1MOUNT.CIFS(8) MOUNT.CIFS(8)
2
3
4
6 mount.cifs - mount using the Common Internet File System (CIFS)
7
9 mount.cifs {service} {mount-point} [-o options]
10
11 This tool is part of the cifs-utils suite.
12
13 mount.cifs mounts a Linux CIFS filesystem. It is usually invoked indi‐
14 rectly by the mount(8) command when using the "-t cifs" option. This
15 command only works in Linux, and the kernel must support the cifs
16 filesystem. The CIFS protocol is the successor to the SMB protocol and
17 is supported by most Windows servers and many other commercial servers
18 and Network Attached Storage appliances as well as by the popular Open
19 Source server Samba.
20
21 The mount.cifs utility attaches the UNC name (exported network
22 resource) specified as service (using //server/share syntax, where
23 "server" is the server name or IP address and "share" is the name of
24 the share) to the local directory mount-point.
25
26 Options to mount.cifs are specified as a comma-separated list of
27 key=value pairs. It is possible to send options other than those listed
28 here, assuming that the cifs filesystem kernel module (cifs.ko) sup‐
29 ports them. Unrecognized cifs mount options passed to the cifs vfs ker‐
30 nel code will be logged to the kernel log.
31
32 mount.cifs causes the cifs vfs to launch a thread named cifsd. After
33 mounting it keeps running until the mounted resource is unmounted (usu‐
34 ally via the umount utility).
35
36 mount.cifs -V command displays the version of cifs mount helper.
37
38 modinfo cifs command displays the version of cifs module.
39
41 username=arg|user=arg
42 specifies the username to connect as. If this is not given, then
43 the environment variable USER is used.
44
45 Earlier versions of mount.cifs also allowed one to specify the
46 username in a user%password or workgroup/user or work‐
47 group/user%password to allow the password and workgroup to be
48 specified as part of the username. Support for those alternate
49 username formats is now deprecated and should no longer be used.
50 Users should use the discrete password= and domain= to specify
51 those values. While some versions of the cifs kernel module
52 accept user= as an abbreviation for this option, its use can
53 confuse the standard mount program into thinking that this is a
54 non-superuser mount. It is therefore recommended to use the full
55 username= option name.
56
57 password=arg|pass=arg
58 specifies the CIFS password. If this option is not given then
59 the environment variable PASSWD is used. If the password is not
60 specified directly or indirectly via an argument to mount,
61 mount.cifs will prompt for a password, unless the guest option
62 is specified.
63
64 Note that a password which contains the delimiter character
65 (i.e. a comma ',') will fail to be parsed correctly on the com‐
66 mand line. However, the same password defined in the PASSWD
67 environment variable or via a credentials file (see below) or
68 entered at the password prompt will be read correctly.
69
70 credentials=filename|cred=filename
71 specifies a file that contains a username and/or password and
72 optionally the name of the workgroup. The format of the file
73 is:
74
75 username=value
76 password=value
77 domain=value
78
79 This is preferred over having passwords in plaintext in a shared
80 file, such as /etc/fstab . Be sure to protect any credentials
81 file properly.
82
83 uid=arg
84 sets the uid that will own all files or directories on the
85 mounted filesystem when the server does not provide ownership
86 information. It may be specified as either a username or a
87 numeric uid. When not specified, the default is uid 0. The
88 mount.cifs helper must be at version 1.10 or higher to support
89 specifying the uid in non-numeric form. See the section on FILE
90 AND DIRECTORY OWNERSHIP AND PERMISSIONS below for more informa‐
91 tion.
92
93 forceuid
94 instructs the client to ignore any uid provided by the server
95 for files and directories and to always assign the owner to be
96 the value of the uid= option. See the section on FILE AND DIREC‐
97 TORY OWNERSHIP AND PERMISSIONS below for more information.
98
99 cruid=arg
100 sets the uid of the owner of the credentials cache. This is pri‐
101 marily useful with sec=krb5. The default is the real uid of the
102 process performing the mount. Setting this parameter directs the
103 upcall to look for a credentials cache owned by that user.
104
105 gid=arg
106 sets the gid that will own all files or directories on the
107 mounted filesystem when the server does not provide ownership
108 information. It may be specified as either a groupname or a
109 numeric gid. When not specified, the default is gid 0. The
110 mount.cifs helper must be at version 1.10 or higher to support
111 specifying the gid in non-numeric form. See the section on FILE
112 AND DIRECTORY OWNERSHIP AND PERMISSIONS below for more informa‐
113 tion.
114
115 forcegid
116 instructs the client to ignore any gid provided by the server
117 for files and directories and to always assign the owner to be
118 the value of the gid= option. See the section on FILE AND DIREC‐
119 TORY OWNERSHIP AND PERMISSIONS below for more information.
120
121 port=arg
122 sets the port number on which the client will attempt to contact
123 the CIFS server. If this value is specified, look for an exist‐
124 ing connection with this port, and use that if one exists. If
125 one doesn't exist, try to create a new connection on that port.
126 If that connection fails, return an error. If this value isn't
127 specified, look for an existing connection on port 445 or 139.
128 If no such connection exists, try to connect on port 445 first
129 and then port 139 if that fails. Return an error if both fail.
130
131 servernetbiosname=arg
132 Specify the server netbios name (RFC1001 name) to use when
133 attempting to setup a session to the server. Although rarely
134 needed for mounting to newer servers, this option is needed for
135 mounting to some older servers (such as OS/2 or Windows 98 and
136 Windows ME) since when connecting over port 139 they, unlike
137 most newer servers, do not support a default server name. A
138 server name can be up to 15 characters long and is usually
139 uppercased.
140
141 servern=arg
142 Synonym for servernetbiosname
143
144 netbiosname=arg
145 When mounting to servers via port 139, specifies the RFC1001
146 source name to use to represent the client netbios machine name
147 when doing the RFC1001 netbios session initialize.
148
149 file_mode=arg
150 If the server does not support the CIFS Unix extensions this
151 overrides the default file mode.
152
153 dir_mode=arg
154 If the server does not support the CIFS Unix extensions this
155 overrides the default mode for directories.
156
157 ip=arg|addr=arg
158 sets the destination IP address. This option is set automati‐
159 cally if the server name portion of the requested UNC name can
160 be resolved so rarely needs to be specified by the user.
161
162 domain=arg|dom=arg|workgroup=arg
163 sets the domain (workgroup) of the user.
164
165 guest don't prompt for a password.
166
167 iocharset
168 Charset used to convert local path names to and from Unicode.
169 Unicode is used by default for network path names if the server
170 supports it. If iocharset is not specified then the nls_default
171 specified during the local client kernel build will be used. If
172 server does not support Unicode, this parameter is unused.
173
174 ro mount read-only.
175
176 rw mount read-write.
177
178 setuids
179 If the CIFS Unix extensions are negotiated with the server the
180 client will attempt to set the effective uid and gid of the
181 local process on newly created files, directories, and devices
182 (create, mkdir, mknod). If the CIFS Unix Extensions are not
183 negotiated, for newly created files and directories instead of
184 using the default uid and gid specified on the the mount, cache
185 the new file's uid and gid locally which means that the uid for
186 the file can change when the inode is reloaded (or the user
187 remounts the share).
188
189 nosetuids
190 The client will not attempt to set the uid and gid on on newly
191 created files, directories, and devices (create, mkdir, mknod)
192 which will result in the server setting the uid and gid to the
193 default (usually the server uid of the user who mounted the
194 share). Letting the server (rather than the client) set the uid
195 and gid is the default. If the CIFS Unix Extensions are not
196 negotiated then the uid and gid for new files will appear to be
197 the uid (gid) of the mounter or the uid (gid) parameter speci‐
198 fied on the mount.
199
200 perm Client does permission checks (vfs_permission check of uid and
201 gid of the file against the mode and desired operation), Note
202 that this is in addition to the normal ACL check on the target
203 machine done by the server software. Client permission checking
204 is enabled by default.
205
206 noperm Client does not do permission checks. This can expose files on
207 this mount to access by other users on the local client system.
208 It is typically only needed when the server supports the CIFS
209 Unix Extensions but the UIDs/GIDs on the client and server sys‐
210 tem do not match closely enough to allow access by the user
211 doing the mount. Note that this does not affect the normal ACL
212 check on the target machine done by the server software (of the
213 server ACL against the user name provided at mount time).
214
215 dynperm
216 Instructs the server to maintain ownership and permissions in
217 memory that can't be stored on the server. This information can
218 disappear at any time (whenever the inode is flushed from the
219 cache), so while this may help make some applications work, it's
220 behavior is somewhat unreliable. See the section below on FILE
221 AND DIRECTORY OWNERSHIP AND PERMISSIONS for more information.
222
223 cache=arg
224 Cache mode. See the section below on CACHE COHERENCY for
225 details. Allowed values are:
226
227 · none - do not cache file data at all
228
229 · strict - follow the CIFS/SMB2 protocol strictly
230
231 · loose - allow loose caching semantics
232
233 The default in kernels prior to 3.7 was loose. As of kernel 3.7
234 the default is strict.
235
236 directio
237 Do not do inode data caching on files opened on this mount. This
238 precludes mmaping files on this mount. In some cases with fast
239 networks and little or no caching benefits on the client (e.g.
240 when the application is doing large sequential reads bigger than
241 page size without rereading the same data) this can provide bet‐
242 ter performance than the default behavior which caches reads
243 (readahead) and writes (writebehind) through the local Linux
244 client pagecache if oplock (caching token) is granted and held.
245 Note that direct allows write operations larger than page size
246 to be sent to the server. On some kernels this requires the
247 cifs.ko module to be built with the CIFS_EXPERIMENTAL configure
248 option.
249
250 This option is will be deprecated in 3.7. Users should use
251 cache=none instead on more recent kernels.
252
253 strictcache
254 Use for switching on strict cache mode. In this mode the client
255 reads from the cache all the time it has Oplock Level II , oth‐
256 erwise - read from the server. As for write - the client stores
257 a data in the cache in Exclusive Oplock case, otherwise - write
258 directly to the server.
259
260 This option is will be deprecated in 3.7. Users should use
261 cache=strict instead on more recent kernels.
262
263 rwpidforward
264 Forward pid of a process who opened a file to any read or write
265 operation on that file. This prevent applications like wine(1)
266 from failing on read and write if we use mandatory brlock style.
267
268 mapchars
269 Translate six of the seven reserved characters (not backslash,
270 but including the colon, question mark, pipe, asterik, greater
271 than and less than characters) to the remap range (above
272 0xF000), which also allows the CIFS client to recognize files
273 created with such characters by Windows's POSIX emulation. This
274 can also be useful when mounting to most versions of Samba
275 (which also forbids creating and opening files whose names con‐
276 tain any of these seven characters). This has no effect if the
277 server does not support Unicode on the wire. Please note that
278 the files created with mapchars mount option may not be accessi‐
279 ble if the share is mounted without that option.
280
281 nomapchars
282 (default) Do not translate any of these seven characters.
283
284 intr currently unimplemented.
285
286 nointr (default) currently unimplemented.
287
288 hard The program accessing a file on the cifs mounted file system
289 will hang when the server crashes.
290
291 soft (default) The program accessing a file on the cifs mounted file
292 system will not hang when the server crashes and will return
293 errors to the user application.
294
295 noacl Do not allow POSIX ACL operations even if server would support
296 them.
297
298 The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to
299 Samba servers version 3.0.10 and later. Setting POSIX ACLs
300 requires enabling both CIFS_XATTR and then CIFS_POSIX support in
301 the CIFS configuration options when building the cifs module.
302 POSIX ACL support can be disabled on a per mount basis by speci‐
303 fying noacl on mount.
304
305 cifsacl
306 This option is used to map CIFS/NTFS ACLs to/from Linux permis‐
307 sion bits, map SIDs to/from UIDs and GIDs, and get and set Secu‐
308 rity Descriptors.
309
310 See section on CIFS/NTFS ACL, SID/UID/GID MAPPING, SECURITY
311 DESCRIPTORS for more information.
312
313 backupuid=arg
314 File access by this user shall be done with the backup intent
315 flag set. Either a name or an id must be provided as an argu‐
316 ment, there are no default values.
317
318 See section ACCESSING FILES WITH BACKUP INTENT for more details.
319
320 backupgid=arg
321 File access by users who are members of this group shall be done
322 with the backup intent flag set. Either a name or an id must be
323 provided as an argument, there are no default values.
324
325 See section ACCESSING FILES WITH BACKUP INTENT for more details.
326
327 nocase Request case insensitive path name matching (case sensitive is
328 the default if the server supports it).
329
330 ignorecase
331 Synonym for nocase.
332
333 sec=arg
334 Security mode. Allowed values are:
335
336 · none - attempt to connection as a null user (no name)
337
338 · krb5 - Use Kerberos version 5 authentication
339
340 · krb5i - Use Kerberos authentication and forcibly enable packet
341 signing
342
343 · ntlm - Use NTLM password hashing
344
345 · ntlmi - Use NTLM password hashing and force packet signing
346
347 · ntlmv2 - Use NTLMv2 password hashing
348
349 · ntlmv2i - Use NTLMv2 password hashing and force packet signing
350
351 · ntlmssp - Use NTLMv2 password hashing encapsulated in Raw
352 NTLMSSP message
353
354 · ntlmsspi - Use NTLMv2 password hashing encapsulated in Raw
355 NTLMSSP message, and force packet signing
356
357 The default in mainline kernel versions prior to v3.8 was
358 sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.
359
360 If the server requires signing during protocol negotiation, then
361 it may be enabled automatically. Packet signing may also be
362 enabled automatically if it's enabled in /proc/fs/cifs/Securi‐
363 tyFlags.
364
365 seal Request encryption at the SMB layer. Encryption is only sup‐
366 ported in SMBv3 and above. The encryption algorithm used is
367 AES-128-CCM.
368
369 nobrl Do not send byte range lock requests to the server. This is nec‐
370 essary for certain applications that break with cifs style
371 mandatory byte range locks (and most cifs servers do not yet
372 support requesting advisory byte range locks).
373
374 sfu When the CIFS Unix Extensions are not negotiated, attempt to
375 create device files and fifos in a format compatible with Ser‐
376 vices for Unix (SFU). In addition retrieve bits 10-12 of the
377 mode via the SETFILEBITS extended attribute (as SFU does). In
378 the future the bottom 9 bits of the mode mode also will be emu‐
379 lated using queries of the security descriptor (ACL). [NB:
380 requires version 1.39 or later of the CIFS VFS. To recognize
381 symlinks and be able to create symlinks in an SFU interoperable
382 form requires version 1.40 or later of the CIFS VFS kernel mod‐
383 ule.
384
385 mfsymlinks
386 Enable support for Minshall+French symlinks (see
387 http://wiki.samba.org/index.php/UNIX_Extensions#Minshall.2BFrench_symlinks).
388 This option is ignored when specified together with the sfu
389 option. Minshall+French symlinks are used even if the server
390 supports the CIFS Unix Extensions.
391
392 echo_interval=n
393 sets the interval at which echo requests are sent to the server
394 on an idling connection. This setting also affects the time
395 required for a connection to an unresponsive server to timeout.
396 Here n is the echo interval in seconds. The reconnection happens
397 at twice the value of the echo_interval set for an unresponsive
398 server. If this option is not given then the default value of
399 60 seconds is used. The minimum tunable value is 1 second and
400 maximum can go up to 600 seconds.
401
402 serverino
403 Use inode numbers (unique persistent file identifiers) returned
404 by the server instead of automatically generating temporary
405 inode numbers on the client. Although server inode numbers make
406 it easier to spot hardlinked files (as they will have the same
407 inode numbers) and inode numbers may be persistent (which is
408 useful for some software), the server does not guarantee that
409 the inode numbers are unique if multiple server side mounts are
410 exported under a single share (since inode numbers on the
411 servers might not be unique if multiple filesystems are mounted
412 under the same shared higher level directory). Note that not all
413 servers support returning server inode numbers, although those
414 that support the CIFS Unix Extensions, and Windows 2000 and
415 later servers typically do support this (although not necessar‐
416 ily on every local server filesystem). Parameter has no effect
417 if the server lacks support for returning inode numbers or
418 equivalent. This behavior is enabled by default.
419
420 noserverino
421 Client generates inode numbers itself rather than using the
422 actual ones from the server.
423
424 See section INODE NUMBERS for more information.
425
426 nounix Disable the CIFS Unix Extensions for this mount. This can be
427 useful in order to turn off multiple settings at once. This
428 includes POSIX acls, POSIX locks, POSIX paths, symlink support
429 and retrieving uids/gids/mode from the server. This can also be
430 useful to work around a bug in a server that supports Unix
431 Extensions.
432
433 See section INODE NUMBERS for more information.
434
435 nouser_xattr
436 Do not allow getfattr/setfattr to get/set xattrs, even if server
437 would support it otherwise. The default is for xattr support to
438 be enabled.
439
440 rsize=bytes
441 Maximum amount of data that the kernel will request in a read
442 request in bytes. Prior to kernel 3.2.0, the default was 16k,
443 and the maximum size was limited by the CIFSMaxBufSize module
444 parameter. As of kernel 3.2.0, the behavior varies according to
445 whether POSIX extensions are enabled on the mount and the server
446 supports large POSIX reads. If they are, then the default is 1M,
447 and the maximum is 16M. If they are not supported by the server,
448 then the default is 60k and the maximum is around 127k. The rea‐
449 son for the 60k is because it's the maximum size read that win‐
450 dows servers can fill. Note that this value is a maximum, and
451 the client may settle on a smaller size to accommodate what the
452 server supports. In kernels prior to 3.2.0, no negotiation is
453 performed.
454
455 wsize=bytes
456 Maximum amount of data that the kernel will send in a write
457 request in bytes. Prior to kernel 3.0.0, the default and maximum
458 was 57344 (14 * 4096 pages). As of 3.0.0, the default depends on
459 whether the client and server negotiate large writes via POSIX
460 extensions. If they do, then the default is 1M, and the maximum
461 allowed is 16M. If they do not, then the default is 65536 and
462 the maximum allowed is 131007. Note that this value is just a
463 starting point for negotiation in 3.0.0 and up. The client and
464 server may negotiate this size downward according to the
465 server's capabilities. In kernels prior to 3.0.0, no negotiation
466 is performed. It can end up with an existing superblock if this
467 value isn't specified or it's greater or equal than the existing
468 one.
469
470 fsc Enable local disk caching using FS-Cache for CIFS. This option
471 could be useful to improve performance on a slow link, heavily
472 loaded server and/or network where reading from the disk is
473 faster than reading from the server (over the network). This
474 could also impact the scalability positively as the number of
475 calls to the server are reduced. But, be warned that local
476 caching is not suitable for all workloads, for e.g., read-once
477 type workloads. So, you need to consider carefully the situa‐
478 tion/workload before using this option. Currently, local disk
479 caching is enabled for CIFS files opened as read-only.
480
481 NOTE: This feature is available only in the recent kernels that
482 have been built with the kernel config option CON‐
483 FIG_CIFS_FSCACHE. You also need to have cachefilesd daemon
484 installed and running to make the cache operational.
485
486 multiuser
487 Map user accesses to individual credentials when accessing the
488 server. By default, CIFS mounts only use a single set of user
489 credentials (the mount credentials) when accessing a share. With
490 this option, the client instead creates a new session with the
491 server using the user's credentials whenever a new user accesses
492 the mount. Further accesses by that user will also use those
493 credentials. Because the kernel cannot prompt for passwords,
494 multiuser mounts are limited to mounts using sec= options that
495 don't require passwords.
496
497 With this change, it's feasible for the server to handle permis‐
498 sions enforcement, so this option also implies noperm . Further‐
499 more, when unix extensions aren't in use and the administrator
500 has not overridden ownership using the uid= or gid= options,
501 ownership of files is presented as the current user accessing
502 the share.
503
504 actimeo=arg
505 The time (in seconds) that the CIFS client caches attributes of
506 a file or directory before it requests attribute information
507 from a server. During this period the changes that occur on the
508 server remain undetected until the client checks the server
509 again.
510
511 By default, the attribute cache timeout is set to 1 second. This
512 means more frequent on-the-wire calls to the server to check
513 whether attributes have changed which could impact performance.
514 With this option users can make a tradeoff between performance
515 and cache metadata correctness, depending on workload needs.
516 Shorter timeouts mean better cache coherency, but frequent
517 increased number of calls to the server. Longer timeouts mean a
518 reduced number of calls to the server but looser cache
519 coherency. The actimeo value is a positive integer that can hold
520 values between 0 and a maximum value of 2^30 * HZ (frequency of
521 timer interrupt) setting.
522
523 noposixpaths
524 If unix extensions are enabled on a share, then the client will
525 typically allow filenames to include any character besides '/'
526 in a pathname component, and will use forward slashes as a path‐
527 name delimiter. This option prevents the client from attempting
528 to negotiate the use of posix-style pathnames to the server.
529
530 posixpaths
531 Inverse of noposixpaths .
532
533 prefixpath=arg
534 It's possible to mount a subdirectory of a share. The preferred
535 way to do this is to append the path to the UNC when mounting.
536 However, it's also possible to do the same by setting this
537 option and providing the path there.
538
539 vers=arg
540 SMB protocol version. Allowed values are:
541
542 · 1.0 - The classic CIFS/SMBv1 protocol.
543
544 · 2.0 - The SMBv2.002 protocol. This was initially introduced in
545 Windows Vista Service Pack 1, and Windows Server 2008. Note
546 that the initial release version of Windows Vista spoke a
547 slightly different dialect (2.000) that is not supported.
548
549 · 2.1 - The SMBv2.1 protocol that was introduced in Microsoft
550 Windows 7 and Windows Server 2008R2.
551
552 · 3.0 - The SMBv3.0 protocol that was introduced in Microsoft
553 Windows 8 and Windows Server 2012.
554
555 · 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in
556 Microsoft Windows Server 2016.
557
558 Note too that while this option governs the protocol version
559 used, not all features of each version are available.
560
561 The default since v4.13.5 is for the client and server to nego‐
562 tiate the highest possible version greater than or equal to 2.1.
563 In kernels prior to v4.13, the default was 1.0. For kernels
564 between v4.13 and v4.13.5 the default is 3.0.
565
566 --verbose
567 Print additional debugging information for the mount. Note that
568 this parameter must be specified before the -o . For example:
569
570 mount -t cifs //server/share /mnt --verbose -o user=username
571
573 It's generally preferred to use forward slashes (/) as a delimiter in
574 service names. They are considered to be the "universal delimiter"
575 since they are generally not allowed to be embedded within path compo‐
576 nents on Windows machines and the client can convert them to back‐
577 slashes () unconditionally. Conversely, backslash characters are
578 allowed by POSIX to be part of a path component, and can't be automati‐
579 cally converted in the same way.
580
581 mount.cifs will attempt to convert backslashes to forward slashes where
582 it's able to do so, but it cannot do so in any path component following
583 the sharename.
584
586 When Unix Extensions are enabled, we use the actual inode number pro‐
587 vided by the server in response to the POSIX calls as an inode number.
588
589 When Unix Extensions are disabled and serverino mount option is enabled
590 there is no way to get the server inode number. The client typically
591 maps the server-assigned UniqueID onto an inode number.
592
593 Note that the UniqueID is a different value from the server inode num‐
594 ber. The UniqueID value is unique over the scope of the entire server
595 and is often greater than 2 power 32. This value often makes programs
596 that are not compiled with LFS (Large File Support), to trigger a glibc
597 EOVERFLOW error as this won't fit in the target structure field. It is
598 strongly recommended to compile your programs with LFS support (i.e.
599 with -D_FILE_OFFSET_BITS=64) to prevent this problem. You can also use
600 noserverino mount option to generate inode numbers smaller than 2 power
601 32 on the client. But you may not be able to detect hardlinks properly.
602
604 With a network filesystem such as CIFS or NFS, the client must contend
605 with the fact that activity on other clients or the server could change
606 the contents or attributes of a file without the client being aware of
607 it. One way to deal with such a problem is to mandate that all file
608 accesses go to the server directly. This is performance prohibitive
609 however, so most protocols have some mechanism to allow the client to
610 cache data locally.
611
612 The CIFS protocol mandates (in effect) that the client should not cache
613 file data unless it holds an opportunistic lock (aka oplock) or a
614 lease. Both of these entities allow the client to guarantee certain
615 types of exclusive access to a file so that it can access its contents
616 without needing to continually interact with the server. The server
617 will call back the client when it needs to revoke either of them and
618 allow the client a certain amount of time to flush any cached data.
619
620 The cifs client uses the kernel's pagecache to cache file data. Any I/O
621 that's done through the pagecache is generally page-aligned. This can
622 be problematic when combined with byte-range locks as Windows' locking
623 is mandatory and can block reads and writes from occurring.
624
625 cache=none means that the client never utilizes the cache for normal
626 reads and writes. It always accesses the server directly to satisfy a
627 read or write request.
628
629 cache=strict means that the client will attempt to follow the CIFS/SMB2
630 protocol strictly. That is, the cache is only trusted when the client
631 holds an oplock. When the client does not hold an oplock, then the
632 client bypasses the cache and accesses the server directly to satisfy a
633 read or write request. By doing this, the client avoids problems with
634 byte range locks. Additionally, byte range locks are cached on the
635 client when it holds an oplock and are "pushed" to the server when that
636 oplock is recalled.
637
638 cache=loose allows the client to use looser protocol semantics which
639 can sometimes provide better performance at the expense of cache
640 coherency. File access always involves the pagecache. When an oplock or
641 lease is not held, then the client will attempt to flush the cache soon
642 after a write to a file. Note that that flush does not necessarily
643 occur before a write system call returns.
644
645 In the case of a read without holding an oplock, the client will
646 attempt to periodically check the attributes of the file in order to
647 ascertain whether it has changed and the cache might no longer be
648 valid. This mechanism is much like the one that NFSv2/3 use for cache
649 coherency, but it particularly problematic with CIFS. Windows is quite
650 "lazy" with respect to updating the LastWriteTime field that the client
651 uses to verify this. The effect is that cache=loose can cause data cor‐
652 ruption when multiple readers and writers are working on the same
653 files.
654
655 Because of this, when multiple clients are accessing the same set of
656 files, then cache=strict is recommended. That helps eliminate problems
657 with cache coherency by following the CIFS/SMB2 protocols more
658 strictly.
659
660 Note too that no matter what caching model is used, the client will
661 always use the pagecache to handle mmap'ed files. Writes to mmap'ed
662 files are only guaranteed to be flushed to the server when msync() is
663 called, or on close().
664
665 The default in kernels prior to 3.7 was loose. As of 3.7, the default
666 is strict.
667
669 This option is used to work with file objects which posses Security
670 Descriptors and CIFS/NTFS ACL instead of UID, GID, file permission
671 bits, and POSIX ACL as user authentication model. This is the most com‐
672 mon authentication model for CIFS servers and is the one used by Win‐
673 dows.
674
675 Support for this requires both CIFS_XATTR and CIFS_ACL support in the
676 CIFS configuration options when building the cifs module.
677
678 A CIFS/NTFS ACL is mapped to file permission bits using an algorithm
679 specified in the following Microsoft TechNet document:
680
681 http://technet.microsoft.com/en-us/library/bb463216.aspx
682
683 In order to map SIDs to/from UIDs and GIDs, the following is required:
684
685 · a kernel upcall to the cifs.idmap utility set up via
686 request-key.conf(5)
687
688 · winbind support configured via nsswitch.conf(5) and smb.conf(5)
689
690 Please refer to the respective manpages of cifs.idmap(8) and win‐
691 bindd(8) for more information.
692
693 Security descriptors for a file object can be retrieved and set
694 directly using extended attribute named system.cifs_acl. The security
695 descriptors presented via this interface are "raw" blobs of data and
696 need a userspace utility to either parse and format or to assemble it
697 such as getcifsacl(1) and setcifsacl(1) respectively.
698
699 Some of the things to consider while using this mount option:
700
701 · There may be an increased latency when handling metadata due to addi‐
702 tional requests to get and set security descriptors.
703
704 · The mapping between a CIFS/NTFS ACL and POSIX file permission bits is
705 imperfect and some ACL information may be lost in the translation.
706
707 · If either upcall to cifs.idmap is not setup correctly or winbind is
708 not configured and running, ID mapping will fail. In that case uid
709 and gid will default to either to those values of the share or to the
710 values of uid and/or gid mount options if specified.
711
713 For an user on the server, desired access to a file is determined by
714 the permissions and rights associated with that file. This is typically
715 accomplished using ownership and ACL. For a user who does not have
716 access rights to a file, it is still possible to access that file for a
717 specific or a targeted purpose by granting special rights. One of the
718 specific purposes is to access a file with the intent to either backup
719 or restore i.e. backup intent. The right to access a file with the
720 backup intent can typically be granted by making that user a part of
721 the built-in group Backup Operators. Thus, when this user attempts to
722 open a file with the backup intent, open request is sent by setting the
723 bit FILE_OPEN_FOR_BACKUP_INTENT as one of the CreateOptions.
724
725 As an example, on a Windows server, a user named testuser, cannot open
726 this file with such a security descriptor:
727
728 REVISION:0x1
729 CONTROL:0x9404
730 OWNER:Administrator
731 GROUP:Domain Users
732 ACL:Administrator:ALLOWED/0x0/FULL
733
734 But the user testuser, if it becomes part of the Backup Operators
735 group, can open the file with the backup intent.
736
737 Any user on the client side who can authenticate as such a user on the
738 server, can access the files with the backup intent. But it is desir‐
739 able and preferable for security reasons amongst many, to restrict this
740 special right.
741
742 The mount option backupuid is used to restrict this special right to a
743 user which is specified by either a name or an id. The mount option
744 backupgid is used to restrict this special right to the users in a
745 group which is specified by either a name or an id. Only users matching
746 either backupuid or backupgid shall attempt to access files with backup
747 intent. These two mount options can be used together.
748
750 The core CIFS protocol does not provide unix ownership information or
751 mode for files and directories. Because of this, files and directories
752 will generally appear to be owned by whatever values the uid= or gid=
753 options are set, and will have permissions set to the default file_mode
754 and dir_mode for the mount. Attempting to change these values via
755 chmod/chown will return success but have no effect.
756
757 When the client and server negotiate unix extensions, files and direc‐
758 tories will be assigned the uid, gid, and mode provided by the server.
759 Because CIFS mounts are generally single-user, and the same credentials
760 are used no matter what user accesses the mount, newly created files
761 and directories will generally be given ownership corresponding to
762 whatever credentials were used to mount the share.
763
764 If the uid's and gid's being used do not match on the client and
765 server, the forceuid and forcegid options may be helpful. Note however,
766 that there is no corresponding option to override the mode. Permissions
767 assigned to a file when forceuid or forcegid are in effect may not
768 reflect the the real permissions.
769
770 When unix extensions are not negotiated, it's also possible to emulate
771 them locally on the server using the dynperm mount option. When this
772 mount option is in effect, newly created files and directories will
773 receive what appear to be proper permissions. These permissions are not
774 stored on the server however and can disappear at any time in the
775 future (subject to the whims of the kernel flushing out the inode
776 cache). In general, this mount option is discouraged.
777
778 It's also possible to override permission checking on the client alto‐
779 gether via the noperm option. Server-side permission checks cannot be
780 overridden. The permission checks done by the server will always corre‐
781 spond to the credentials used to mount the share, and not necessarily
782 to the user who is accessing the share.
783
785 The variable USER may contain the username of the person to be used to
786 authenticate to the server. The variable can be used to set both user‐
787 name and password by using the format username%password.
788
789 The variable PASSWD may contain the password of the person using the
790 client.
791
792 The variable PASSWD_FILE may contain the pathname of a file to read the
793 password from. A single line of input is read and used as the password.
794
796 This command may be used only by root, unless installed setuid, in
797 which case the noexec and nosuid mount flags are enabled. When
798 installed as a setuid program, the program follows the conventions set
799 forth by the mount program for user mounts, with the added restriction
800 that users must be able to chdir() into the mountpoint prior to the
801 mount in order to be able to mount onto it.
802
803 Some samba client tools like smbclient(8) honour client-side configura‐
804 tion parameters present in smb.conf. Unlike those client tools,
805 mount.cifs ignores smb.conf completely.
806
808 The primary mechanism for making configuration changes and for reading
809 debug information for the cifs vfs is via the Linux /proc filesystem.
810 In the directory /proc/fs/cifs are various configuration files and
811 pseudo files which can display debug information. There are additional
812 startup options such as maximum buffer size and number of buffers which
813 only may be set when the kernel cifs vfs (cifs.ko module) is loaded.
814 These can be seen by running the modinfo utility against the file
815 cifs.ko which will list the options that may be passed to cifs during
816 module installation (device driver load). For more information see the
817 kernel file fs/cifs/README.
818
820 Mounting using the CIFS URL specification is currently not supported.
821
822 The credentials file does not handle usernames or passwords with lead‐
823 ing space.
824
825 Note that the typical response to a bug report is a suggestion to try
826 the latest version first. So please try doing that first, and always
827 include which versions you use of relevant software when reporting bugs
828 (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version)
829 and server type you are trying to contact.
830
832 This man page is correct for version 1.74 of the cifs vfs filesystem
833 (roughly Linux kernel 3.0).
834
836 cifs.upcall(8), getcifsacl(1), setcifsacl(1)
837
838 Documentation/filesystems/cifs.txt and fs/cifs/README in the Linux ker‐
839 nel source tree may contain additional options and information.
840
842 Steve French
843
844 The maintainer of the Linux cifs vfs and the userspace tool mount.cifs
845 is Steve French. The Linux CIFS Mailing list is the preferred place to
846 ask questions regarding these programs.
847
848
849
850
851 MOUNT.CIFS(8)