating.patch
deleted file mode 100644
index 689c81c..0000000
--- a/0001-docs-cleanup-rst-formating.patch
+++ /dev/null
@@ -1,1120 +0,0 @@ -From 81dcfb24f54a5757f7c9fe08285bf527b8333506 Mon Sep 17 00:00:00 2001 -From: Aurelien Aptel -Date: Tue, 15 May 2018 10:12:32 +0200 -Subject: [PATCH 01/10] docs: cleanup rst formating - -Signed-off-by: Aurelien Aptel -Reviewed-by: Steve French -Reviewed-by: Pavel Shilovsky ---- - cifs.idmap.rst.in | 71 ++++++------------- - cifs.upcall.rst.in | 200 ++++++++++++++++++++--------------------------------- - cifscreds.rst | 92 ++++++++---------------- - getcifsacl.rst.in | 40 +++-------- - idmapwb.rst.in | 19 +++-- - mount.cifs.rst | 9 ++- - pam_cifscreds.rst | 61 +++++----------- - setcifsacl.rst.in | 143 ++++++++++---------------------------- - 8 files changed, 201 insertions(+), 434 deletions(-) - -diff --git a/cifs.idmap.rst.in b/cifs.idmap.rst.in -index 91b585e..60d7f0a 100644 ---- a/cifs.idmap.rst.in -+++ b/cifs.idmap.rst.in -@@ -11,124 +11,93 @@ Userspace helper for mapping ids for Common Internet File System (CIFS) - SYNOPSIS - ******** - -- --cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} -- -+ cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} - - *********** - DESCRIPTION - *********** - -- - This tool is part of the cifs-utils suite. - --\ **cifs.idmap**\ is a userspace helper program for the linux CIFS client -+``cifs.idmap`` is a userspace helper program for the linux CIFS client - filesystem. There are a number of activities that the kernel cannot - easily do itself. This program is a callout program that does these - things for the kernel and then returns the result. - --\ **cifs.idmap**\ is generally intended to be run when the kernel calls -+``cifs.idmap`` is generally intended to be run when the kernel calls - request-key(8) for a particular key type. While it can be run - directly from the command-line, it is not generally intended to be run - that way. 
- --This program is only called if a share is mounted with the \ **cifsacl**\ -+This program is only called if a share is mounted with the ``cifsacl`` - mount option. The kernel will only upcall to do this conversion if - that mount option is specified. - --\ **cifs.idmap**\ relies on a plugin to handle the ID mapping. If it can't -+``cifs.idmap`` relies on a plugin to handle the ID mapping. If it can't - find the plugin then it will not work properly. The plugin (or a - symlink to it) must be at @pluginpath@. - --In the case where \ **cifs.idmap**\ or the plugin are unavailable, file -+In the case where ``cifs.idmap`` or the plugin are unavailable, file - objects in a mounted share are assigned uid and gid of the credentials - of the process that mounted the share. It is strongly recomemended to - use mount options of uid and gid to specify a default uid and gid to - map owner SIDs and group SIDs in this situation. - -- - ******* - OPTIONS - ******* - -+--help|-h -+ Print the usage message and exit. - -+--timeout|-t -+ Set the expiration timer, in seconds on the key. The default is 600 -+ seconds (10 minutes). Setting this to 0 will cause the key to never -+ expire. - --\ **--help|-h**\ -- -- Print the usage message and exit. -- -- -- --\ **--timeout|-t**\ -- -- Set the expiration timer, in seconds on the key. The default is 600 -- seconds (10 minutes). Setting this to 0 will cause the key to never -- expire. -- -- -- --\ **--version|-v**\ -- -- Print version number and exit. -- -- -- -+--version|-v -+ Print version number and exit. - - ************************ - CONFIGURATION FOR KEYCTL - ************************ - -- --\ **cifs.idmap**\ is designed to be called from the kernel via the -+``cifs.idmap`` is designed to be called from the kernel via the - request-key callout program. This requires that request-key be told --where and how to call this program. Currently \ **cifs.idmap**\ handles a --key type of: -+where and how to call this program. 
Currently ``cifs.idmap`` handles a -+key type of:: - -+ cifs.idmap - --\ **cifs.idmap**\ -- -- This keytype is for mapping a SID to either an uid or a gid -- -- -+This keytype is for mapping a SID to either an uid or a gid. - - To make this program useful for CIFS, you will need to set up entry for it in --request-key.conf(5). Here is an example of an entry for this key type: -- -- --.. code-block:: perl -+request-key.conf(5). Here is an example of an entry for this key type:: - - #OPERATION TYPE D C PROGRAM ARG1 ARG2... - #========= ============= = = ================================ - create cifs.idmap * * @sbindir@/cifs.idmap %k - -- - See request-key.conf(5) for more info on each field. - -- - ***** - NOTES - ***** - -- - Support for upcalls to cifs.idmap was initially introduced in the 3.0 - kernel. - -- - ******** - SEE ALSO - ******** - -- - request-key.conf(5), mount.cifs(8) - -- - ****** - AUTHOR - ****** - -- - Shirish Pargaonkar wrote the cifs.idmap program. - - The Linux CIFS Mailing list is the preferred place to ask questions - regarding these programs. -- -diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in -index 8f4ee62..1b8df3f 100644 ---- a/cifs.upcall.rst.in -+++ b/cifs.upcall.rst.in -@@ -7,178 +7,131 @@ Userspace upcall helper for Common Internet File System (CIFS) - -------------------------------------------------------------- - :Manual section: 8 - -- - ******** - SYNOPSIS - ******** - --.. code-block:: perl -- -- cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] -- [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] -- [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} -- -- -+ cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] -+ [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] -+ [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} - - *********** - DESCRIPTION - *********** - -- - This tool is part of the cifs-utils suite. 
- --\ **cifs.upcall**\ is a userspace helper program for the linux CIFS client -+``cifs.upcall`` is a userspace helper program for the linux CIFS client - filesystem. There are a number of activities that the kernel cannot - easily do itself. This program is a callout program that does these - things for the kernel and then returns the result. - --\ **cifs.upcall**\ is generally intended to be run when the kernel calls -+``cifs.upcall`` is generally intended to be run when the kernel calls - request-key(8) for a particular key type. While it can be run - directly from the command-line, it's not generally intended to be run - that way. - -- - ******* - OPTIONS - ******* - -- -- --\ **-c**\ -- -- This option is deprecated and is currently ignored. -- -- -- --\ **--no-env-probe|-E**\ -- -- Normally, \ **cifs.upcall**\ will probe the environment variable space of -- the process that initiated the upcall in order to fetch the value of -- \ ``$KRB5CCNAME``\ . This can assist the program with finding credential -- caches in non-default locations. If this option is set, then the -- program won't do this and will rely on finding credcaches in the -- default locations specified in \ *krb5.conf*\ . Note that this is never -- performed when the uid is 0. The default credcache location is always -- used when the uid is 0, regardless of the environment variable setting -- in the process. -- -- -- --\ **--krb5conf|-k=/path/to/krb5.conf**\ -- -- This option allows administrators to set an alternate location for the -- \ *krb5.conf*\ file that \ **cifs.upcall**\ will use. -- -- -- --\ **--keytab=|-K=/path/to/keytab**\ -- -- This option allows administrators to specify a keytab file to be -- used. When a user has no credential cache already established, -- \ **cifs.upcall**\ will attempt to use this keytab to acquire them. The -- default is the system-wide keytab \ */etc/krb5.keytab*\ . 
-- -- -- --\ **--trust-dns|-t**\ -- -- With krb5 upcalls, the name used as the host portion of the service -- principal defaults to the hostname portion of the UNC. This option -- allows the upcall program to reverse resolve the network address of -- the server in order to get the hostname. -- -- This is less secure than not trusting DNS. When using this option, -- it's possible that an attacker could get control of DNS and trick the -- client into mounting a different server altogether. It's preferable to -- instead add server principals to the KDC for every possible hostname, -- but this option exists for cases where that isn't possible. The -- default is to not trust reverse hostname lookups in this fashion. -- -- -- --\ **--legacy-uid|-l**\ -- -- Traditionally, the kernel has sent only a single uid= parameter to the -- upcall for the SPNEGO upcall that's used to determine what user's -- credential cache to use. This parameter is affected by the \ **uid=**\ -- mount option, which also governs the ownership of files on the mount. -- -- Newer kernels send a creduid= option as well, which contains what uid -- it thinks actually owns the credentials that it's looking for. At -- mount time, this is generally set to the real uid of the user doing -- the mount. For multisession mounts, it's set to the fsuid of the mount -- user. Set this option if you want cifs.upcall to use the older \ **uid=**\ -- parameter instead of the creduid= parameter. -- -- -- --\ **--version|-v**\ -- -- Print version number and exit. -- -- -- -+-c -+ This option is deprecated and is currently ignored. -+ -+--no-env-probe|-E -+ Normally, ``cifs.upcall`` will probe the environment variable space of -+ the process that initiated the upcall in order to fetch the value of -+ ``$KRB5CCNAME``. This can assist the program with finding credential -+ caches in non-default locations. 
If this option is set, then the -+ program won't do this and will rely on finding credcaches in the -+ default locations specified in *krb5.conf*. Note that this is never -+ performed when the uid is 0. The default credcache location is always -+ used when the uid is 0, regardless of the environment variable setting -+ in the process. -+ -+--krb5conf|-k=/path/to/krb5.conf -+ This option allows administrators to set an alternate location for the -+ *krb5.conf* file that ``cifs.upcall`` will use. -+ -+--keytab=|-K=/path/to/keytab -+ This option allows administrators to specify a keytab file to be -+ used. When a user has no credential cache already established, -+ ``cifs.upcall`` will attempt to use this keytab to acquire them. The -+ default is the system-wide keytab */etc/krb5.keytab*. -+ -+--trust-dns|-t -+ With krb5 upcalls, the name used as the host portion of the service -+ principal defaults to the hostname portion of the UNC. This option -+ allows the upcall program to reverse resolve the network address of -+ the server in order to get the hostname. -+ -+ This is less secure than not trusting DNS. When using this option, -+ it's possible that an attacker could get control of DNS and trick the -+ client into mounting a different server altogether. It's preferable to -+ instead add server principals to the KDC for every possible hostname, -+ but this option exists for cases where that isn't possible. The -+ default is to not trust reverse hostname lookups in this fashion. -+ -+--legacy-uid|-l -+ Traditionally, the kernel has sent only a single uid= parameter to the -+ upcall for the SPNEGO upcall that's used to determine what user's -+ credential cache to use. This parameter is affected by the uid= -+ mount option, which also governs the ownership of files on the mount. -+ -+ Newer kernels send a creduid= option as well, which contains what uid -+ it thinks actually owns the credentials that it's looking for. 
At -+ mount time, this is generally set to the real uid of the user doing -+ the mount. For multisession mounts, it's set to the fsuid of the mount -+ user. Set this option if you want cifs.upcall to use the older uid= -+ parameter instead of the creduid= parameter. -+ -+--version|-v -+ Print version number and exit. - - ************************ - CONFIGURATION FOR KEYCTL - ************************ - -- --\ **cifs.upcall**\ is designed to be called from the kernel via the -+``cifs.upcall`` is designed to be called from the kernel via the - request-key callout program. This requires that request-key be told --where and how to call this program. The current \ **cifs.upcall**\ -+where and how to call this program. The current ``cifs.upcall`` - program handles two different key types: - -+cifs.spnego -+ This keytype is for retrieving kerberos session keys -+ -+dns_resolver -+ This key type is for resolving hostnames into IP addresses. Support -+ for this key type may eventually be deprecated (see below). -+ -+ To make this program useful for CIFS, you'll need to set up entries -+ for them in request-key.conf(5). Here's an example of an entry for -+ each key type:: - --\ **cifs.spnego**\ -- -- This keytype is for retrieving kerberos session keys -- -- -- --\ **dns_resolver**\ -- -- This key type is for resolving hostnames into IP addresses. Support -- for this key type may eventually be deprecated (see below). -- -- To make this program useful for CIFS, you'll need to set up entries -- for them in request-key.conf(5). Here's an example of an entry for -- each key type: -- -- -- .. code-block:: perl -- - #OPERATION TYPE D C PROGRAM ARG1 ARG2... - #========= ============= = = ================================ - create cifs.spnego * * @sbindir@/cifs.upcall %k - create dns_resolver * * @sbindir@/cifs.upcall %k -- -- -- See request-key.conf(5) for more info on each field. 
-- -- The keyutils package has also started including a dns_resolver -- handling program as well that is preferred over the one in -- \ **cifs.upcall.**\ If you are using a keyutils version equal to or -- greater than 1.5, you should use \ ``key.dns_resolver``\ to handle the -- \ ``dns_resolver``\ keytype instead of \ **cifs.upcall**\ . See -- key.dns_resolver(8) for more info. -- - -+ See request-key.conf(5) for more info on each field. - -+ The keyutils package has also started including a dns_resolver -+ handling program as well that is preferred over the one in -+ ``cifs.upcall``. If you are using a keyutils version equal to or -+ greater than 1.5, you should use ``key.dns_resolver`` to handle the -+ ``dns_resolver`` keytype instead of ``cifs.upcall``. See -+ key.dns_resolver(8) for more info. - - ******** - SEE ALSO - ******** - -- - request-key.conf(5), mount.cifs(8), key.dns_resolver(8) - -- - ****** - AUTHOR - ****** - -- - Igor Mammedov wrote the cifs.upcall program. - - Jeff Layton authored this manpage. -@@ -187,4 +140,3 @@ The maintainer of the Linux CIFS VFS is Steve French. - - The Linux CIFS Mailing list is the preferred place to ask questions - regarding these programs. -- -diff --git a/cifscreds.rst b/cifscreds.rst -index 5c2a195..a6676cb 100644 ---- a/cifscreds.rst -+++ b/cifscreds.rst -@@ -5,125 +5,91 @@ cifscreds - ----------------------------------------- - manage NTLM credentials in kernel keyring - ----------------------------------------- -- - :Manual section: 1 - - ******** - SYNOPSIS - ******** - -- --cifscreds add|clear|clearall|update [-u username] [-d] host|domain -- -+ cifscreds add|clear|clearall|update [-u username] [-d] host|domain - - *********** - DESCRIPTION - *********** - -- --The \ **cifscreds**\ program is a tool for managing credentials (username -+The ``cifscreds`` program is a tool for managing credentials (username - and password) for the purpose of establishing sessions in multiuser - mounts. 
- - When a cifs filesystem is mounted with the "multiuser" option, and does - not use krb5 authentication, it needs to be able to get the credentials --for each user from somewhere. The \ **cifscreds**\ program is the tool used -+for each user from somewhere. The ``cifscreds`` program is the tool used - to provide these credentials to the kernel. - - The first non-option argument to cifscreds is a command (see the --\ **COMMANDS**\ section below). The second non-option argument is a hostname -+`COMMANDS`_ section below). The second non-option argument is a hostname - or address, or an NT domain name. - -- - ******** - COMMANDS - ******** - -+add -+ Add credentials to the kernel to be used for connecting to the given -+ server, or servers in the given domain. - -+clear -+ Clear credentials for a particular host or domain from the kernel. - --\ **add**\ -- -- Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain. -- -- -- --\ **clear**\ -- -- Clear credentials for a particular host or domain from the kernel. -- -- -- --\ **clearall**\ -- -- Clear all cifs credentials from the kernel. -- -- -- --\ **update**\ -- -- Update stored credentials in the kernel with a new username and -- password. -- -- -+clearall -+ Clear all cifs credentials from the kernel. - -+update -+ Update stored credentials in the kernel with a new username and -+ password. - - ******* - OPTIONS - ******* - -+-d, --domain -+ The provided host/domain argument is a NT domainname. - -+ Ordinarily the second argument provided to cifscreds is treated as a -+ hostname or IP address. This option causes the cifscreds program to -+ treat that argument as an NT domainname instead. - --\ **-d**\ , \ **--domain**\ -- -- The provided host/domain argument is a NT domainname. -- -- Ordinarily the second argument provided to cifscreds is treated as a -- hostname or IP address. 
This option causes the cifscreds program to -- treat that argument as an NT domainname instead. -- -- If there are not host specific credentials for the mounted server, then -- the kernel will next look for a set of domain credentials equivalent to -- the domain= option provided at mount time. -- -- -- --\ **-u**\ , \ **--username**\ -- -- Ordinarily, the username is derived from the unix username of the user -- adding the credentials. This option allows the user to substitute a -- different username. -- -- -+ If there are not host specific credentials for the mounted server, then -+ the kernel will next look for a set of domain credentials equivalent to -+ the domain= option provided at mount time. - -+-u, --username -+ Ordinarily, the username is derived from the unix username of the user -+ adding the credentials. This option allows the user to substitute a -+ different username. - - ***** - NOTES - ***** - -- - The cifscreds utility requires a kernel built with support for the --\ **login**\ key type. That key type was added in v3.3 in mainline Linux -+``login`` key type. That key type was added in v3.3 in mainline Linux - kernels. - --Since \ **cifscreds**\ adds keys to the session keyring, it is highly --recommended that one use \ **pam_keyinit**\ to ensure that a session keyring -+Since ``cifscreds`` adds keys to the session keyring, it is highly -+recommended that one use ``pam_keyinit`` to ensure that a session keyring - is established at login time. - -- - ******** - SEE ALSO - ******** - -- - pam_keyinit(8) - -- - ******* - AUTHORS - ******* - -- - The cifscreds program was originally developed by Igor Druzhinin - . This manpage and a redesign of the code was done - by Jeff Layton . 
-- -diff --git a/getcifsacl.rst.in b/getcifsacl.rst.in -index 42af258..21a10cd 100644 ---- a/getcifsacl.rst.in -+++ b/getcifsacl.rst.in -@@ -7,80 +7,60 @@ Userspace helper to display an ACL in a security descriptor for Common Internet - -------------------------------------------------------------------------------------------------- - :Manual section: 1 - -- - ******** - SYNOPSIS - ******** - -- --getcifsacl [-v|-r] {file system object} -- -+ getcifsacl [-v|-r] {file system object} - - *********** - DESCRIPTION - *********** - -- - This tool is part of the cifs-utils suite. - --getcifsacl is a userspace helper program for the Linux CIFS client -+``getcifsacl`` is a userspace helper program for the Linux CIFS client - file system. It is intended to display a security descriptor including - ACL for a file system object. - - This program uses a plugin to handle the mapping of SIDs to user and --group names. \ *@pluginpath@*\ should be a symlink that points to the -+group names. *@pluginpath@* should be a symlink that points to the - correct plugin to use. - - Fields of an ACE such as SID, type, flags, and mask are displayed --separated by /. Numeric values of type, flags, and mask are displayed -+separated by /. Numeric values of type, flags, and mask are displayed - in hexadecimal format. - -- - ******* - OPTIONS - ******* - -+-v -+ Print version number and exit. - -- --\ **-v**\ -- -- Print version number and exit. -- -- -- --\ **-r**\ -- -- Display a security descriptor in raw mode. Values such as type and -- flags are displayed in hexadecimal format, a SID is not mapped to a -- name. -- -- -- -+-r -+ Display a security descriptor in raw mode. Values such as type and -+ flags are displayed in hexadecimal format, a SID is not mapped to a -+ name. - - ***** - NOTES - ***** - -- - Kernel support for getcifsacl/setcifsacl utilities was initially - introduced in the 2.6.37 kernel. 
- -- - ******** - SEE ALSO - ******** - -- - mount.cifs(8), setcifsacl(1) - -- - ****** - AUTHOR - ****** - -- - Shirish Pargaonkar wrote the getcifsacl program. - - The Linux CIFS Mailing list is the preferred place to ask questions - regarding these programs. -- -diff --git a/idmapwb.rst.in b/idmapwb.rst.in -index 4d7fd62..c03e4ca 100644 ---- a/idmapwb.rst.in -+++ b/idmapwb.rst.in -@@ -7,31 +7,28 @@ winbind ID mapping plugin for cifs-utils - ---------------------------------------- - :Manual section: 8 - -- - *********** - DESCRIPTION - *********** - -- - This plugin allows the utilities in cifs-utils to work in conjuction with - the winbind facility of Samba suite. It handles several functions including - mapping UID and GID to SIDs and vice versa. - - Utilities are usually configured to use the correct plugin by creating a --symlink at @pluginpath@ that points to the correct plugin that you wish -+symlink at *@pluginpath@* that points to the correct plugin that you wish - to use. - --This plugin requires that \ **winbindd(8)**\ be properly configured and running. -+This plugin requires that winbindd(8) be properly configured and running. - -- --******************************************************************************* -+******** - SEE ALSO --******************************************************************************* --getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) -- -+******** - -+getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) - --***************************************************************** -+****** - AUTHOR --***************************************************************** -+****** -+ - idmapwb.so was written by Jeff Layton -diff --git a/mount.cifs.rst b/mount.cifs.rst -index a81c6c4..c0f0bdb 100644 ---- a/mount.cifs.rst -+++ b/mount.cifs.rst -@@ -47,7 +47,6 @@ unmounted (usually via the ``umount`` utility). 
- OPTIONS - ******* - -- - username=arg|user=arg - specifies the username to connect as. If this is not - given, then the environment variable USER is used. -@@ -84,9 +83,9 @@ credentials=filename|cred=filename - password=value - domain=value - -- This is preferred over having passwords in plaintext in a shared file, -- such as ``/etc/fstab`` . Be sure to protect any credentials file -- properly. -+ This is preferred over having passwords in plaintext in a shared file, -+ such as */etc/fstab* . Be sure to protect any credentials file -+ properly. - - uid=arg - sets the uid that will own all files or directories on the mounted -@@ -558,7 +557,7 @@ It's generally preferred to use forward slashes (/) as a delimiter in - service names. They are considered to be the "universal delimiter" - since they are generally not allowed to be embedded within path - components on Windows machines and the client can convert them to --backslashes (\) unconditionally. Conversely, backslash characters are -+backslashes (\\) unconditionally. Conversely, backslash characters are - allowed by POSIX to be part of a path component, and can't be - automatically converted in the same way. - -diff --git a/pam_cifscreds.rst b/pam_cifscreds.rst -index 8e8308c..4e89bfd 100644 ---- a/pam_cifscreds.rst -+++ b/pam_cifscreds.rst -@@ -7,110 +7,83 @@ PAM module to manage NTLM credentials in kernel keyring - ------------------------------------------------------- - :Manual section: 8 - -- - ******** - SYNOPSIS - ******** - -- - Edit the PAM configuration files for the systems that you want to --automatically register NTLM credentials for, e.g. /etc/pam.d/login, --and modify as follows: -- -- --.. code-block:: perl -+automatically register NTLM credentials for, e.g. */etc/pam.d/login*, -+and modify as follows:: - - ... - auth substack system-auth - +++ auth optional pam_cifscreds.so - auth include postlogin - ... -- -+ - ... 
- session include system-auth - +++ session optional pam_cifscreds.so domain=DOMAIN - session include postlogin - ... - -- - Change DOMAIN to the name of you Windows domain, or use host= as - described below. - -- - *********** - DESCRIPTION - *********** - -- --The \ **pam_cifscreds**\ PAM module is a tool for automatically adding -+The ``pam_cifscreds`` PAM module is a tool for automatically adding - credentials (username and password) for the purpose of establishing - sessions in multiuser mounts. - - When a cifs filesystem is mounted with the "multiuser" option, and does - not use krb5 authentication, it needs to be able to get the credentials --for each user from somewhere. The \ **pam_cifscreds**\ module can be used -+for each user from somewhere. The ``pam_cifscreds`` module can be used - to provide these credentials to the kernel automatically at login. - - In the session section of the PAM configuration file, the module can - either an NT domain name or a list of hostname or addresses. - -- - ******* - OPTIONS - ******* - -+``pam_cifscreds`` supports a couple options which can be set in the PAM -+configuration files. You must have one (and only one) of ``domain=`` or -+``host=``. - --\ **pam_cifscreds**\ supports a couple options which can be set in the PAM --configuration files. You must have one (and only one) of domain= or --host=. -- -- --\ **debug**\ -- -- Turns on some extra debug logging. -- -- -- --\ **domain**\ = -- -- Credentials will be added for the specified NT domain name. -- -- -- --\ **host**\ =[,...] -- -- Credentials will be added for the specified hostnames or IP addresses. -- -+debug -+ Turns on some extra debug logging. - -+domain= -+ Credentials will be added for the specified NT domain name. - -+host=[,...] -+ Credentials will be added for the specified hostnames or IP addresses. - - ***** - NOTES - ***** - -- - The pam_cifscreds PAM module requires a kernel built with support for --the \ **login**\ key type. 
That key type was added in v3.3 in mainline Linux -+the ``login`` key type. That key type was added in v3.3 in mainline Linux - kernels. - --Since \ **pam_cifscreds**\ adds keys to the session keyring, it is highly --recommended that one use \ **pam_keyinit**\ to ensure that a session keyring -+Since ``pam_cifscreds`` adds keys to the session keyring, it is highly -+recommended that one use ``pam_keyinit`` to ensure that a session keyring - is established at login time. - -- - ******** - SEE ALSO - ******** - -- - cifscreds(1), pam_keyinit(8) - -- - ****** - AUTHOR - ****** - -- - The pam_cifscreds PAM module was developed by Orion Poplawski - . -- -diff --git a/setcifsacl.rst.in b/setcifsacl.rst.in -index ea981e2..de9c758 100644 ---- a/setcifsacl.rst.in -+++ b/setcifsacl.rst.in -@@ -7,179 +7,110 @@ Userspace helper to alter an ACL in a security descriptor for Common Internet Fi - ------------------------------------------------------------------------------------------------ - :Manual section: 1 - -- - ******** - SYNOPSIS - ******** - -- --setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} -- -+ setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} - - *********** - DESCRIPTION - *********** - -- - This tool is part of the cifs-utils suite. - --\ **setcifsacl**\ is a userspace helper program for the Linux CIFS client --file system. It is intended to alter an ACL of a security descriptor --for a file system object. Whether a security descriptor to be set is -+``setcifsacl`` is a userspace helper program for the Linux CIFS client -+file system. It is intended to alter an ACL of a security descriptor -+for a file system object. Whether a security descriptor to be set is - applied or not is determined by the CIFS/SMB server. - - This program uses a plugin to handle the mapping of user and group --names to SIDs. ``@pluginpath@`` should be a symlink that points to the -+names to SIDs. 
*@pluginpath@* should be a symlink that points to the - correct plugin to use. - -- - ******* - OPTIONS - ******* - -+-h -+ Print usage message and exit. - -+-v -+ Print version number and exit. - --\ **-h**\ -- -- Print usage message and exit. -- -- -- --\ **-v**\ -- -- Print version number and exit. -- -+-a -+ Add one or more ACEs to an ACL of a security descriptor. An ACE is -+ added even if the same ACE exists in the ACL. - -+-D -+ Delete one or more ACEs from an ACL of a security descriptor. Entire -+ ACE has to match in an existing ACL for the listed ACEs to be deleted. - --\ **-a**\ -- -- Add one or more ACEs to an ACL of a security descriptor. An ACE is -- added even if the same ACE exists in the ACL. -- -+-M -+ Modify one or more ACEs from an ACL of a security descriptor. SID and -+ type are used to match for existing ACEs to be modified with the list -+ of ACEs specified. - -+-S -+ Set an ACL of security descriptor with the list of ACEs Existing ACL -+ is replaced entirely with the specified ACEs. - --\ **-D**\ -- -- Delete one or more ACEs from an ACL of a security descriptor. Entire -- ACE has to match in an existing ACL for the listed ACEs to be deleted. -- -- -- --\ **-M**\ -- -- Modify one or more ACEs from an ACL of a security descriptor. SID and -- type are used to match for existing ACEs to be modified with the list -- of ACEs specified. -- -- -- --\ **-S**\ -- -- Set an ACL of security descriptor with the list of ACEs Existing ACL -- is replaced entirely with the specified ACEs. -- -- Every ACE entry starts with "ACL:" One or more ACEs are specified -- within double quotes. Multiple ACEs are separated by a comma. -- -- Following fields of an ACE can be modified with possible values: -- -- -- \ **SID**\ - Either a name or a raw SID value. 
-- -- -- -- \ **type**\ - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) -- -- -- -- \ **flags**\ - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or -- 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10) -- or a combination/OR of these values. -- -- -- -- \ **mask**\ - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value -- -- -- -+ Every ACE entry starts with "ACL:" One or more ACEs are specified -+ within double quotes. Multiple ACEs are separated by a comma. - -+ Following fields of an ACE can be modified with possible values: - -+ - ``SID`` - Either a name or a raw SID value. -+ - ``type`` - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) -+ - ``flags`` - OBJECT_INHERIT_FLAG (OI or 0x1), -+ CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI -+ or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or -+ 0x10) or a combination/OR of these values. -+ - ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value. - - ******** - EXAMPLES - ******** - -- - Add an ACE - ========== - -- -- --.. code-block:: perl -- -- setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" -- setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" -- -- -+ setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" -+ setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" - - Delete an ACE - ============= - -- -- --.. code-block:: perl -- -- setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" -- -- -+ setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" - - Modify an ACE - ============= - -- -- --.. code-block:: perl -- -- setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" -- -- -+ setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" - - Set an ACL - ========== - -- -- --.. 
code-block:: perl -- -- setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" -- -- -- -+ setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" - - ***** - NOTES - ***** - -- - Kernel support for getcifsacl/setcifsacl utilities was initially - introduced in the 2.6.37 kernel. - -- - ******** - SEE ALSO - ******** - -- - mount.cifs(8), getcifsacl(1) - -- - ****** - AUTHOR - ****** - -- - Shirish Pargaonkar wrote the setcifsacl program. - - The Linux CIFS Mailing list is the preferred place to ask questions - regarding these programs. -- --- -2.13.7 -
diff --git a/0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch b/0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch
deleted file mode 100644
index 51f9488..0000000
--- a/0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From bfcbfaa27a6bcfea3d463e793feff5a983f344a5 Mon Sep 17 00:00:00 2001
-From: Aurelien Aptel
-Date: Tue, 15 May 2018 10:40:48 +0200
-Subject: [PATCH 02/10] mount.cifs.rst: document new (no)handlecache mount
- option
-
-Signed-off-by: Aurelien Aptel
-Reviewed-by: Steve French
-Reviewed-by: Pavel Shilovsky
----
- mount.cifs.rst | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/mount.cifs.rst b/mount.cifs.rst
-index c0f0bdb..405c459 100644
---- a/mount.cifs.rst
-+++ b/mount.cifs.rst
-@@ -237,6 +237,16 @@ cache=arg
- The default in kernels prior to 3.7 was ``loose``. As of kernel 3.7 the
- default is ``strict``.
-
-+handlecache
-+ (default) In SMB2 and above, the client often has to open the root
-+ of the share (empty path) in various places during mount, path
-+ revalidation and the statfs(2) system call. This option cuts
-+ redundant round trip traffic (opens and closes) by simply keeping
-+ the directory handle for the root around once opened.
-+
-+nohandlecache
-+ Disable caching of the share root directory handle.
-+
- directio
- Do not do inode data caching on files opened on this mount. This
- precludes mmaping files on this mount. In some cases with fast
---
-2.13.7
-
diff --git a/0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch b/0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch
deleted file mode 100644
index fef9496..0000000
--- a/0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 03a3296c79f8195f94c43a3b4feb09df75d9b90e Mon Sep 17 00:00:00 2001
-From: Kenneth Dsouza
-Date: Fri, 13 Jul 2018 23:49:59 +0530
-Subject: [PATCH 03/10] manpage: update mount.cifs manpage with info about rdma
- option
-
-Signed-off-by: Kenneth Dsouza
----
- mount.cifs.rst | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/mount.cifs.rst b/mount.cifs.rst
-index 405c459..56c1bf9 100644
---- a/mount.cifs.rst
-+++ b/mount.cifs.rst
-@@ -403,6 +403,11 @@ echo_interval=n
- If this option is not given then the default value of 60 seconds is used.
- The minimum tunable value is 1 second and maximum can go up to 600 seconds.
-
-+rdma
-+ Use to connect to SMB Direct, only applicable when specified with
-+ vers=3 or vers=3.x.
-+ Here 3.x can be 3.0, 3.02 or 3.1.1.
-+
- serverino
- Use inode numbers (unique persistent file identifiers) returned by the
- server instead of automatically generating temporary inode numbers on
---
-2.13.7
-
diff --git a/0004-checkopts-add-python-script-to-cross-check-mount-opt.patch b/0004-checkopts-add-python-script-to-cross-check-mount-opt.patch
deleted file mode 100644
index 3bbe7f2..0000000
--- a/0004-checkopts-add-python-script-to-cross-check-mount-opt.patch
+++ /dev/null
@@ -1,261 +0,0 @@ -From 97209a56d13b8736579a58cccf00d2da4e4a0e5a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Aur=C3=A9lien=20Aptel?= -Date: Tue, 10 Jul 2018 17:50:42 +0200 -Subject: [PATCH 04/10] checkopts: add python script to cross check mount - options - -Signed-off-by: Aurelien Aptel ---- - checkopts | 240 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 240 insertions(+) - create mode 100755 checkopts - -diff --git a/checkopts b/checkopts -new file mode 100755 -index 0000000..26ca271 ---- /dev/null -+++ b/checkopts -@@ -0,0 +1,240 @@ -+#!/usr/bin/env python3 -+# -+# Script to check for inconsistencies between documented mount options -+# and implemented kernel options. -+# Copyright (C) 2018 Aurelien Aptel (aaptel@suse.com) -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+ -+import os -+import sys -+import re -+import subprocess -+import argparse -+from pprint import pprint as P -+ -+def extract_canonical_opts(s): -+ """ -+ Return list of option names present in s. 
-+ e.g "opt1=a|opt2=d" => ["opt1", "opt2"]) -+ """ -+ opts = s.split("|") -+ res = [] -+ for o in opts: -+ x = o.split("=") -+ res.append(x[0]) -+ return res -+ -+def extract_kernel_opts(fn): -+ STATE_BASE = 0 -+ STATE_DEF = 1 -+ STATE_USE = 2 -+ STATE_EXIT = 3 -+ -+ state = STATE_BASE -+ fmt2enum = {} -+ enum2code = {} -+ code = '' -+ current_opt = '' -+ rx = RX() -+ -+ def code_add(s): -+ if current_opt != '': -+ if current_opt not in enum2code: -+ enum2code[current_opt] = '' -+ enum2code[current_opt] += s -+ -+ with open(fn) as f: -+ for s in f.readlines(): -+ if state == STATE_EXIT: -+ break -+ -+ elif state == STATE_BASE: -+ if rx.search(r'cifs_mount_option_tokens.*\{', s): -+ state = STATE_DEF -+ elif rx.search(r'^cifs_parse_mount_options', s): -+ state = STATE_USE -+ -+ elif state == STATE_DEF: -+ if rx.search(r'(Opt_[a-zA-Z0-9_]+)\s*,\s*"([^"]+)"', s): -+ fmt = rx.group(2) -+ opts = extract_canonical_opts(fmt) -+ assert(len(opts) == 1) -+ name = opts[0] -+ fmt2enum[name] = {'enum':rx.group(1), 'fmt':fmt} -+ elif rx.search(r'^};', s): -+ state = STATE_BASE -+ -+ elif state == STATE_USE: -+ if rx.search(r'^\s*case (Opt_[a-zA-Z0-9_]+)', s): -+ current_opt = rx.group(1) -+ elif current_opt != '' and rx.search(r'^\s*default:', s): -+ state = STATE_EXIT -+ else: -+ code_add(s) -+ return fmt2enum, enum2code -+ -+def chomp(s): -+ if s[-1] == '\n': -+ return s[:-1] -+ return s -+ -+def extract_man_opts(fn): -+ STATE_EXIT = 0 -+ STATE_BASE = 1 -+ STATE_OPT = 2 -+ -+ state = STATE_BASE -+ rx = RX() -+ opts = {} -+ -+ with open(fn) as f: -+ for s in f.readlines(): -+ if state == STATE_EXIT: -+ break -+ -+ elif state == STATE_BASE: -+ if rx.search(r'^OPTION', s): -+ state = STATE_OPT -+ -+ elif state == STATE_OPT: -+ if rx.search('^[a-z]', s) and len(s) < 50: -+ s = chomp(s) -+ names = extract_canonical_opts(s) -+ for name in names: -+ opts[name] = s -+ elif rx.search(r'^[A-Z]+', s): -+ state = STATE_EXIT -+ return opts -+ -+def format_code(s): -+ # remove common indent 
in the block -+ min_indent = None -+ for ln in s.split("\n"): -+ indent = 0 -+ for c in ln: -+ if c == '\t': indent += 1 -+ else: break -+ if min_indent is None: -+ min_indent = indent -+ elif indent > 0: -+ min_indent = min(indent, min_indent) -+ out = '' -+ lines = s.split("\n") -+ if lines[-1].strip() == '': -+ lines.pop() -+ for ln in lines: -+ out += "| %s\n" % ln[min_indent:] -+ return out -+ -+def sortedset(s): -+ return sorted(list(s), key=lambda x: re.sub('^no', '', x)) -+ -+def opt_neg(opt): -+ if opt.startswith("no"): -+ return opt[2:] -+ else: -+ return "no"+opt -+ -+def main(): -+ ap = argparse.ArgumentParser(description="Cross-check mount options from cifs.ko/man page") -+ ap.add_argument("cfile", help="path to connect.c") -+ ap.add_argument("rstfile", help="path to mount.cifs.rst") -+ args = ap.parse_args() -+ -+ fmt2enum, enum2code = extract_kernel_opts(args.cfile) -+ manopts = extract_man_opts(args.rstfile) -+ -+ kernel_opts_set = set(fmt2enum.keys()) -+ man_opts_set = set(manopts.keys()) -+ -+ def opt_alias_is_doc(o): -+ enum = fmt2enum[o]['enum'] -+ aliases = [] -+ for k,v in fmt2enum.items(): -+ if k != o and v['enum'] == enum: -+ if opt_is_doc(k): -+ return k -+ return None -+ -+ def opt_exists(o): -+ return o in fmt2enum -+ -+ def opt_is_doc(o): -+ return o in manopts -+ -+ -+ print('UNDOCUMENTED OPTIONS') -+ print('====================') -+ -+ undoc_opts = kernel_opts_set - man_opts_set -+ # group opts and their negations together -+ for opt in sortedset(undoc_opts): -+ fmt = fmt2enum[opt]['fmt'] -+ enum = fmt2enum[opt]['enum'] -+ code = format_code(enum2code[enum]) -+ neg = opt_neg(opt) -+ -+ if enum == 'Opt_ignore': -+ print("# skipping %s (Opt_ignore)\n"%opt) -+ continue -+ -+ if opt_exists(neg) and opt_is_doc(neg): -+ print("# skipping %s (%s is documented)\n"%(opt, neg)) -+ continue -+ -+ alias = opt_alias_is_doc(opt) -+ if alias: -+ print("# skipping %s (alias %s is documented)\n"%(opt, alias)) -+ continue -+ -+ print('OPTION %s ("%s" 
-> %s):\n%s'%(opt, fmt, enum, code)) -+ -+ print('') -+ print('DOCUMENTED BUT NON-EXISTING OPTIONS') -+ print('===================================') -+ -+ unex_opts = man_opts_set - kernel_opts_set -+ # group opts and their negations together -+ for opt in sortedset(unex_opts): -+ fmt = manopts[opt] -+ print('OPTION %s ("%s")' % (opt, fmt)) -+ -+ -+ print('') -+ print('NEGATIVE OPTIONS WITHOUT POSITIVE') -+ print('=================================') -+ -+ for opt in sortedset(kernel_opts_set): -+ if not opt.startswith('no'): -+ continue -+ -+ neg = opt[2:] -+ if not opt_exists(neg): -+ print("OPTION %s exists but not %s"%(opt,neg)) -+ -+# little helper to test AND store result at the same time so you can -+# do if/elsif easily instead of nesting them when you need to do -+# captures -+class RX: -+ def __init__(self): -+ pass -+ def search(self, rx, s, flags=0): -+ self.r = re.search(rx, s, flags) -+ return self.r -+ def group(self, n): -+ return self.r.group(n) -+ -+if __name__ == '__main__': -+ main() --- -2.13.7 - diff --git a/0005-mount.cifs.rst-document-missing-options-correct-wron.patch b/0005-mount.cifs.rst-document-missing-options-correct-wron.patch deleted file mode 100644 index 44a713d..0000000 --- a/0005-mount.cifs.rst-document-missing-options-correct-wron.patch +++ /dev/null 
@@ -1,219 +0,0 @@ -From 7325a01abc529d68756bae90cf23233392626939 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Aur=C3=A9lien=20Aptel?= -Date: Tue, 10 Jul 2018 17:50:43 +0200 -Subject: [PATCH 05/10] mount.cifs.rst: document missing options, correct wrong - ones - -Signed-off-by: Aurelien Aptel ---- - mount.cifs.rst | 111 ++++++++++++++++++++++++++++++++++++++++----------------- - 1 file changed, 79 insertions(+), 32 deletions(-) - -diff --git a/mount.cifs.rst b/mount.cifs.rst -index 56c1bf9..13b3a1e 100644 ---- a/mount.cifs.rst -+++ b/mount.cifs.rst -@@ -123,6 +123,11 @@ forcegid - of the gid= option. See the section on `FILE AND DIRECTORY OWNERSHIP - AND PERMISSIONS`_ below for more information. - -+idsfromsid -+ Extract uid/gid from special SID instead of mapping it. See the -+ section on `FILE AND DIRECTORY OWNERSHIP AND PERMISSIONS`_ below for -+ more information. -+ - port=arg - sets the port number on which the client will attempt to contact the - CIFS server. If this value is specified, look for an existing -@@ -133,8 +138,9 @@ port=arg - try to connect on port 445 first and then port 139 if that - fails. Return an error if both fail. - --servernetbiosname=arg -- Specify the server netbios name (RFC1001 name) to use when attempting -+ -+netbiosname=arg -+ Specify the client netbios name (RFC1001 name) to use when attempting - to setup a session to the server. Although rarely needed for mounting - to newer servers, this option is needed for mounting to some older - servers (such as OS/2 or Windows 98 and Windows ME) since when -@@ -143,7 +149,8 @@ servernetbiosname=arg - characters long and is usually uppercased. - - servern=arg -- Synonym for ``servernetbiosname`` -+ Similarl to ``netbiosname`` except it specifies the netbios name of -+ the server instead of the client. 
- - netbiosname=arg - When mounting to servers via port 139, specifies the RFC1001 source -@@ -166,6 +173,10 @@ ip=arg|addr=arg - domain=arg|dom=arg|workgroup=arg - sets the domain (workgroup) of the user. - -+domainauto -+ When using NTLMv2 authentification and not providing a domain via -+ ``domain``, guess the domain from the server NTLM challenge. -+ - guest - don't prompt for a password. - -@@ -237,6 +248,9 @@ cache=arg - The default in kernels prior to 3.7 was ``loose``. As of kernel 3.7 the - default is ``strict``. - -+nostrictsync -+ Do not flush to the server on fsync(). -+ - handlecache - (default) In SMB2 and above, the client often has to open the root - of the share (empty path) in various places during mount, path -@@ -247,32 +261,6 @@ handlecache - nohandlecache - Disable caching of the share root directory handle. - --directio -- Do not do inode data caching on files opened on this mount. This -- precludes mmaping files on this mount. In some cases with fast -- networks and little or no caching benefits on the client (e.g. when -- the application is doing large sequential reads bigger than page size -- without rereading the same data) this can provide better performance -- than the default behavior which caches reads (readahead) and writes -- (writebehind) through the local Linux client pagecache if oplock -- (caching token) is granted and held. Note that direct allows write -- operations larger than page size to be sent to the server. On some -- kernels this requires the cifs.ko module to be built with the -- ``CIFS_EXPERIMENTAL`` configure option. -- -- This option is will be deprecated in 3.7. Users should use -- ``cache=none`` instead on more recent kernels. -- --strictcache -- Use for switching on strict cache mode. In this mode the client reads -- from the cache all the time it has *Oplock Level II* , otherwise - -- read from the server. 
As for write - the client stores a data in the -- cache in *Exclusive Oplock* case, otherwise - write directly to the -- server. -- -- This option is will be deprecated in 3.7. Users should use -- ``cache=strict`` instead on more recent kernels. -- - rwpidforward - Forward pid of a process who opened a file to any read or write - operation on that file. This prevent applications like wine(1) from -@@ -283,7 +271,7 @@ mapchars - including the colon, question mark, pipe, asterik, greater than and - less than characters) to the remap range (above 0xF000), which also - allows the CIFS client to recognize files created with such characters -- by Windows's POSIX emulation. This can also be useful when mounting to -+ by Windows's Services for Mac. This can also be useful when mounting to - most versions of Samba (which also forbids creating and opening files - whose names contain any of these seven characters). This has no effect - if the server does not support Unicode on the wire. Please note that -@@ -293,6 +281,10 @@ mapchars - nomapchars - (default) Do not translate any of these seven characters. - -+mapposix -+ Translate reserved characters similarly to ``mapchars`` but use the -+ mapping from Microsoft "Services For Unix". -+ - intr - currently unimplemented. - -@@ -370,12 +362,42 @@ seal - Request encryption at the SMB layer. Encryption is only supported in - SMBv3 and above. The encryption algorithm used is AES-128-CCM. - -+rdma -+ Connect directly to the server using SMB Direct via a RDMA adapter. -+ -+resilienthandles -+ Enable resilient handles. If the server supports it, keep opened -+ files across reconenctions. Requires SMB2.1. -+ -+noresilienthandles -+ (default) Disable resilient handles. -+ -+persistenthandles -+ Enable persistent handles. If the server supports it, keep opened -+ files across reconnections. Persistent handles are also valid across -+ servers in a cluser and have stronger guarantees than resilient -+ handles. Requires SMB3 or above. 
-+ -+nopersistenthandles -+ (default) Disable persistent handles. -+ -+snapshot=time -+ Mount a specific snapshot of the remote share. ``time`` must be a -+ positive integer identifying the snapshot requested. -+ - nobrl - Do not send byte range lock requests to the server. This is necessary - for certain applications that break with cifs style mandatory byte - range locks (and most cifs servers do not yet support requesting - advisory byte range locks). - -+forcemandatorylock -+ Do not use POSIX locks even when available via unix -+ extensions. Always use cifs style mandatory locks. -+ -+locallease -+ Check cache leases locally instead of querying the server. -+ - sfu - When the CIFS Unix Extensions are not negotiated, attempt to create - device files and fifos in a format compatible with Services for Unix -@@ -431,8 +453,12 @@ noserverino - - See section `INODE NUMBERS`_ for more information. - --nounix -- Disable the CIFS Unix Extensions for this mount. This can be useful in -+unix|linux -+ (default) Enable Unix Extensions for this mount. Requires CIFS -+ (vers=1.0) or SMB3.1.1 (vers=3.1.1) and a server supporting them. -+ -+nounix|nolinux -+ Disable the Unix Extensions for this mount. This can be useful in - order to turn off multiple settings at once. This includes POSIX acls, - POSIX locks, POSIX paths, symlink support and retrieving - uids/gids/mode from the server. This can also be useful to work around -@@ -444,6 +470,23 @@ nouser_xattr - Do not allow getfattr/setfattr to get/set xattrs, even if server would - support it otherwise. The default is for xattr support to be enabled. - -+nodfs -+ Do not follow Distributed FileSystem referals. IO on a file not -+ stored on the server will fail instead of connecting to the target -+ server transparently. -+ -+noautotune -+ Use fixed size for kernel recv/send socket buffers. -+ -+nosharesock -+ Do not try to reuse sockets if the system is already connected to -+ the server via an existing mount point. 
This will make the client -+ always make a new connection to the server no matter what he is -+ already connected to. -+ -+noblocksend -+ Send data on the socket using non blocking operations (MSG_DONTWAIT flag). -+ - rsize=bytes - Maximum amount of data that the kernel will request in a read request - in bytes. Prior to kernel 3.2.0, the default was 16k, and the maximum -@@ -472,6 +515,10 @@ wsize=bytes - this value isn't specified or it's greater or equal than the existing - one. - -+max_credits=n -+ Maximum credits the SMB2 client can have. Default is 32000. Must be -+ set to a number between 20 and 60000. -+ - fsc - Enable local disk caching using FS-Cache for CIFS. This option could - be useful to improve performance on a slow link, heavily loaded server --- -2.13.7 - diff --git a/0006-cifs-utils-support-rst2man-3.patch b/0006-cifs-utils-support-rst2man-3.patch deleted file mode 100644 index 400e157..0000000 --- a/0006-cifs-utils-support-rst2man-3.patch +++ /dev/null 
@@ -1,50 +0,0 @@
-From a389756f51916995d27819ea1807ab03f36d8dd7 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Tue, 17 Jul 2018 13:12:44 +0300
-Subject: [PATCH 06/10] cifs-utils: support rst2man-3
-
-Python3 version of rst2man is called rst2man-3
-
-Signed-off-by: Alexander Bokovoy
-Reviewed-by: Aurelien Aptel
----
- Makefile.am | 2 +-
- configure.ac | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 30658e3..f37c9ae 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -16,7 +16,7 @@ man_MANS=
-
- SUFFIXES = .rst .1 .8
-
--RST2MAN = rst2man --syntax-highlight=none $< $@
-+RST2MAN = $(have_rst2man) --syntax-highlight=none $< $@
-
- .rst.1:
- $(RST2MAN)
-diff --git a/configure.ac b/configure.ac
-index b0bc2b9..8e3d6ce 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -252,12 +252,12 @@ fi
-
- # if docs are not disabled, check if rst2man is available
- if test $enable_man != "no"; then
-- AC_CHECK_PROG(have_rst2man, rst2man, yes, no)
-+ AC_CHECK_PROGS(have_rst2man, rst2man-3.6 rst2man-3.4 rst2man-3 rst2man, no)
- if test $have_rst2man = "no"; then
- if test $enable_man = "yes"; then
-- AC_MSG_ERROR([rst2man not found: cannot generate man pages, consider installing perl.])
-+ AC_MSG_ERROR([rst2man not found: cannot generate man pages, consider installing python{2,3}-docutils.])
- else
-- AC_MSG_WARN([rst2man not found: cannot generate man pages, consider installing perl. Disabling man page generation.])
-+ AC_MSG_WARN([rst2man not found: cannot generate man pages, consider installing python{2,3}-docutils. Disabling man page generation.])
- enable_man="no"
- fi
- else
---
-2.13.7
-
diff --git a/0007-checkopts-report-duplicated-options-in-man-page.patch b/0007-checkopts-report-duplicated-options-in-man-page.patch
deleted file mode 100644
index 668bb56..0000000
--- a/0007-checkopts-report-duplicated-options-in-man-page.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 77b028c11fee787d1235a08fd06c8b60d20eb9c0 Mon Sep 17 00:00:00 2001 -From: Aurelien Aptel -Date: Wed, 8 Aug 2018 11:38:15 +0200 -Subject: [PATCH 07/10] checkopts: report duplicated options in man page - -Signed-off-by: Aurelien Aptel ---- - checkopts | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/checkopts b/checkopts -index 26ca271..88e70b1 100755 ---- a/checkopts -+++ b/checkopts -@@ -98,9 +98,12 @@ def extract_man_opts(fn): - state = STATE_BASE - rx = RX() - opts = {} -+ ln = 0 - - with open(fn) as f: - for s in f.readlines(): -+ ln += 1 -+ - if state == STATE_EXIT: - break - -@@ -113,7 +116,9 @@ def extract_man_opts(fn): - s = chomp(s) - names = extract_canonical_opts(s) - for name in names: -- opts[name] = s -+ if name not in opts: -+ opts[name] = [] -+ opts[name].append({'ln':ln, 'fmt':s}) - elif rx.search(r'^[A-Z]+', s): - state = STATE_EXIT - return opts -@@ -174,6 +179,14 @@ def main(): - def opt_is_doc(o): - return o in manopts - -+ print('DUPLICATED DOC OPTIONS') -+ print('======================') -+ -+ for opt in sortedset(man_opts_set): -+ if len(manopts[opt]) > 1: -+ lines = ", ".join([str(x['ln']) for x in manopts[opt]]) -+ print("OPTION %-20.20s (lines %s)"%(opt, lines)) -+ print() - - print('UNDOCUMENTED OPTIONS') - print('====================') -@@ -208,8 +221,8 @@ def main(): - unex_opts = man_opts_set - kernel_opts_set - # group opts and their negations together - for opt in sortedset(unex_opts): -- fmt = manopts[opt] -- print('OPTION %s ("%s")' % (opt, fmt)) -+ man = manopts[opt][0] -+ print('OPTION %s ("%s") line %d' % (opt, man['fmt'], man['ln'])) - - - print('') --- -2.13.7 - diff --git a/0008-mount.cifs.rst-more-cleanups.patch b/0008-mount.cifs.rst-more-cleanups.patch deleted file mode 100644 index 9f80bae..0000000 --- a/0008-mount.cifs.rst-more-cleanups.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From 06503ef4490a3dde4e8297cf1c5cb336ba43aafa Mon Sep 17 00:00:00 2001 -From: Aurelien Aptel -Date: Wed, 8 Aug 2018 11:38:16 +0200 -Subject: [PATCH 08/10] mount.cifs.rst: more cleanups - -* remove duplicates (netbiosname, rdma) -* remove snapshot -* document nostrictsync, domain, domainauto better -* point to vers= when talking about version requirements -* typos - -Signed-off-by: Aurelien Aptel ---- - mount.cifs.rst | 61 ++++++++++++++++++++++++++++------------------------------ - 1 file changed, 29 insertions(+), 32 deletions(-) - -diff --git a/mount.cifs.rst b/mount.cifs.rst -index 13b3a1e..3504477 100644 ---- a/mount.cifs.rst -+++ b/mount.cifs.rst -@@ -138,25 +138,20 @@ port=arg - try to connect on port 445 first and then port 139 if that - fails. Return an error if both fail. - -- - netbiosname=arg -- Specify the client netbios name (RFC1001 name) to use when attempting -- to setup a session to the server. Although rarely needed for mounting -+ When mounting to servers via port 139, specifies the RFC1001 source -+ name to use to represent the client netbios machine during the netbios -+ session initialization. -+ -+servern=arg -+ Similar to ``netbiosname`` except it specifies the netbios name of -+ the server instead of the client. Although rarely needed for mounting - to newer servers, this option is needed for mounting to some older - servers (such as OS/2 or Windows 98 and Windows ME) since when - connecting over port 139 they, unlike most newer servers, do not - support a default server name. A server name can be up to 15 - characters long and is usually uppercased. - --servern=arg -- Similarl to ``netbiosname`` except it specifies the netbios name of -- the server instead of the client. -- --netbiosname=arg -- When mounting to servers via port 139, specifies the RFC1001 source -- name to use to represent the client netbios machine name when doing -- the RFC1001 netbios session initialize. 
-- - file_mode=arg - If the server does not support the CIFS Unix extensions this overrides - the default file mode. -@@ -171,11 +166,14 @@ ip=arg|addr=arg - rarely needs to be specified by the user. - - domain=arg|dom=arg|workgroup=arg -- sets the domain (workgroup) of the user. -+ Sets the domain (workgroup) of the user. If no domains are given, -+ the empty domain will be used. Use ``domainauto`` to automatically -+ guess the domain of the server you are connecting to. - - domainauto -- When using NTLMv2 authentification and not providing a domain via -+ When using NTLM authentication and not providing a domain via - ``domain``, guess the domain from the server NTLM challenge. -+ This behavior used to be the default on kernels older than 2.6.36. - - guest - don't prompt for a password. -@@ -249,7 +247,14 @@ cache=arg - default is ``strict``. - - nostrictsync -- Do not flush to the server on fsync(). -+ Do not ask the server to flush on fsync(). -+ Some servers perform non-buffered writes by default in which case -+ flushing is redundant. In workloads where a client is performing a -+ lot of small write + fsync combinations and where network latency is -+ much higher than the server latency, this brings a 2x performance -+ improvement. -+ This option is also a good candidate in scenarios where we want -+ performance over consistency. - - handlecache - (default) In SMB2 and above, the client often has to open the root -@@ -359,15 +364,16 @@ sec=arg - automatically if it's enabled in */proc/fs/cifs/SecurityFlags*. - - seal -- Request encryption at the SMB layer. Encryption is only supported in -- SMBv3 and above. The encryption algorithm used is AES-128-CCM. -+ Request encryption at the SMB layer. The encryption algorithm used -+ is AES-128-CCM. Requires SMB3 or above (see ``vers``). - - rdma -- Connect directly to the server using SMB Direct via a RDMA adapter. -+ Connect directly to the server using SMB Direct via a RDMA -+ adapter. 
Requires SMB3 or above (see ``vers``). - - resilienthandles - Enable resilient handles. If the server supports it, keep opened -- files across reconenctions. Requires SMB2.1. -+ files across reconnections. Requires SMB2.1 (see ``vers``). - - noresilienthandles - (default) Disable resilient handles. -@@ -375,16 +381,12 @@ noresilienthandles - persistenthandles - Enable persistent handles. If the server supports it, keep opened - files across reconnections. Persistent handles are also valid across -- servers in a cluser and have stronger guarantees than resilient -- handles. Requires SMB3 or above. -+ servers in a cluster and have stronger guarantees than resilient -+ handles. Requires SMB3 or above (see ``vers``). - - nopersistenthandles - (default) Disable persistent handles. - --snapshot=time -- Mount a specific snapshot of the remote share. ``time`` must be a -- positive integer identifying the snapshot requested. -- - nobrl - Do not send byte range lock requests to the server. This is necessary - for certain applications that break with cifs style mandatory byte -@@ -396,7 +398,7 @@ forcemandatorylock - extensions. Always use cifs style mandatory locks. - - locallease -- Check cache leases locally instead of querying the server. -+ Check cached leases locally instead of querying the server. - - sfu - When the CIFS Unix Extensions are not negotiated, attempt to create -@@ -425,11 +427,6 @@ echo_interval=n - If this option is not given then the default value of 60 seconds is used. - The minimum tunable value is 1 second and maximum can go up to 600 seconds. - --rdma -- Use to connect to SMB Direct, only applicable when specified with -- vers=3 or vers=3.x. -- Here 3.x can be 3.0, 3.02 or 3.1.1. -- - serverino - Use inode numbers (unique persistent file identifiers) returned by the - server instead of automatically generating temporary inode numbers on -@@ -471,7 +468,7 @@ nouser_xattr - support it otherwise. The default is for xattr support to be enabled. 
- nodfs
-- Do not follow Distributed FileSystem referals. IO on a file not
-+ Do not follow Distributed FileSystem referrals. IO on a file not
- stored on the server will fail instead of connecting to the target
- server transparently.
-
---
-2.13.7
-
diff --git a/0009-mount.cifs.rst-document-vers-3-mount-option.patch b/0009-mount.cifs.rst-document-vers-3-mount-option.patch
deleted file mode 100644
index 2cee173..0000000
--- a/0009-mount.cifs.rst-document-vers-3-mount-option.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 439cd76f72a2dd3c65fd7d30ece460cde6b9675d Mon Sep 17 00:00:00 2001
-From: Pavel Shilovsky
-Date: Fri, 17 Aug 2018 11:08:58 -0700
-Subject: [PATCH 09/10] mount.cifs.rst: document vers=3 mount option
-
-Signed-off-by: Pavel Shilovsky
----
- mount.cifs.rst | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/mount.cifs.rst b/mount.cifs.rst
-index 3504477..6587e16 100644
---- a/mount.cifs.rst
-+++ b/mount.cifs.rst
-@@ -592,6 +592,7 @@ vers=arg
- - 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2.
- - 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012.
- - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows Server 2016.
-+ - 3 - The SMBv3.0 protocol version and above.
-
- Note too that while this option governs the protocol version used, not
- all features of each version are available.
---
-2.13.7
-
diff --git a/0010-mount.cifs.rst-document-vers-3.02-mount-option.patch b/0010-mount.cifs.rst-document-vers-3.02-mount-option.patch
deleted file mode 100644
index e433bd8..0000000
--- a/0010-mount.cifs.rst-document-vers-3.02-mount-option.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3c7e8c3663f50c2d2df6158cc4d22c4fccdc8ae8 Mon Sep 17 00:00:00 2001
-From: Pavel Shilovsky
-Date: Fri, 17 Aug 2018 11:13:45 -0700
-Subject: [PATCH 10/10] mount.cifs.rst: document vers=3.02 mount option
-
-Signed-off-by: Pavel Shilovsky
----
- mount.cifs.rst | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/mount.cifs.rst b/mount.cifs.rst
-index 6587e16..a0faf7f 100644
---- a/mount.cifs.rst
-+++ b/mount.cifs.rst
-@@ -591,6 +591,7 @@ vers=arg
- different dialect (2.000) that is not supported.
- - 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2.
- - 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012.
-+ - 3.02 - The SMBv3.0.2 protocol that was introduced in Microsoft Windows 8.1 and Windows Server 2012R2.
- - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows Server 2016.
- - 3 - The SMBv3.0 protocol version and above.
-
---
-2.13.7
-
diff --git a/allow-dns-resolver-key-to-expire.patch b/allow-dns-resolver-key-to-expire.patch
deleted file mode 100644
index 1f4b00b..0000000
--- a/allow-dns-resolver-key-to-expire.patch
+++ /dev/null
@@ -1,268 +0,0 @@ -From paulo@paulo.ac Wed Feb 13 18:09:41 2019 -Return-path: -Received: from prv1-mx.provo.novell.com (novprvlin0515.provo.novell.com [130.57.1.105]) - by prv-mh.provo.novell.com with ESMTP (NOT encrypted); Wed, 13 Feb 2019 11:09:56 -0700 -Received: from vger.kernel.org (209.132.180.67) by prv1-mx.provo.novell.com (130.57.1.11) GWAVA SMTP; Wed, 13 Feb 2019 11:09:57 -0700 -X-Spam_ID: str=0001.0A020211.5C645D75.005D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0 -X-GWAVADAT: zFPcY7v2brlPt6Q2e5327cab1501d80247f45f4235d8ab62d9cebc212966054348ffdffbdcecc4b317boib3.17boib3.v6 -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1729522AbfBMSJ4 (ORCPT + 3 others); - Wed, 13 Feb 2019 13:09:56 -0500 -Received: from mail.paulo.ac ([18.228.144.36]:36484 "EHLO mail.paulo.ac" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1727937AbfBMSJz (ORCPT ); - Wed, 13 Feb 2019 13:09:55 -0500 -Received: from localhost (localhost [127.0.0.1]) - by mail.paulo.ac (Postfix) with ESMTP id 908B04823B16; - Wed, 13 Feb 2019 18:09:52 +0000 (UTC) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; s=default; - t=1550081392; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=; - h=From:To:Cc:Subject:Date; - b=T/4Gj7VIMqZKmdsNgp0GA1d/4g7rZD8wHngdPprFv5GJ3kwcM0HAiFs9IY7sqln2m - +zAQ9B5qbEoeJif9o/LeR7ED+kqAZyn+uGitgiE7DcMJ5wzvGIDZyl/KAGQn/35Auf - BNdDIwgVMyv0Iba6DiPlLSIXP9QBxBlXHGDD90fE= -Received: from mail.paulo.ac ([127.0.0.1]) - by localhost (ip-172-31-5-70.sa-east-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024) - with ESMTP id ztemnOMlOHdf; Wed, 13 Feb 2019 18:09:51 +0000 (UTC) -Received: from localhost.localdomain (unknown [186.215.53.127]) - (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) - (No client certificate requested) - by mail.paulo.ac (Postfix) with ESMTPSA id CAFF84822E3F; - Wed, 13 Feb 2019 18:09:50 +0000 (UTC) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=paulo.ac; 
s=default; - t=1550081391; bh=NPHMWzhC+dOx1uqYM9k6+umJOPTfdQQb4DDuwxCPykY=; - h=From:To:Cc:Subject:Date; - b=iyVAaOItT0Qa5SuPc9LRAoN1qb8VHw5hZNzhOF6NOB178UgZYt2Tt9pzR9/0UbhUF - GeJP0gK64HWvGmbDz8zRhrVgnZpGgAXfaPa20AuGm3WlrtZpb3Z2s/krSAI2I1tQfx - 82wY8IeZOD9F+709ZZlwlkGHMWiDLaiRH7xTJWIU= -From: Paulo Alcantara -To: linux-cifs@vger.kernel.org -Cc: smfrench@gmail.com, aaptel@suse.com, piastryyy@gmail.com, - Paulo Alcantara , - Paulo Alcantara -Subject: [PATCH] cifs: Allow DNS resolver key to expire -Date: Wed, 13 Feb 2019 16:09:41 -0200 -Message-Id: <20190213180941.2587-1-paulo@paulo.ac> -X-Mailer: git-send-email 2.20.1 -MIME-Version: 1.0 -Content-Transfer-Encoding: 8bit -Sender: linux-cifs-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-cifs@vger.kernel.org - -This patch introduces a new '--expire' option that allows the user to -set a timeout value for the dns resolver key -- which is typically -useful for hostnames that may get their ip addresses changed under -long running mounts. - -The default timeout value is set to 10 minutes. 
- -Signed-off-by: Paulo Alcantara ---- - cifs.upcall.c | 88 +++++++++++++++++++++++++++++++++------------- - cifs.upcall.rst.in | 5 ++- - 2 files changed, 67 insertions(+), 26 deletions(-) - -diff --git a/cifs.upcall.c b/cifs.upcall.c -index 89563fd42adc..c92ee62f6764 100644 ---- a/cifs.upcall.c -+++ b/cifs.upcall.c -@@ -63,6 +63,8 @@ - static krb5_context context; - static const char *prog = "cifs.upcall"; - -+#define DNS_RESOLVER_DEFAULT_TIMEOUT 600 /* 10 minutes */ -+ - typedef enum _sectype { - NONE = 0, - KRB5, -@@ -749,19 +751,48 @@ decode_key_description(const char *desc, struct decoded_args *arg) - return retval; - } - --static int cifs_resolver(const key_serial_t key, const char *key_descr) -+static int setup_key(const key_serial_t key, const void *data, size_t datalen) -+{ -+ int rc; -+ -+ rc = keyctl_instantiate(key, data, datalen, 0); -+ if (rc) { -+ switch (errno) { -+ case ENOMEM: -+ case EDQUOT: -+ rc = keyctl_clear(key); -+ if (rc) { -+ syslog(LOG_ERR, "%s: keyctl_clear: %s", -+ __func__, strerror(errno)); -+ return rc; -+ } -+ rc = keyctl_instantiate(key, data, datalen, 0); -+ break; -+ default: -+ ; -+ } -+ } -+ if (rc) { -+ syslog(LOG_ERR, "%s: keyctl_instantiate: %s", -+ __func__, strerror(errno)); -+ } -+ return rc; -+} -+ -+static int cifs_resolver(const key_serial_t key, const char *key_descr, -+ const char *key_buf, unsigned expire_time) - { - int c; - struct addrinfo *addr; - char ip[INET6_ADDRSTRLEN]; - void *p; -- const char *keyend = key_descr; -+ const char *keyend = key_buf; - /* skip next 4 ';' delimiters to get to description */ - for (c = 1; c <= 4; c++) { - keyend = index(keyend + 1, ';'); - if (!keyend) { - syslog(LOG_ERR, "invalid key description: %s", -- key_descr); -+ key_buf); - return 1; - } - } -@@ -787,15 +818,21 @@ static int cifs_resolver(const key_serial_t key, const char *key_descr) - return 1; - } - -- /* setup key */ -- c = keyctl_instantiate(key, ip, strlen(ip) + 1, 0); -- if (c == -1) { -- syslog(LOG_ERR, "%s: 
keyctl_instantiate: %s", __func__, -- strerror(errno)); -- freeaddrinfo(addr); -- return 1; -- } -+ /* needed for keyctl_set_timeout() */ -+ request_key("keyring", key_descr, NULL, KEY_SPEC_THREAD_KEYRING); - -+ c = setup_key(key, ip, strlen(ip) + 1); -+ if (c) { -+ freeaddrinfo(addr); -+ return 1; -+ } -+ c = keyctl_set_timeout(key, expire_time); -+ if (c) { -+ syslog(LOG_ERR, "%s: keyctl_set_timeout: %s", __func__, -+ strerror(errno)); -+ freeaddrinfo(addr); -+ return 1; -+ } - freeaddrinfo(addr); - return 0; - } -@@ -864,7 +901,7 @@ lowercase_string(char *c) - - static void usage(void) - { -- fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] key_serial\n", prog); -+ fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog); - } - - static const struct option long_options[] = { -@@ -874,6 +911,7 @@ static const struct option long_options[] = { - {"trust-dns", 0, NULL, 't'}, - {"keytab", 1, NULL, 'K'}, - {"version", 0, NULL, 'v'}, -+ {"expire", 1, NULL, 'e'}, - {NULL, 0, NULL, 0} - }; - -@@ -897,13 +935,15 @@ int main(const int argc, char *const argv[]) - char *env_cachename = NULL; - krb5_ccache ccache = NULL; - struct passwd *pw; -+ unsigned expire_time = DNS_RESOLVER_DEFAULT_TIMEOUT; -+ const char *key_descr = NULL; - - hostbuf[0] = '\0'; - memset(&arg, 0, sizeof(arg)); - - openlog(prog, 0, LOG_DAEMON); - -- while ((c = getopt_long(argc, argv, "cEk:K:ltv", long_options, NULL)) != -1) { -+ while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) { - switch (c) { - case 'c': - /* legacy option -- skip it */ -@@ -931,6 +971,9 @@ int main(const int argc, char *const argv[]) - rc = 0; - printf("version: %s\n", VERSION); - goto out; -+ case 'e': -+ expire_time = strtoul(optarg, NULL, 10); -+ break; - default: - syslog(LOG_ERR, "unknown option: %c", c); - goto out; -@@ -965,9 +1008,12 @@ int main(const int argc, char *const argv[]) - - 
syslog(LOG_DEBUG, "key description: %s", buf); - -- if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) || -- (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)) { -- rc = cifs_resolver(key, buf); -+ if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) -+ key_descr = ".cifs.resolver"; -+ else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0) -+ key_descr = ".dns_resolver"; -+ if (key_descr) { -+ rc = cifs_resolver(key, key_descr, buf, expire_time); - goto out; - } - -@@ -1193,16 +1239,8 @@ retry_new_hostname: - memcpy(&(keydata->data) + keydata->sesskey_len, - secblob.data, secblob.length); - -- /* setup key */ -- rc = keyctl_instantiate(key, keydata, datalen, 0); -- if (rc == -1) { -- syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno)); -- goto out; -- } -+ rc = setup_key(key, keydata, datalen); - -- /* BB: maybe we need use timeout for key: for example no more then -- * ticket lifietime? */ -- /* keyctl_set_timeout( key, 60); */ - out: - /* - * on error, negatively instantiate the key ourselves so that we can -diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in -index 1b8df3f31d94..08ce324fc5f6 100644 ---- a/cifs.upcall.rst.in -+++ b/cifs.upcall.rst.in -@@ -13,7 +13,7 @@ SYNOPSIS - - cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] - [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] -- [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} -+ [--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid} - - *********** - DESCRIPTION -@@ -85,6 +85,9 @@ OPTIONS - user. Set this option if you want cifs.upcall to use the older uid= - parameter instead of the creduid= parameter. - -+--expire|-e -+ Override default timeout value (600 seconds) for ``dns_resolver`` key. -+ - --version|-v - Print version number and exit. - --- -2.20.1 - - - - diff --git a/cifs-utils-6.8.tar.bz2 b/cifs-utils-6.8.tar.bz2 deleted file mode 100644 index b3af532..0000000 
--- a/cifs-utils-6.8.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e7d1f6050c43f21f82cd77e288eb756755effd22f0c310fc2c525df9d41dff79
-size 384426
diff --git a/cifs-utils-6.8.tar.bz2.asc b/cifs-utils-6.8.tar.bz2.asc
deleted file mode 100644
index 4ecc087..0000000
--- a/cifs-utils-6.8.tar.bz2.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iQIcBAABCAAGBQJaozrEAAoJEN9bqdMGQtWgo20P/R1mqzgHoAfD1PrIGDHAbHmf
-P5cvhZgsd+NnaYEFGm8HnYrY7cPWNgVB+PnBaUgfTXJ3NHiMT8dmtFaic4AWOxxN
-o+8RPut+UYaEvG2aZr+mDK0Ig5zXU8GIxTxrCwrrzg2ZGBVW2x9J3wrOyomuPwIq
-4UPlAX94fcOhKtcwtEqqG5BOXB9atNSw8fSmaxktgr0qAOc5wECZpmLimZjyX2qx
-ASVFkTRmW4jl9YAOqAJ/CQti7MTEBFop5XuBgF8mbQgFTc0oMjcpUVUDC5a9tQEi
-Tv8+GL0y0a8S6I7AH364pJFiZrHDbX3y8F3QTN/u4c1Fy8mkbcp3VLAwvrgFhzx4
-e+X4Wezgu24zxIa/rmUySVpy3pjpshxuPR549lQHtZBLTlgLSO/MIB/E9V/0uC4g
-vcPMS5zve603s3y/pEHkTHjv+WYMLVbI2Jc01rhDQGLB2wox5MyheFgfvSe12Gwa
-LLYDT8O4B2mgXcXocsn2YOq369t8ZGIWhi2xpt7XQVL5wrmRAzM03/MBU5oJr0pl
-NOG5RBZ8TJeBwJe7PAYB76B65e84uBn12hZCyeaYiQtHHiSYH9q1th12fXuySNxF
-1C2XAcO327cTQtG5gI9m5DHPut8xjjBiIsdZJYIL8XhOrISy7AqpWu7C6rbt6VvZ
-10JbR5QQcpNXPPW8209H
-=Cn5o
------END PGP SIGNATURE-----
diff --git a/cifs-utils-6.9.tar.bz2 b/cifs-utils-6.9.tar.bz2
new file mode 100644
index 0000000..2837b18
--- /dev/null
+++ b/cifs-utils-6.9.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18d8f1bf92c13c4d611502dbd6759e3a766ddc8467ec8a2eda3f589e40b9ac9c
+size 400430
diff --git a/cifs-utils-6.9.tar.bz2.asc b/cifs-utils-6.9.tar.bz2.asc
new file mode 100644
index 0000000..44b2d92
--- /dev/null
+++ b/cifs-utils-6.9.tar.bz2.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCAAGBQJcp5M4AAoJEN9bqdMGQtWgCs8P/i5KHJSpV07TCiBXIq6mdQL5
+WiUVGMuYrRpyRxg9+HbM+3I6G9OZX9OJvn9/+0Ph30fWgbspa2M+4P2K1DDS+vAF
+fOkdKMHKm+/gosCI5Ys45bgtKfjmlXoT0FPHQaIZv9MrX8dJwKoVxcGpb85J1H/H
+rnxFPJ+Pm6UEXnJH+ejCdACTPSFtiE4UJ/vZhlIXX1BY5qKZJes3TEjeEJxKIIWi
+hRgO1yDyHRt5wDmvG0gQZAazM5pgCXKro1osYmCY545TYGOWirlciRCdxZtwlvhR
+6f92XuLhEMrcIIHXLVD/F3hffHaoXtggzOWkekh6yHT6zA0CNn8x+mqn8dVimE1H
+YWbKX2b3ezJqcXAL4eY1r4jlAPoinNpOaJ7NIza2ZTAhH8mf5WITA9vnwB4VAp0A
+vfAVliN0TgzRk7lDuP/pe41jrTEgQ6QqgyEq5g6WdEMyoIAu3AhBGTUXxlTI4qrq
+wWeRf7tdntEdMcbQlV7oLsB7yK3A7t1UwG9uacG7l6EUpezT0ljN9po8Sydnvv7Q
+OXhIUJgXHWlKdDavHAurnCAVD2fw3t++J0lzYXjdQV0D3xs743Y0cO1hDRkTZ+7i
+gyg9/xkC7yHILSQKDfICJClrQ1Kot34FXnwnrRbneKnvlrzQz38h2jeTTlha1jsL
+xGzoIqfXZnPcwgTCAL3M
+=1TCn
+-----END PGP SIGNATURE-----
diff --git a/cifs-utils.changes b/cifs-utils.changes
index 3f90063..d7e7d0a 100644
--- a/cifs-utils.changes
+++ b/cifs-utils.changes
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Wed Apr 10 11:07:07 UTC 2019 - Aurelien Aptel + +- Update to cifs-utils 6.9; (bsc#1132087). + * adds fixes for Azure + * new smbinfo utility + * remove cifs-utils-6.8.tar.bz2 + * remove cifs-utils-6.8.tar.bz2.asc + * add cifs-utils-6.9.tar.bz2 + * add cifs-utils-6.9.tar.bz2.asc +- Remove backports that are already in 6.9; (fate#325270); (bsc#1130528); + * remove 0001-docs-cleanup-rst-formating.patch + * remove 0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch + * remove 0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch + * remove 0004-checkopts-add-python-script-to-cross-check-mount-opt.patch + * remove 0005-mount.cifs.rst-document-missing-options-correct-wron.patch + * remove 0006-cifs-utils-support-rst2man-3.patch + * remove 0007-checkopts-report-duplicated-options-in-man-page.patch + * remove 0008-mount.cifs.rst-more-cleanups.patch + * remove 0009-mount.cifs.rst-document-vers-3-mount-option.patch + * remove 0010-mount.cifs.rst-document-vers-3.02-mount-option.patch + * remove allow-dns-resolver-key-to-expire.patch + * remove suse-document-new-vers-default-SMB2.1.patch + ------------------------------------------------------------------- Tue Mar 12 13:39:46 UTC 2019 - palcantara@suse.de diff --git a/cifs-utils.spec b/cifs-utils.spec index 83c9dc0..f131255 100644 --- a/cifs-utils.spec +++ b/cifs-utils.spec @@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: cifs-utils -Version: 6.8 +Version: 6.9 Release: 0 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem License: GPL-3.0-or-later 
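Review bot: The header comment in the first cifs-utils.spec hunk (`@@ -12,12 +12,12 @@`) switches the bug-tracker link from `https://bugs.opensuse.org/` to `http://bugs.opensuse.org/`, a change unrelated to the 6.9 update that points readers at a cleartext URL. It looks like an older spec header was carried over, though the page does not say so; I would keep the existing line, `# Please submit bugfixes or comments via https://bugs.opensuse.org/`. The `Version: 6.9` bump in the same hunk is fine as it stands.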
@@ -32,19 +32,6 @@ Source6: cifs-utils.keyring Source100: README.cifstab.migration Source1: cifs.init -Patch0: 0001-docs-cleanup-rst-formating.patch -Patch1: 0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch -Patch2: 0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch -Patch3: 0004-checkopts-add-python-script-to-cross-check-mount-opt.patch -Patch4: 0005-mount.cifs.rst-document-missing-options-correct-wron.patch -Patch5: 0006-cifs-utils-support-rst2man-3.patch -Patch6: 0007-checkopts-report-duplicated-options-in-man-page.patch -Patch7: 0008-mount.cifs.rst-more-cleanups.patch -Patch8: 0009-mount.cifs.rst-document-vers-3-mount-option.patch -Patch9: 0010-mount.cifs.rst-document-vers-3.02-mount-option.patch -Patch10: suse-document-new-vers-default-SMB2.1.patch -Patch11: allow-dns-resolver-key-to-expire.patch - # cifs-utils 6.8 switched to python for man page generation # we need to require either py2 or py3 package # some products do not have a py2/py3 versions @@ -101,7 +88,7 @@ the Linux CIFS filesystem. %package devel Summary: Files needed for building plugins for cifs-utils -Group: Development/Libraries +Group: Development/Libraries/C and C++ %description devel The SMB/CIFS protocol is a standard file sharing protocol widely deployed @@ -125,18 +112,6 @@ provide these credentials to the kernel automatically at login. %prep %setup -q cp -a ${RPM_SOURCE_DIR}/README.cifstab.migration . -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 %build export CFLAGS="%{optflags} -D_GNU_SOURCE -fpie" 
@@ -187,7 +162,9 @@ touch %{buildroot}/%{_sysconfdir}/sysconfig/network/if-{down,up}.d/${script} \ %{_mandir}/man8/cifs.idmap.8%{ext_man} %{_bindir}/cifscreds %{_sbindir}/cifs.upcall +%{_bindir}/smbinfo %{_mandir}/man1/cifscreds.1%{ext_man} +%{_mandir}/man1/smbinfo.1%{ext_man} %{_mandir}/man8/cifs.upcall.8%{ext_man} %{_mandir}/man8/mount.cifs.8%{ext_man} %dir %{_sysconfdir}/request-key.d diff --git a/suse-document-new-vers-default-SMB2.1.patch b/suse-document-new-vers-default-SMB2.1.patch deleted file mode 100644 index 51ed1b0..0000000 --- a/suse-document-new-vers-default-SMB2.1.patch +++ /dev/null @@ -1,37 +0,0 @@ -Index: cifs-utils-6.8/mount.cifs.c -=================================================================== ---- cifs-utils-6.8.orig/mount.cifs.c -+++ cifs-utils-6.8/mount.cifs.c -@@ -2099,6 +2099,10 @@ mount_retry: - switch (errno) { - case ECONNREFUSED: - case EHOSTUNREACH: -+ if (currentaddress) { -+ fprintf(stderr, "mount error(%d): could not connect to %s", -+ errno, currentaddress); -+ } - currentaddress = nextaddress; - if (currentaddress) { - nextaddress = strchr(currentaddress, ','); -@@ -2110,6 +2114,12 @@ mount_retry: - fprintf(stderr, - "mount error: %s filesystem not supported by the system\n", cifs_fstype); - break; -+ case EHOSTDOWN: -+ fprintf(stderr, -+ "mount error: Server abruptly closed the connection.\n" -+ "This can happen if the server does not support the SMB version you are trying to use.\n" -+ "The default SMB version recently changed from SMB1 to SMB2.1 and above. Try mounting with vers=1.0.\n"); -+ break; - case ENXIO: - if (!already_uppercased && - uppercase_string(parsed_info->host) && -@@ -2126,7 +2136,7 @@ mount_retry: - strerror(errno)); - fprintf(stderr, - "Refer to the %s(8) manual page (e.g. man " -- "%s)\n", thisprogram, thisprogram); -+ "%s) and kernel log messages (dmesg)\n", thisprogram, thisprogram); - rc = EX_FAIL; - goto mount_exit; - }