1CIFS.UPCALL(8)            System Administration tools           CIFS.UPCALL(8)
2
3
4

NAME

6       cifs.upcall - Userspace upcall helper for Common Internet File System
7       (CIFS)
8

SYNOPSIS

10       cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
11        [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
12        [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}
13

DESCRIPTION

15       This tool is part of the cifs-utils suite.
16
17       cifs.upcall is a userspace helper program for the linux CIFS client
18       filesystem. There are a number of activities that the kernel cannot
19       easily do itself. This program is a callout program that does these
20       things for the kernel and then returns the result.
21
22       cifs.upcall is generally intended to be run when the kernel calls
23       request-key(8) for a particular key type. While it can be run directly
24       from the command-line, it´s not generally intended to be run that way.
25

OPTIONS

27       -c
28           This option is deprecated and is currently ignored.
29
30       --krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf
31           This option allows administrators to set an alternate location for
32           the krb5.conf file that cifs.upcall will use.
33
34       --keytab=/path/to/keytab|-K /path/to/keytab
35           This option allows administrators to specify a keytab file to be
36           used. When a user has no credential cache already established,
37           cifs.upcall will attempt to use this keytab to acquire them. The
38           default is the system-wide keytab /etc/krb5.keytab.
39
40       --trust-dns|-t
41           With krb5 upcalls, the name used as the host portion of the service
42           principal defaults to the hostname portion of the UNC. This option
43           allows the upcall program to reverse resolve the network address of
44           the server in order to get the hostname.
45
46           This is less secure than not trusting DNS. When using this option,
47           it´s possible that an attacker could get control of DNS and trick
48           the client into mounting a different server altogether. It´s
49           preferable to instead add server principals to the KDC for every
50           possible hostname, but this option exists for cases where that
51           isn´t possible. The default is to not trust reverse hostname
52           lookups in this fashion.
53
54       --legacy-uid|-l
55           Traditionally, the kernel has sent only a single uid= parameter to
56           the upcall for the SPNEGO upcall that´s used to determine what
57           user's credential cache to use. This parameter is affected by the
58           uid= mount option, which also governs the ownership of files on the
59           mount.
60
61           Newer kernels send a creduid= option as well, which contains what
62           uid it thinks actually owns the credentials that it´s looking for.
63           At mount time, this is generally set to the real uid of the user
64           doing the mount. For multisession mounts, it's set to the fsuid of
65           the mount user. Set this option if you want cifs.upcall to use the
66           older uid= parameter instead of the creduid= parameter.
67
68       --version|-v
69           Print version number and exit.
70

CONFIGURATION FOR KEYCTL

72       cifs.upcall is designed to be called from the kernel via the
73       request-key callout program. This requires that request-key be told
74       where and how to call this program. The current cifs.upcall program
75       handles two different key types:
76
77       cifs.spnego
78           This keytype is for retrieving kerberos session keys
79
80       dns_resolver
81           This key type is for resolving hostnames into IP addresses. Support
82           for this key type may eventually be deprecated (see below).
83
84       To make this program useful for CIFS, you´ll need to set up entries for
85       them in request-key.conf(5). Here´s an example of an entry for each key
86       type:
87
88           #OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
89           #=========  =============  = = ================================
90           create      cifs.spnego    * * /usr/sbin/cifs.upcall %k
91           create      dns_resolver   * * /usr/sbin/cifs.upcall %k
92
93       See request-key.conf(5) for more info on each field.
94
95       The keyutils package has also started including a dns_resolver handling
96       program as well that is preferred over the one in cifs.upcall. If you
97       are using a keyutils version equal to or greater than 1.5, you should
98       use key.dns_resolver to handle the dns_resolver keytype instead of
99       cifs.upcall. See key.dns_resolver(8) for more info.
100

SEE ALSO

102       request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
103

AUTHOR

105       Igor Mammedov wrote the cifs.upcall program.
106
107       Jeff Layton authored this manpage.
108
109       The maintainer of the Linux CIFS VFS is Steve French.
110
111       The Linux CIFS Mailing list is the preferred place to ask questions
112       regarding these programs.
113
114
115
116cifs-utils                        02/07/2010                    CIFS.UPCALL(8)
Impressum