1CIFS.UPCALL(8) CIFS.UPCALL(8)
2
6 cifs.upcall - Userspace upcall helper for Common Internet File System
7 (CIFS)
8
10 cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
11 [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
12 [--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e
13 nsecs] {keyid}
14
16 This tool is part of the cifs-utils suite.
17 cifs.upcall is a userspace helper program for the linux CIFS client
19 filesystem. There are a number of activities that the kernel cannot
20 easily do itself. This program is a callout program that does these
21 things for the kernel and then returns the result.
22 cifs.upcall is generally intended to be run when the kernel calls re‐
24 quest-key(8) for a particular key type. While it can be run directly
25 from the command-line, it's not generally intended to be run that way.
26
28 -c This option is deprecated and is currently ignored.
29 --no-env-probe|-E
31 Normally, cifs.upcall will probe the environment variable space
32 of the process that initiated the upcall in order to fetch the
33 value of $KRB5CCNAME. This can assist the program with finding
34 credential caches in non-default locations. If this option is
35 set, then the program won't do this and will rely on finding
36 credcaches in the default locations specified in krb5.conf. Note
37 that this is never performed when the uid is 0. The default
38 credcache location is always used when the uid is 0, regardless
39 of the environment variable setting in the process.
40 --krb5conf|-k=/path/to/krb5.conf
42 This option allows administrators to set an alternate location
43 for the krb5.conf file that cifs.upcall will use.
44 --keytab=|-K=/path/to/keytab
46 This option allows administrators to specify a keytab file to be
47 used. When a user has no credential cache already established,
48 cifs.upcall will attempt to use this keytab to acquire them. The
49 default is the system-wide keytab /etc/krb5.keytab.
50 --trust-dns|-t
52 With krb5 upcalls, the name used as the host portion of the ser‐
53 vice principal defaults to the hostname portion of the UNC. This
54 option allows the upcall program to reverse resolve the network
55 address of the server in order to get the hostname.
56 This is less secure than not trusting DNS. When using this op‐
58 tion, it's possible that an attacker could get control of DNS
59 and trick the client into mounting a different server alto‐
60 gether. It's preferable to instead add server principals to the
61 KDC for every possible hostname, but this option exists for
62 cases where that isn't possible. The default is to not trust re‐
63 verse hostname lookups in this fashion.
64 --legacy-uid|-l
66 Traditionally, the kernel has sent only a single uid= parameter
67 to the upcall for the SPNEGO upcall that's used to determine
68 what user's credential cache to use. This parameter is affected
69 by the uid= mount option, which also governs the ownership of
70 files on the mount.
71 Newer kernels send a creduid= option as well, which contains
73 what uid it thinks actually owns the credentials that it's look‐
74 ing for. At mount time, this is generally set to the real uid of
75 the user doing the mount. For multisession mounts, it's set to
76 the fsuid of the mount user. Set this option if you want
77 cifs.upcall to use the older uid= parameter instead of the cre‐
78 duid= parameter.
79 --expire|-e
81 Override default timeout value (600 seconds) for dns_resolver
82 key.
83 --version|-v
85 Print version number and exit.
86
88 GSS_USE_PROXY="yes"
89 Enable usage of gssproxy for credential retrieval. This includes
90 keytab based client initiation as well as (Resource Based) Con‐
91 strained Delegation. See gssproxy-mech(8).
92
94 cifs.upcall is designed to be called from the kernel via the re‐
95 quest-key callout program. This requires that request-key be told where
96 and how to call this program. The current cifs.upcall program handles
97 two different key types:
98 cifs.spnego
100 This keytype is for retrieving kerberos session keys
101 dns_resolver
103 This key type is for resolving hostnames into IP addresses. Sup‐
104 port for this key type may eventually be deprecated (see below).
105 To make this program useful for CIFS, you'll need to set up en‐
107 tries for them in request-key.conf(5). Here's an example of an
108 entry for each key type:
109 #OPERATION TYPE D C PROGRAM ARG1 ARG2...
111 #========= ============= = = ================================
112 create cifs.spnego * * /usr/sbin/cifs.upcall %k
113 create dns_resolver * * /usr/sbin/cifs.upcall %k
114 See request-key.conf(5) for more info on each field.
116 The keyutils package has also started including a dns_resolver
118 handling program as well that is preferred over the one in
119 cifs.upcall. If you are using a keyutils version equal to or
120 greater than 1.5, you should use key.dns_resolver to handle the
121 dns_resolver keytype instead of cifs.upcall. See key.dns_re‐
122 solver(8) for more info.
123
125 request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
126
128 Igor Mammedov wrote the cifs.upcall program.
129 Jeff Layton authored this manpage.
131 The maintainer of the Linux CIFS VFS is Steve French.
133 The Linux CIFS Mailing list is the preferred place to ask questions re‐
135 garding these programs.
136 CIFS.UPCALL(8)