1CIFS.UPCALL(8) System Administration tools CIFS.UPCALL(8)
2
6 cifs.upcall - Userspace upcall helper for Common Internet File System
7 (CIFS)
8
10 cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] {keyid}
11
13 This tool is part of the cifs-utils suite.
14 cifs.upcall is a userspace helper program for the linux CIFS client
16 filesystem. There are a number of activities that the kernel cannot
17 easily do itself. This program is a callout program that does these
18 things for the kernel and then returns the result.
19 cifs.upcall is generally intended to be run when the kernel calls
21 request-key(8) for a particular key type. While it can be run directly
22 from the command-line, it´s not generally intended to be run that way.
23
25 -c
26 This option is deprecated and is currently ignored.
27 --trust-dns|-t
29 With krb5 upcalls, the name used as the host portion of the service
30 principal defaults to the hostname portion of the UNC. This option
31 allows the upcall program to reverse resolve the network address of
32 the server in order to get the hostname.
33 This is less secure than not trusting DNS. When using this option,
35 it´s possible that an attacker could get control of DNS and trick
36 the client into mounting a different server altogether. It´s
37 preferable to instead add server principals to the KDC for every
38 possible hostname, but this option exists for cases where that
39 isn´t possible. The default is to not trust reverse hostname
40 lookups in this fashion.
41 --legacy-uid|-l
43 Traditionally, the kernel has sent only a single uid= parameter to
44 the upcall for the SPNEGO upcall that´s used to determine what
45 user's credential cache to use. This parameter is affected by the
46 uid= mount option, which also governs the ownership of files on the
47 mount.
48 Newer kernels send a creduid= option as well, which contains what
50 uid it thinks actually owns the credentials that it´s looking for.
51 At mount time, this is generally set to the real uid of the user
52 doing the mount. For multisession mounts, it's set to the fsuid of
53 the mount user. Set this option if you want cifs.upcall to use the
54 older uid= parameter instead of the creduid= parameter.
55 --version|-v
57 Print version number and exit.
58
60 cifs.upcall is designed to be called from the kernel via the
61 request-key callout program. This requires that request-key be told
62 where and how to call this program. The current cifs.upcall program
63 handles two different key types:
64 cifs.spnego
66 This keytype is for retrieving kerberos session keys
67 dns_resolver
69 This key type is for resolving hostnames into IP addresses
70 To make this program useful for CIFS, you´ll need to set up entries for
72 them in request-key.conf(5). Here´s an example of an entry for each key
73 type:
74 #OPERATION TYPE D C PROGRAM ARG1 ARG2...
76 #========= ============= = = ================================
77 create cifs.spnego * * /usr/sbin/cifs.upcall %k
78 create dns_resolver * * /usr/sbin/cifs.upcall %k
79 See request-key.conf5() for more info on each field.
81
83 request-key.conf(5), mount.cifs(8)
84
86 Igor Mammedov wrote the cifs.upcall program.
87 Jeff Layton authored this manpage.
89 The maintainer of the Linux CIFS VFS is Steve French.
91 The Linux CIFS Mailing list is the preferred place to ask questions
93 regarding these programs.
94cifs-utils 4.0 02/07/2010 CIFS.UPCALL(8)