1CIFS.UPCALL(8)                                                  CIFS.UPCALL(8)
2
3
4

NAME

6       cifs.upcall  -  Userspace upcall helper for Common Internet File System
7       (CIFS)
8

SYNOPSIS

10          cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
11                 [--krb5conf=/path/to/krb5.conf|-k         /path/to/krb5.conf]
12                 [--keytab=/path/to/keytab|-K   /path/to/keytab]  [--expire|-e
13                 nsecs] {keyid}
14

DESCRIPTION

16       This tool is part of the cifs-utils suite.
17
18       cifs.upcall is a userspace helper program for  the  linux  CIFS  client
19       filesystem.  There  are  a  number of activities that the kernel cannot
20       easily do itself. This program is a callout  program  that  does  these
21       things for the kernel and then returns the result.
22
23       cifs.upcall  is  generally  intended  to  be  run when the kernel calls
24       request-key(8) for a particular key type. While it can be run  directly
25       from the command-line, it's not generally intended to be run that way.
26

OPTIONS

28       -c     This option is deprecated and is currently ignored.
29
30       --no-env-probe|-E
31              Normally,  cifs.upcall will probe the environment variable space
32              of the process that initiated the upcall in order to  fetch  the
33              value  of  $KRB5CCNAME. This can assist the program with finding
34              credential caches in non-default locations. If  this  option  is
35              set,  then  the  program  won't do this and will rely on finding
36              credcaches in the default locations specified in krb5.conf. Note
37              that  this  is  never  performed  when the uid is 0. The default
38              credcache location is always used when the uid is 0,  regardless
39              of the environment variable setting in the process.
40
41       --krb5conf|-k=/path/to/krb5.conf
42              This  option  allows administrators to set an alternate location
43              for the krb5.conf file that cifs.upcall will use.
44
45       --keytab=|-K=/path/to/keytab
46              This option allows administrators to specify a keytab file to be
47              used.  When  a user has no credential cache already established,
48              cifs.upcall will attempt to use this keytab to acquire them. The
49              default is the system-wide keytab /etc/krb5.keytab.
50
51       --trust-dns|-t
52              With krb5 upcalls, the name used as the host portion of the ser‐
53              vice principal defaults to the hostname portion of the UNC. This
54              option  allows the upcall program to reverse resolve the network
55              address of the server in order to get the hostname.
56
57              This is less secure than  not  trusting  DNS.  When  using  this
58              option,  it's possible that an attacker could get control of DNS
59              and trick the client into  mounting  a  different  server  alto‐
60              gether.  It's preferable to instead add server principals to the
61              KDC for every possible hostname,  but  this  option  exists  for
62              cases  where  that  isn't  possible. The default is to not trust
63              reverse hostname lookups in this fashion.
64
65       --legacy-uid|-l
66              Traditionally, the kernel has sent only a single uid=  parameter
67              to  the  upcall  for  the SPNEGO upcall that's used to determine
68              what user's credential cache to use.  This parameter is affected
69              by  the  uid=  mount option, which also governs the ownership of
70              files on the mount.
71
72              Newer kernels send a creduid= option  as  well,  which  contains
73              what uid it thinks actually owns the credentials that it's look‐
74              ing for. At mount time, this is generally set to the real uid of
75              the  user  doing the mount. For multisession mounts, it's set to
76              the fsuid of the  mount  user.  Set  this  option  if  you  want
77              cifs.upcall  to use the older uid= parameter instead of the cre‐
78              duid= parameter.
79
80       --expire|-e
81              Override default timeout value (600  seconds)  for  dns_resolver
82              key.
83
84       --version|-v
85              Print version number and exit.
86

CONFIGURATION FOR KEYCTL

88       cifs.upcall   is  designed  to  be  called  from  the  kernel  via  the
89       request-key callout program. This requires  that  request-key  be  told
90       where  and  how  to call this program.  The current cifs.upcall program
91       handles two different key types:
92
93       cifs.spnego
94              This keytype is for retrieving kerberos session keys
95
96       dns_resolver
97              This key type is for resolving hostnames into IP addresses. Sup‐
98              port for this key type may eventually be deprecated (see below).
99
100              To  make  this  program  useful  for CIFS, you'll need to set up
101              entries for them in request-key.conf(5). Here's an example of an
102              entry for each key type:
103
104                 #OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
105                 #=========  =============  = = ================================
106                 create      cifs.spnego    * * /usr/sbin/cifs.upcall %k
107                 create      dns_resolver   * * /usr/sbin/cifs.upcall %k
108
109              See request-key.conf(5) for more info on each field.
110
111              The  keyutils  package has also started including a dns_resolver
112              handling program as well that  is  preferred  over  the  one  in
113              cifs.upcall.  If  you  are  using a keyutils version equal to or
114              greater than 1.5, you should use key.dns_resolver to handle  the
115              dns_resolver     keytype    instead    of    cifs.upcall.    See
116              key.dns_resolver(8) for more info.
117

SEE ALSO

119       request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
120

AUTHOR

122       Igor Mammedov wrote the cifs.upcall program.
123
124       Jeff Layton authored this manpage.
125
126       The maintainer of the Linux CIFS VFS is Steve French.
127
128       The Linux CIFS Mailing list is the preferred  place  to  ask  questions
129       regarding these programs.
130
131
132
133
134                                                                CIFS.UPCALL(8)
Impressum