David Mulder
47eae704ae
- Update to cifs-utils 6.8. + document more mount options + man pages now generated from RST files + add python-docutils build dependency + update keyring to check tarball signature - Add typo corrections, better doc and configure fixes from upstream + add 0001-docs-cleanup-rst-formating.patch + add 0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch + add 0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch + add 0004-checkopts-add-python-script-to-cross-check-mount-opt.patch + add 0005-mount.cifs.rst-document-missing-options-correct-wron.patch + add 0006-cifs-utils-support-rst2man-3.patch + add 0007-checkopts-report-duplicated-options-in-man-page.patch + add 0008-mount.cifs.rst-more-cleanups.patch + add 0009-mount.cifs.rst-document-vers-3-mount-option.patch + add 0010-mount.cifs.rst-document-vers-3.02-mount-option.patch - Cleanup spec file * assume SUSE vendor and SLE >= 11 OBS-URL: https://build.opensuse.org/request/show/634977 OBS-URL: https://build.opensuse.org/package/show/network:samba:STABLE/cifs-utils?expand=0&rev=153
1121 lines
32 KiB
Diff
1121 lines
32 KiB
Diff
From 81dcfb24f54a5757f7c9fe08285bf527b8333506 Mon Sep 17 00:00:00 2001
|
|
From: Aurelien Aptel <aaptel@suse.com>
|
|
Date: Tue, 15 May 2018 10:12:32 +0200
|
|
Subject: [PATCH 01/10] docs: cleanup rst formating
|
|
|
|
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
|
|
Reviewed-by: Steve French <smfrench@gmail.com>
|
|
Reviewed-by: Pavel Shilovsky <piastryyy@gmail.com>
|
|
---
|
|
cifs.idmap.rst.in | 71 ++++++-------------
|
|
cifs.upcall.rst.in | 200 ++++++++++++++++++++---------------------------------
|
|
cifscreds.rst | 92 ++++++++----------------
|
|
getcifsacl.rst.in | 40 +++--------
|
|
idmapwb.rst.in | 19 +++--
|
|
mount.cifs.rst | 9 ++-
|
|
pam_cifscreds.rst | 61 +++++-----------
|
|
setcifsacl.rst.in | 143 ++++++++++----------------------------
|
|
8 files changed, 201 insertions(+), 434 deletions(-)
|
|
|
|
diff --git a/cifs.idmap.rst.in b/cifs.idmap.rst.in
|
|
index 91b585e..60d7f0a 100644
|
|
--- a/cifs.idmap.rst.in
|
|
+++ b/cifs.idmap.rst.in
|
|
@@ -11,124 +11,93 @@ Userspace helper for mapping ids for Common Internet File System (CIFS)
|
|
SYNOPSIS
|
|
********
|
|
|
|
-
|
|
-cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid}
|
|
-
|
|
+ cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid}
|
|
|
|
***********
|
|
DESCRIPTION
|
|
***********
|
|
|
|
-
|
|
This tool is part of the cifs-utils suite.
|
|
|
|
-\ **cifs.idmap**\ is a userspace helper program for the linux CIFS client
|
|
+``cifs.idmap`` is a userspace helper program for the linux CIFS client
|
|
filesystem. There are a number of activities that the kernel cannot
|
|
easily do itself. This program is a callout program that does these
|
|
things for the kernel and then returns the result.
|
|
|
|
-\ **cifs.idmap**\ is generally intended to be run when the kernel calls
|
|
+``cifs.idmap`` is generally intended to be run when the kernel calls
|
|
request-key(8) for a particular key type. While it can be run
|
|
directly from the command-line, it is not generally intended to be run
|
|
that way.
|
|
|
|
-This program is only called if a share is mounted with the \ **cifsacl**\
|
|
+This program is only called if a share is mounted with the ``cifsacl``
|
|
mount option. The kernel will only upcall to do this conversion if
|
|
that mount option is specified.
|
|
|
|
-\ **cifs.idmap**\ relies on a plugin to handle the ID mapping. If it can't
|
|
+``cifs.idmap`` relies on a plugin to handle the ID mapping. If it can't
|
|
find the plugin then it will not work properly. The plugin (or a
|
|
symlink to it) must be at @pluginpath@.
|
|
|
|
-In the case where \ **cifs.idmap**\ or the plugin are unavailable, file
|
|
+In the case where ``cifs.idmap`` or the plugin are unavailable, file
|
|
objects in a mounted share are assigned uid and gid of the credentials
|
|
of the process that mounted the share. It is strongly recomemended to
|
|
use mount options of uid and gid to specify a default uid and gid to
|
|
map owner SIDs and group SIDs in this situation.
|
|
|
|
-
|
|
*******
|
|
OPTIONS
|
|
*******
|
|
|
|
+--help|-h
|
|
+ Print the usage message and exit.
|
|
|
|
+--timeout|-t
|
|
+ Set the expiration timer, in seconds on the key. The default is 600
|
|
+ seconds (10 minutes). Setting this to 0 will cause the key to never
|
|
+ expire.
|
|
|
|
-\ **--help|-h**\
|
|
-
|
|
- Print the usage message and exit.
|
|
-
|
|
-
|
|
-
|
|
-\ **--timeout|-t**\
|
|
-
|
|
- Set the expiration timer, in seconds on the key. The default is 600
|
|
- seconds (10 minutes). Setting this to 0 will cause the key to never
|
|
- expire.
|
|
-
|
|
-
|
|
-
|
|
-\ **--version|-v**\
|
|
-
|
|
- Print version number and exit.
|
|
-
|
|
-
|
|
-
|
|
+--version|-v
|
|
+ Print version number and exit.
|
|
|
|
************************
|
|
CONFIGURATION FOR KEYCTL
|
|
************************
|
|
|
|
-
|
|
-\ **cifs.idmap**\ is designed to be called from the kernel via the
|
|
+``cifs.idmap`` is designed to be called from the kernel via the
|
|
request-key callout program. This requires that request-key be told
|
|
-where and how to call this program. Currently \ **cifs.idmap**\ handles a
|
|
-key type of:
|
|
+where and how to call this program. Currently ``cifs.idmap`` handles a
|
|
+key type of::
|
|
|
|
+ cifs.idmap
|
|
|
|
-\ **cifs.idmap**\
|
|
-
|
|
- This keytype is for mapping a SID to either an uid or a gid
|
|
-
|
|
-
|
|
+This keytype is for mapping a SID to either an uid or a gid.
|
|
|
|
To make this program useful for CIFS, you will need to set up entry for it in
|
|
-request-key.conf(5). Here is an example of an entry for this key type:
|
|
-
|
|
-
|
|
-.. code-block:: perl
|
|
+request-key.conf(5). Here is an example of an entry for this key type::
|
|
|
|
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
|
|
#========= ============= = = ================================
|
|
create cifs.idmap * * @sbindir@/cifs.idmap %k
|
|
|
|
-
|
|
See request-key.conf(5) for more info on each field.
|
|
|
|
-
|
|
*****
|
|
NOTES
|
|
*****
|
|
|
|
-
|
|
Support for upcalls to cifs.idmap was initially introduced in the 3.0
|
|
kernel.
|
|
|
|
-
|
|
********
|
|
SEE ALSO
|
|
********
|
|
|
|
-
|
|
request-key.conf(5), mount.cifs(8)
|
|
|
|
-
|
|
******
|
|
AUTHOR
|
|
******
|
|
|
|
-
|
|
Shirish Pargaonkar wrote the cifs.idmap program.
|
|
|
|
The Linux CIFS Mailing list is the preferred place to ask questions
|
|
regarding these programs.
|
|
-
|
|
diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in
|
|
index 8f4ee62..1b8df3f 100644
|
|
--- a/cifs.upcall.rst.in
|
|
+++ b/cifs.upcall.rst.in
|
|
@@ -7,178 +7,131 @@ Userspace upcall helper for Common Internet File System (CIFS)
|
|
--------------------------------------------------------------
|
|
:Manual section: 8
|
|
|
|
-
|
|
********
|
|
SYNOPSIS
|
|
********
|
|
|
|
-.. code-block:: perl
|
|
-
|
|
- cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
|
|
- [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
|
|
- [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}
|
|
-
|
|
-
|
|
+ cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
|
|
+ [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
|
|
+ [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}
|
|
|
|
***********
|
|
DESCRIPTION
|
|
***********
|
|
|
|
-
|
|
This tool is part of the cifs-utils suite.
|
|
|
|
-\ **cifs.upcall**\ is a userspace helper program for the linux CIFS client
|
|
+``cifs.upcall`` is a userspace helper program for the linux CIFS client
|
|
filesystem. There are a number of activities that the kernel cannot
|
|
easily do itself. This program is a callout program that does these
|
|
things for the kernel and then returns the result.
|
|
|
|
-\ **cifs.upcall**\ is generally intended to be run when the kernel calls
|
|
+``cifs.upcall`` is generally intended to be run when the kernel calls
|
|
request-key(8) for a particular key type. While it can be run
|
|
directly from the command-line, it's not generally intended to be run
|
|
that way.
|
|
|
|
-
|
|
*******
|
|
OPTIONS
|
|
*******
|
|
|
|
-
|
|
-
|
|
-\ **-c**\
|
|
-
|
|
- This option is deprecated and is currently ignored.
|
|
-
|
|
-
|
|
-
|
|
-\ **--no-env-probe|-E**\
|
|
-
|
|
- Normally, \ **cifs.upcall**\ will probe the environment variable space of
|
|
- the process that initiated the upcall in order to fetch the value of
|
|
- \ ``$KRB5CCNAME``\ . This can assist the program with finding credential
|
|
- caches in non-default locations. If this option is set, then the
|
|
- program won't do this and will rely on finding credcaches in the
|
|
- default locations specified in \ *krb5.conf*\ . Note that this is never
|
|
- performed when the uid is 0. The default credcache location is always
|
|
- used when the uid is 0, regardless of the environment variable setting
|
|
- in the process.
|
|
-
|
|
-
|
|
-
|
|
-\ **--krb5conf|-k=/path/to/krb5.conf**\
|
|
-
|
|
- This option allows administrators to set an alternate location for the
|
|
- \ *krb5.conf*\ file that \ **cifs.upcall**\ will use.
|
|
-
|
|
-
|
|
-
|
|
-\ **--keytab=|-K=/path/to/keytab**\
|
|
-
|
|
- This option allows administrators to specify a keytab file to be
|
|
- used. When a user has no credential cache already established,
|
|
- \ **cifs.upcall**\ will attempt to use this keytab to acquire them. The
|
|
- default is the system-wide keytab \ */etc/krb5.keytab*\ .
|
|
-
|
|
-
|
|
-
|
|
-\ **--trust-dns|-t**\
|
|
-
|
|
- With krb5 upcalls, the name used as the host portion of the service
|
|
- principal defaults to the hostname portion of the UNC. This option
|
|
- allows the upcall program to reverse resolve the network address of
|
|
- the server in order to get the hostname.
|
|
-
|
|
- This is less secure than not trusting DNS. When using this option,
|
|
- it's possible that an attacker could get control of DNS and trick the
|
|
- client into mounting a different server altogether. It's preferable to
|
|
- instead add server principals to the KDC for every possible hostname,
|
|
- but this option exists for cases where that isn't possible. The
|
|
- default is to not trust reverse hostname lookups in this fashion.
|
|
-
|
|
-
|
|
-
|
|
-\ **--legacy-uid|-l**\
|
|
-
|
|
- Traditionally, the kernel has sent only a single uid= parameter to the
|
|
- upcall for the SPNEGO upcall that's used to determine what user's
|
|
- credential cache to use. This parameter is affected by the \ **uid=**\
|
|
- mount option, which also governs the ownership of files on the mount.
|
|
-
|
|
- Newer kernels send a creduid= option as well, which contains what uid
|
|
- it thinks actually owns the credentials that it's looking for. At
|
|
- mount time, this is generally set to the real uid of the user doing
|
|
- the mount. For multisession mounts, it's set to the fsuid of the mount
|
|
- user. Set this option if you want cifs.upcall to use the older \ **uid=**\
|
|
- parameter instead of the creduid= parameter.
|
|
-
|
|
-
|
|
-
|
|
-\ **--version|-v**\
|
|
-
|
|
- Print version number and exit.
|
|
-
|
|
-
|
|
-
|
|
+-c
|
|
+ This option is deprecated and is currently ignored.
|
|
+
|
|
+--no-env-probe|-E
|
|
+ Normally, ``cifs.upcall`` will probe the environment variable space of
|
|
+ the process that initiated the upcall in order to fetch the value of
|
|
+ ``$KRB5CCNAME``. This can assist the program with finding credential
|
|
+ caches in non-default locations. If this option is set, then the
|
|
+ program won't do this and will rely on finding credcaches in the
|
|
+ default locations specified in *krb5.conf*. Note that this is never
|
|
+ performed when the uid is 0. The default credcache location is always
|
|
+ used when the uid is 0, regardless of the environment variable setting
|
|
+ in the process.
|
|
+
|
|
+--krb5conf|-k=/path/to/krb5.conf
|
|
+ This option allows administrators to set an alternate location for the
|
|
+ *krb5.conf* file that ``cifs.upcall`` will use.
|
|
+
|
|
+--keytab=|-K=/path/to/keytab
|
|
+ This option allows administrators to specify a keytab file to be
|
|
+ used. When a user has no credential cache already established,
|
|
+ ``cifs.upcall`` will attempt to use this keytab to acquire them. The
|
|
+ default is the system-wide keytab */etc/krb5.keytab*.
|
|
+
|
|
+--trust-dns|-t
|
|
+ With krb5 upcalls, the name used as the host portion of the service
|
|
+ principal defaults to the hostname portion of the UNC. This option
|
|
+ allows the upcall program to reverse resolve the network address of
|
|
+ the server in order to get the hostname.
|
|
+
|
|
+ This is less secure than not trusting DNS. When using this option,
|
|
+ it's possible that an attacker could get control of DNS and trick the
|
|
+ client into mounting a different server altogether. It's preferable to
|
|
+ instead add server principals to the KDC for every possible hostname,
|
|
+ but this option exists for cases where that isn't possible. The
|
|
+ default is to not trust reverse hostname lookups in this fashion.
|
|
+
|
|
+--legacy-uid|-l
|
|
+ Traditionally, the kernel has sent only a single uid= parameter to the
|
|
+ upcall for the SPNEGO upcall that's used to determine what user's
|
|
+ credential cache to use. This parameter is affected by the uid=
|
|
+ mount option, which also governs the ownership of files on the mount.
|
|
+
|
|
+ Newer kernels send a creduid= option as well, which contains what uid
|
|
+ it thinks actually owns the credentials that it's looking for. At
|
|
+ mount time, this is generally set to the real uid of the user doing
|
|
+ the mount. For multisession mounts, it's set to the fsuid of the mount
|
|
+ user. Set this option if you want cifs.upcall to use the older uid=
|
|
+ parameter instead of the creduid= parameter.
|
|
+
|
|
+--version|-v
|
|
+ Print version number and exit.
|
|
|
|
************************
|
|
CONFIGURATION FOR KEYCTL
|
|
************************
|
|
|
|
-
|
|
-\ **cifs.upcall**\ is designed to be called from the kernel via the
|
|
+``cifs.upcall`` is designed to be called from the kernel via the
|
|
request-key callout program. This requires that request-key be told
|
|
-where and how to call this program. The current \ **cifs.upcall**\
|
|
+where and how to call this program. The current ``cifs.upcall``
|
|
program handles two different key types:
|
|
|
|
+cifs.spnego
|
|
+ This keytype is for retrieving kerberos session keys
|
|
+
|
|
+dns_resolver
|
|
+ This key type is for resolving hostnames into IP addresses. Support
|
|
+ for this key type may eventually be deprecated (see below).
|
|
+
|
|
+ To make this program useful for CIFS, you'll need to set up entries
|
|
+ for them in request-key.conf(5). Here's an example of an entry for
|
|
+ each key type::
|
|
|
|
-\ **cifs.spnego**\
|
|
-
|
|
- This keytype is for retrieving kerberos session keys
|
|
-
|
|
-
|
|
-
|
|
-\ **dns_resolver**\
|
|
-
|
|
- This key type is for resolving hostnames into IP addresses. Support
|
|
- for this key type may eventually be deprecated (see below).
|
|
-
|
|
- To make this program useful for CIFS, you'll need to set up entries
|
|
- for them in request-key.conf(5). Here's an example of an entry for
|
|
- each key type:
|
|
-
|
|
-
|
|
- .. code-block:: perl
|
|
-
|
|
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
|
|
#========= ============= = = ================================
|
|
create cifs.spnego * * @sbindir@/cifs.upcall %k
|
|
create dns_resolver * * @sbindir@/cifs.upcall %k
|
|
-
|
|
-
|
|
- See request-key.conf(5) for more info on each field.
|
|
-
|
|
- The keyutils package has also started including a dns_resolver
|
|
- handling program as well that is preferred over the one in
|
|
- \ **cifs.upcall.**\ If you are using a keyutils version equal to or
|
|
- greater than 1.5, you should use \ ``key.dns_resolver``\ to handle the
|
|
- \ ``dns_resolver``\ keytype instead of \ **cifs.upcall**\ . See
|
|
- key.dns_resolver(8) for more info.
|
|
-
|
|
|
|
+ See request-key.conf(5) for more info on each field.
|
|
|
|
+ The keyutils package has also started including a dns_resolver
|
|
+ handling program as well that is preferred over the one in
|
|
+ ``cifs.upcall``. If you are using a keyutils version equal to or
|
|
+ greater than 1.5, you should use ``key.dns_resolver`` to handle the
|
|
+ ``dns_resolver`` keytype instead of ``cifs.upcall``. See
|
|
+ key.dns_resolver(8) for more info.
|
|
|
|
********
|
|
SEE ALSO
|
|
********
|
|
|
|
-
|
|
request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
|
|
|
|
-
|
|
******
|
|
AUTHOR
|
|
******
|
|
|
|
-
|
|
Igor Mammedov wrote the cifs.upcall program.
|
|
|
|
Jeff Layton authored this manpage.
|
|
@@ -187,4 +140,3 @@ The maintainer of the Linux CIFS VFS is Steve French.
|
|
|
|
The Linux CIFS Mailing list is the preferred place to ask questions
|
|
regarding these programs.
|
|
-
|
|
diff --git a/cifscreds.rst b/cifscreds.rst
|
|
index 5c2a195..a6676cb 100644
|
|
--- a/cifscreds.rst
|
|
+++ b/cifscreds.rst
|
|
@@ -5,125 +5,91 @@ cifscreds
|
|
-----------------------------------------
|
|
manage NTLM credentials in kernel keyring
|
|
-----------------------------------------
|
|
-
|
|
:Manual section: 1
|
|
|
|
********
|
|
SYNOPSIS
|
|
********
|
|
|
|
-
|
|
-cifscreds add|clear|clearall|update [-u username] [-d] host|domain
|
|
-
|
|
+ cifscreds add|clear|clearall|update [-u username] [-d] host|domain
|
|
|
|
***********
|
|
DESCRIPTION
|
|
***********
|
|
|
|
-
|
|
-The \ **cifscreds**\ program is a tool for managing credentials (username
|
|
+The ``cifscreds`` program is a tool for managing credentials (username
|
|
and password) for the purpose of establishing sessions in multiuser
|
|
mounts.
|
|
|
|
When a cifs filesystem is mounted with the "multiuser" option, and does
|
|
not use krb5 authentication, it needs to be able to get the credentials
|
|
-for each user from somewhere. The \ **cifscreds**\ program is the tool used
|
|
+for each user from somewhere. The ``cifscreds`` program is the tool used
|
|
to provide these credentials to the kernel.
|
|
|
|
The first non-option argument to cifscreds is a command (see the
|
|
-\ **COMMANDS**\ section below). The second non-option argument is a hostname
|
|
+`COMMANDS`_ section below). The second non-option argument is a hostname
|
|
or address, or an NT domain name.
|
|
|
|
-
|
|
********
|
|
COMMANDS
|
|
********
|
|
|
|
+add
|
|
+ Add credentials to the kernel to be used for connecting to the given
|
|
+ server, or servers in the given domain.
|
|
|
|
+clear
|
|
+ Clear credentials for a particular host or domain from the kernel.
|
|
|
|
-\ **add**\
|
|
-
|
|
- Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain.
|
|
-
|
|
-
|
|
-
|
|
-\ **clear**\
|
|
-
|
|
- Clear credentials for a particular host or domain from the kernel.
|
|
-
|
|
-
|
|
-
|
|
-\ **clearall**\
|
|
-
|
|
- Clear all cifs credentials from the kernel.
|
|
-
|
|
-
|
|
-
|
|
-\ **update**\
|
|
-
|
|
- Update stored credentials in the kernel with a new username and
|
|
- password.
|
|
-
|
|
-
|
|
+clearall
|
|
+ Clear all cifs credentials from the kernel.
|
|
|
|
+update
|
|
+ Update stored credentials in the kernel with a new username and
|
|
+ password.
|
|
|
|
*******
|
|
OPTIONS
|
|
*******
|
|
|
|
+-d, --domain
|
|
+ The provided host/domain argument is a NT domainname.
|
|
|
|
+ Ordinarily the second argument provided to cifscreds is treated as a
|
|
+ hostname or IP address. This option causes the cifscreds program to
|
|
+ treat that argument as an NT domainname instead.
|
|
|
|
-\ **-d**\ , \ **--domain**\
|
|
-
|
|
- The provided host/domain argument is a NT domainname.
|
|
-
|
|
- Ordinarily the second argument provided to cifscreds is treated as a
|
|
- hostname or IP address. This option causes the cifscreds program to
|
|
- treat that argument as an NT domainname instead.
|
|
-
|
|
- If there are not host specific credentials for the mounted server, then
|
|
- the kernel will next look for a set of domain credentials equivalent to
|
|
- the domain= option provided at mount time.
|
|
-
|
|
-
|
|
-
|
|
-\ **-u**\ , \ **--username**\
|
|
-
|
|
- Ordinarily, the username is derived from the unix username of the user
|
|
- adding the credentials. This option allows the user to substitute a
|
|
- different username.
|
|
-
|
|
-
|
|
+ If there are not host specific credentials for the mounted server, then
|
|
+ the kernel will next look for a set of domain credentials equivalent to
|
|
+ the domain= option provided at mount time.
|
|
|
|
+-u, --username
|
|
+ Ordinarily, the username is derived from the unix username of the user
|
|
+ adding the credentials. This option allows the user to substitute a
|
|
+ different username.
|
|
|
|
*****
|
|
NOTES
|
|
*****
|
|
|
|
-
|
|
The cifscreds utility requires a kernel built with support for the
|
|
-\ **login**\ key type. That key type was added in v3.3 in mainline Linux
|
|
+``login`` key type. That key type was added in v3.3 in mainline Linux
|
|
kernels.
|
|
|
|
-Since \ **cifscreds**\ adds keys to the session keyring, it is highly
|
|
-recommended that one use \ **pam_keyinit**\ to ensure that a session keyring
|
|
+Since ``cifscreds`` adds keys to the session keyring, it is highly
|
|
+recommended that one use ``pam_keyinit`` to ensure that a session keyring
|
|
is established at login time.
|
|
|
|
-
|
|
********
|
|
SEE ALSO
|
|
********
|
|
|
|
-
|
|
pam_keyinit(8)
|
|
|
|
-
|
|
*******
|
|
AUTHORS
|
|
*******
|
|
|
|
-
|
|
The cifscreds program was originally developed by Igor Druzhinin
|
|
<jaxbrigs@gmail.com>. This manpage and a redesign of the code was done
|
|
by Jeff Layton <jlayton@samba.org>.
|
|
-
|
|
diff --git a/getcifsacl.rst.in b/getcifsacl.rst.in
|
|
index 42af258..21a10cd 100644
|
|
--- a/getcifsacl.rst.in
|
|
+++ b/getcifsacl.rst.in
|
|
@@ -7,80 +7,60 @@ Userspace helper to display an ACL in a security descriptor for Common Internet
|
|
--------------------------------------------------------------------------------------------------
|
|
:Manual section: 1
|
|
|
|
-
|
|
********
|
|
SYNOPSIS
|
|
********
|
|
|
|
-
|
|
-getcifsacl [-v|-r] {file system object}
|
|
-
|
|
+ getcifsacl [-v|-r] {file system object}
|
|
|
|
***********
|
|
DESCRIPTION
|
|
***********
|
|
|
|
-
|
|
This tool is part of the cifs-utils suite.
|
|
|
|
-getcifsacl is a userspace helper program for the Linux CIFS client
|
|
+``getcifsacl`` is a userspace helper program for the Linux CIFS client
|
|
file system. It is intended to display a security descriptor including
|
|
ACL for a file system object.
|
|
|
|
This program uses a plugin to handle the mapping of SIDs to user and
|
|
-group names. \ *@pluginpath@*\ should be a symlink that points to the
|
|
+group names. *@pluginpath@* should be a symlink that points to the
|
|
correct plugin to use.
|
|
|
|
Fields of an ACE such as SID, type, flags, and mask are displayed
|
|
-separated by /. Numeric values of type, flags, and mask are displayed
|
|
+separated by /. Numeric values of type, flags, and mask are displayed
|
|
in hexadecimal format.
|
|
|
|
-
|
|
*******
|
|
OPTIONS
|
|
*******
|
|
|
|
+-v
|
|
+ Print version number and exit.
|
|
|
|
-
|
|
-\ **-v**\
|
|
-
|
|
- Print version number and exit.
|
|
-
|
|
-
|
|
-
|
|
-\ **-r**\
|
|
-
|
|
- Display a security descriptor in raw mode. Values such as type and
|
|
- flags are displayed in hexadecimal format, a SID is not mapped to a
|
|
- name.
|
|
-
|
|
-
|
|
-
|
|
+-r
|
|
+ Display a security descriptor in raw mode. Values such as type and
|
|
+ flags are displayed in hexadecimal format, a SID is not mapped to a
|
|
+ name.
|
|
|
|
*****
|
|
NOTES
|
|
*****
|
|
|
|
-
|
|
Kernel support for getcifsacl/setcifsacl utilities was initially
|
|
introduced in the 2.6.37 kernel.
|
|
|
|
-
|
|
********
|
|
SEE ALSO
|
|
********
|
|
|
|
-
|
|
mount.cifs(8), setcifsacl(1)
|
|
|
|
-
|
|
******
|
|
AUTHOR
|
|
******
|
|
|
|
-
|
|
Shirish Pargaonkar wrote the getcifsacl program.
|
|
|
|
The Linux CIFS Mailing list is the preferred place to ask questions
|
|
regarding these programs.
|
|
-
|
|
diff --git a/idmapwb.rst.in b/idmapwb.rst.in
|
|
index 4d7fd62..c03e4ca 100644
|
|
--- a/idmapwb.rst.in
|
|
+++ b/idmapwb.rst.in
|
|
@@ -7,31 +7,28 @@ winbind ID mapping plugin for cifs-utils
|
|
----------------------------------------
|
|
:Manual section: 8
|
|
|
|
-
|
|
***********
|
|
DESCRIPTION
|
|
***********
|
|
|
|
-
|
|
This plugin allows the utilities in cifs-utils to work in conjuction with
|
|
the winbind facility of Samba suite. It handles several functions including
|
|
mapping UID and GID to SIDs and vice versa.
|
|
|
|
Utilities are usually configured to use the correct plugin by creating a
|
|
-symlink at @pluginpath@ that points to the correct plugin that you wish
|
|
+symlink at *@pluginpath@* that points to the correct plugin that you wish
|
|
to use.
|
|
|
|
-This plugin requires that \ **winbindd(8)**\ be properly configured and running.
|
|
+This plugin requires that winbindd(8) be properly configured and running.
|
|
|
|
-
|
|
-*******************************************************************************
|
|
+********
|
|
SEE ALSO
|
|
-*******************************************************************************
|
|
-getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8)
|
|
-
|
|
+********
|
|
|
|
+getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8)
|
|
|
|
-*****************************************************************
|
|
+******
|
|
AUTHOR
|
|
-*****************************************************************
|
|
+******
|
|
+
|
|
idmapwb.so was written by Jeff Layton <jlayton@samba.org>
|
|
diff --git a/mount.cifs.rst b/mount.cifs.rst
|
|
index a81c6c4..c0f0bdb 100644
|
|
--- a/mount.cifs.rst
|
|
+++ b/mount.cifs.rst
|
|
@@ -47,7 +47,6 @@ unmounted (usually via the ``umount`` utility).
|
|
OPTIONS
|
|
*******
|
|
|
|
-
|
|
username=arg|user=arg
|
|
specifies the username to connect as. If this is not
|
|
given, then the environment variable USER is used.
|
|
@@ -84,9 +83,9 @@ credentials=filename|cred=filename
|
|
password=value
|
|
domain=value
|
|
|
|
- This is preferred over having passwords in plaintext in a shared file,
|
|
- such as ``/etc/fstab`` . Be sure to protect any credentials file
|
|
- properly.
|
|
+ This is preferred over having passwords in plaintext in a shared file,
|
|
+ such as */etc/fstab* . Be sure to protect any credentials file
|
|
+ properly.
|
|
|
|
uid=arg
|
|
sets the uid that will own all files or directories on the mounted
|
|
@@ -558,7 +557,7 @@ It's generally preferred to use forward slashes (/) as a delimiter in
|
|
service names. They are considered to be the "universal delimiter"
|
|
since they are generally not allowed to be embedded within path
|
|
components on Windows machines and the client can convert them to
|
|
-backslashes (\) unconditionally. Conversely, backslash characters are
|
|
+backslashes (\\) unconditionally. Conversely, backslash characters are
|
|
allowed by POSIX to be part of a path component, and can't be
|
|
automatically converted in the same way.
|
|
|
|
diff --git a/pam_cifscreds.rst b/pam_cifscreds.rst
|
|
index 8e8308c..4e89bfd 100644
|
|
--- a/pam_cifscreds.rst
|
|
+++ b/pam_cifscreds.rst
|
|
@@ -7,110 +7,83 @@ PAM module to manage NTLM credentials in kernel keyring
|
|
-------------------------------------------------------
|
|
:Manual section: 8
|
|
|
|
-
|
|
********
|
|
SYNOPSIS
|
|
********
|
|
|
|
-
|
|
Edit the PAM configuration files for the systems that you want to
|
|
-automatically register NTLM credentials for, e.g. /etc/pam.d/login,
|
|
-and modify as follows:
|
|
-
|
|
-
|
|
-.. code-block:: perl
|
|
+automatically register NTLM credentials for, e.g. */etc/pam.d/login*,
|
|
+and modify as follows::
|
|
|
|
...
|
|
auth substack system-auth
|
|
+++ auth optional pam_cifscreds.so
|
|
auth include postlogin
|
|
...
|
|
-
|
|
+
|
|
...
|
|
session include system-auth
|
|
+++ session optional pam_cifscreds.so domain=DOMAIN
|
|
session include postlogin
|
|
...
|
|
|
|
-
|
|
Change DOMAIN to the name of you Windows domain, or use host= as
|
|
described below.
|
|
|
|
-
|
|
***********
|
|
DESCRIPTION
|
|
***********
|
|
|
|
-
|
|
-The \ **pam_cifscreds**\ PAM module is a tool for automatically adding
|
|
+The ``pam_cifscreds`` PAM module is a tool for automatically adding
|
|
credentials (username and password) for the purpose of establishing
|
|
sessions in multiuser mounts.
|
|
|
|
When a cifs filesystem is mounted with the "multiuser" option, and does
|
|
not use krb5 authentication, it needs to be able to get the credentials
|
|
-for each user from somewhere. The \ **pam_cifscreds**\ module can be used
|
|
+for each user from somewhere. The ``pam_cifscreds`` module can be used
|
|
to provide these credentials to the kernel automatically at login.
|
|
|
|
In the session section of the PAM configuration file, the module can
|
|
either an NT domain name or a list of hostname or addresses.
|
|
|
|
-
|
|
*******
|
|
OPTIONS
|
|
*******
|
|
|
|
+``pam_cifscreds`` supports a couple options which can be set in the PAM
|
|
+configuration files. You must have one (and only one) of ``domain=`` or
|
|
+``host=``.
|
|
|
|
-\ **pam_cifscreds**\ supports a couple options which can be set in the PAM
|
|
-configuration files. You must have one (and only one) of domain= or
|
|
-host=.
|
|
-
|
|
-
|
|
-\ **debug**\
|
|
-
|
|
- Turns on some extra debug logging.
|
|
-
|
|
-
|
|
-
|
|
-\ **domain**\ =<NT domain name>
|
|
-
|
|
- Credentials will be added for the specified NT domain name.
|
|
-
|
|
-
|
|
-
|
|
-\ **host**\ =<hostname or IP address>[,...]
|
|
-
|
|
- Credentials will be added for the specified hostnames or IP addresses.
|
|
-
|
|
+debug
|
|
+ Turns on some extra debug logging.
|
|
|
|
+domain=<NT domain name>
|
|
+ Credentials will be added for the specified NT domain name.
|
|
|
|
+host=<hostname or IP address>[,...]
|
|
+ Credentials will be added for the specified hostnames or IP addresses.
|
|
|
|
*****
|
|
NOTES
|
|
*****
|
|
|
|
-
|
|
The pam_cifscreds PAM module requires a kernel built with support for
|
|
-the \ **login**\ key type. That key type was added in v3.3 in mainline Linux
|
|
+the ``login`` key type. That key type was added in v3.3 in mainline Linux
|
|
kernels.
|
|
|
|
-Since \ **pam_cifscreds**\ adds keys to the session keyring, it is highly
|
|
-recommended that one use \ **pam_keyinit**\ to ensure that a session keyring
|
|
+Since ``pam_cifscreds`` adds keys to the session keyring, it is highly
|
|
+recommended that one use ``pam_keyinit`` to ensure that a session keyring
|
|
is established at login time.
|
|
|
|
-
|
|
********
|
|
SEE ALSO
|
|
********
|
|
|
|
-
|
|
cifscreds(1), pam_keyinit(8)
|
|
|
|
-
|
|
******
|
|
AUTHOR
|
|
******
|
|
|
|
-
|
|
The pam_cifscreds PAM module was developed by Orion Poplawski
|
|
<orion@nwra.com>.
|
|
-
|
|
diff --git a/setcifsacl.rst.in b/setcifsacl.rst.in
|
|
index ea981e2..de9c758 100644
|
|
--- a/setcifsacl.rst.in
|
|
+++ b/setcifsacl.rst.in
|
|
@@ -7,179 +7,110 @@ Userspace helper to alter an ACL in a security descriptor for Common Internet Fi
|
|
------------------------------------------------------------------------------------------------
|
|
:Manual section: 1
|
|
|
|
-
|
|
********
|
|
SYNOPSIS
|
|
********
|
|
|
|
-
|
|
-setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object}
|
|
-
|
|
+ setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object}
|
|
|
|
***********
|
|
DESCRIPTION
|
|
***********
|
|
|
|
-
|
|
This tool is part of the cifs-utils suite.
|
|
|
|
-\ **setcifsacl**\ is a userspace helper program for the Linux CIFS client
|
|
-file system. It is intended to alter an ACL of a security descriptor
|
|
-for a file system object. Whether a security descriptor to be set is
|
|
+``setcifsacl`` is a userspace helper program for the Linux CIFS client
|
|
+file system. It is intended to alter an ACL of a security descriptor
|
|
+for a file system object. Whether a security descriptor to be set is
|
|
applied or not is determined by the CIFS/SMB server.
|
|
|
|
This program uses a plugin to handle the mapping of user and group
|
|
-names to SIDs. ``@pluginpath@`` should be a symlink that points to the
|
|
+names to SIDs. *@pluginpath@* should be a symlink that points to the
|
|
correct plugin to use.
|
|
|
|
-
|
|
*******
|
|
OPTIONS
|
|
*******
|
|
|
|
+-h
|
|
+ Print usage message and exit.
|
|
|
|
+-v
|
|
+ Print version number and exit.
|
|
|
|
-\ **-h**\
|
|
-
|
|
- Print usage message and exit.
|
|
-
|
|
-
|
|
-
|
|
-\ **-v**\
|
|
-
|
|
- Print version number and exit.
|
|
-
|
|
+-a
|
|
+ Add one or more ACEs to an ACL of a security descriptor. An ACE is
|
|
+ added even if the same ACE exists in the ACL.
|
|
|
|
+-D
|
|
+ Delete one or more ACEs from an ACL of a security descriptor. Entire
|
|
+ ACE has to match in an existing ACL for the listed ACEs to be deleted.
|
|
|
|
-\ **-a**\
|
|
-
|
|
- Add one or more ACEs to an ACL of a security descriptor. An ACE is
|
|
- added even if the same ACE exists in the ACL.
|
|
-
|
|
+-M
|
|
+ Modify one or more ACEs from an ACL of a security descriptor. SID and
|
|
+ type are used to match for existing ACEs to be modified with the list
|
|
+ of ACEs specified.
|
|
|
|
+-S
|
|
+ Set an ACL of security descriptor with the list of ACEs Existing ACL
|
|
+ is replaced entirely with the specified ACEs.
|
|
|
|
-\ **-D**\
|
|
-
|
|
- Delete one or more ACEs from an ACL of a security descriptor. Entire
|
|
- ACE has to match in an existing ACL for the listed ACEs to be deleted.
|
|
-
|
|
-
|
|
-
|
|
-\ **-M**\
|
|
-
|
|
- Modify one or more ACEs from an ACL of a security descriptor. SID and
|
|
- type are used to match for existing ACEs to be modified with the list
|
|
- of ACEs specified.
|
|
-
|
|
-
|
|
-
|
|
-\ **-S**\
|
|
-
|
|
- Set an ACL of security descriptor with the list of ACEs Existing ACL
|
|
- is replaced entirely with the specified ACEs.
|
|
-
|
|
- Every ACE entry starts with "ACL:" One or more ACEs are specified
|
|
- within double quotes. Multiple ACEs are separated by a comma.
|
|
-
|
|
- Following fields of an ACE can be modified with possible values:
|
|
-
|
|
-
|
|
- \ **SID**\ - Either a name or a raw SID value.
|
|
-
|
|
-
|
|
-
|
|
- \ **type**\ - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6)
|
|
-
|
|
-
|
|
-
|
|
- \ **flags**\ - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or
|
|
- 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10)
|
|
- or a combination/OR of these values.
|
|
-
|
|
-
|
|
-
|
|
- \ **mask**\ - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value
|
|
-
|
|
-
|
|
-
|
|
+ Every ACE entry starts with "ACL:" One or more ACEs are specified
|
|
+ within double quotes. Multiple ACEs are separated by a comma.
|
|
|
|
+ Following fields of an ACE can be modified with possible values:
|
|
|
|
+ - ``SID`` - Either a name or a raw SID value.
|
|
+ - ``type`` - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6)
|
|
+ - ``flags`` - OBJECT_INHERIT_FLAG (OI or 0x1),
|
|
+ CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI
|
|
+ or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or
|
|
+ 0x10) or a combination/OR of these values.
|
|
+ - ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value.
|
|
|
|
********
|
|
EXAMPLES
|
|
********
|
|
|
|
-
|
|
Add an ACE
|
|
==========
|
|
|
|
-
|
|
-
|
|
-.. code-block:: perl
|
|
-
|
|
- setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name>
|
|
- setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name>
|
|
-
|
|
-
|
|
+ setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name>
|
|
+ setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name>
|
|
|
|
Delete an ACE
|
|
=============
|
|
|
|
-
|
|
-
|
|
-.. code-block:: perl
|
|
-
|
|
- setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>
|
|
-
|
|
-
|
|
+ setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>
|
|
|
|
Modify an ACE
|
|
=============
|
|
|
|
-
|
|
-
|
|
-.. code-block:: perl
|
|
-
|
|
- setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name>
|
|
-
|
|
-
|
|
+ setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name>
|
|
|
|
Set an ACL
|
|
==========
|
|
|
|
-
|
|
-
|
|
-.. code-block:: perl
|
|
-
|
|
- setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name>
|
|
-
|
|
-
|
|
-
|
|
+ setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name>
|
|
|
|
*****
|
|
NOTES
|
|
*****
|
|
|
|
-
|
|
Kernel support for getcifsacl/setcifsacl utilities was initially
|
|
introduced in the 2.6.37 kernel.
|
|
|
|
-
|
|
********
|
|
SEE ALSO
|
|
********
|
|
|
|
-
|
|
mount.cifs(8), getcifsacl(1)
|
|
|
|
-
|
|
******
|
|
AUTHOR
|
|
******
|
|
|
|
-
|
|
Shirish Pargaonkar wrote the setcifsacl program.
|
|
|
|
The Linux CIFS Mailing list is the preferred place to ask questions
|
|
regarding these programs.
|
|
-
|
|
--
|
|
2.13.7
|
|
|