1# SPDX-License-Identifier: GPL-2.0-only 2config CIFS 3 tristate "SMB3 and CIFS support (advanced network filesystem)" 4 depends on INET 5 select NLS 6 select CRYPTO 7 select CRYPTO_MD4 8 select CRYPTO_MD5 9 select CRYPTO_SHA256 10 select CRYPTO_SHA512 11 select CRYPTO_CMAC 12 select CRYPTO_HMAC 13 select CRYPTO_LIB_ARC4 14 select CRYPTO_AEAD2 15 select CRYPTO_CCM 16 select CRYPTO_GCM 17 select CRYPTO_ECB 18 select CRYPTO_AES 19 select CRYPTO_LIB_DES 20 select KEYS 21 select DNS_RESOLVER 22 help 23 This is the client VFS module for the SMB3 family of NAS protocols, 24 (including support for the most recent, most secure dialect SMB3.1.1) 25 as well as for earlier dialects such as SMB2.1, SMB2 and the older 26 Common Internet File System (CIFS) protocol. CIFS was the successor 27 to the original dialect, the Server Message Block (SMB) protocol, the 28 native file sharing mechanism for most early PC operating systems. 29 30 The SMB3 protocol is supported by most modern operating systems 31 and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016, 32 MacOS) and even in the cloud (e.g. Microsoft Azure). 33 The older CIFS protocol was included in Windows NT4, 2000 and XP (and 34 later) as well by Samba (which provides excellent CIFS and SMB3 35 server support for Linux and many other operating systems). Use of 36 dialects older than SMB2.1 is often discouraged on public networks. 37 This module also provides limited support for OS/2 and Windows ME 38 and similar very old servers. 39 40 This module provides an advanced network file system client 41 for mounting to SMB3 (and CIFS) compliant servers. It includes 42 support for DFS (hierarchical name space), secure per-user 43 session establishment via Kerberos or NTLM or NTLMv2, RDMA 44 (smbdirect), advanced security features, per-share encryption, 45 directory leases, safe distributed caching (oplock), optional packet 46 signing, Unicode and other internationalization improvements. 47 48 In general, the default dialects, SMB3 and later, enable better 49 performance, security and features, than would be possible with CIFS. 50 Note that when mounting to Samba, due to the CIFS POSIX extensions, 51 CIFS mounts can provide slightly better POSIX compatibility 52 than SMB3 mounts. SMB2/SMB3 mount options are also 53 slightly simpler (compared to CIFS) due to protocol improvements. 54 55 If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y. 56 57config CIFS_STATS2 58 bool "Extended statistics" 59 depends on CIFS 60 help 61 Enabling this option will allow more detailed statistics on SMB 62 request timing to be displayed in /proc/fs/cifs/DebugData and also 63 allow optional logging of slow responses to dmesg (depending on the 64 value of /proc/fs/cifs/cifsFYI). See Documentation/admin-guide/cifs/usage.rst 65 for more details. These additional statistics may have a minor effect 66 on performance and memory utilization. 67 68 Unless you are a developer or are doing network performance analysis 69 or tuning, say N. 70 71config CIFS_ALLOW_INSECURE_LEGACY 72 bool "Support legacy servers which use less secure dialects" 73 depends on CIFS 74 default y 75 help 76 Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have 77 additional security features, including protection against 78 man-in-the-middle attacks and stronger crypto hashes, so the use 79 of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged. 80 81 Disabling this option prevents users from using vers=1.0 or vers=2.0 82 on mounts with cifs.ko 83 84 If unsure, say Y. 85 86config CIFS_WEAK_PW_HASH 87 bool "Support legacy servers which use weaker LANMAN security" 88 depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY 89 help 90 Modern CIFS servers including Samba and most Windows versions 91 (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) 92 security mechanisms. These hash the password more securely 93 than the mechanisms used in the older LANMAN version of the 94 SMB protocol but LANMAN based authentication is needed to 95 establish sessions with some old SMB servers. 96 97 Enabling this option allows the cifs module to mount to older 98 LANMAN based servers such as OS/2 and Windows 95, but such 99 mounts may be less secure than mounts using NTLM or more recent 100 security mechanisms if you are on a public network. Unless you 101 have a need to access old SMB servers (and are on a private 102 network) you probably want to say N. Even if this support 103 is enabled in the kernel build, LANMAN authentication will not be 104 used automatically. At runtime LANMAN mounts are disabled but 105 can be set to required (or optional) either in 106 /proc/fs/cifs (see Documentation/admin-guide/cifs/usage.rst for 107 more detail) or via an option on the mount command. This support 108 is disabled by default in order to reduce the possibility of a 109 downgrade attack. 110 111 If unsure, say N. 112 113config CIFS_UPCALL 114 bool "Kerberos/SPNEGO advanced session setup" 115 depends on CIFS 116 help 117 Enables an upcall mechanism for CIFS which accesses userspace helper 118 utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets 119 which are needed to mount to certain secure servers (for which more 120 secure Kerberos authentication is required). If unsure, say Y. 121 122config CIFS_XATTR 123 bool "CIFS extended attributes" 124 depends on CIFS 125 help 126 Extended attributes are name:value pairs associated with inodes by 127 the kernel or by users (see the attr(5) manual page for details). 128 CIFS maps the name of extended attributes beginning with the user 129 namespace prefix to SMB/CIFS EAs. EAs are stored on Windows 130 servers without the user namespace prefix, but their names are 131 seen by Linux cifs clients prefaced by the user namespace prefix. 132 The system namespace (used by some filesystems to store ACLs) is 133 not supported at this time. 134 135 If unsure, say Y. 136 137config CIFS_POSIX 138 bool "CIFS POSIX Extensions" 139 depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR 140 help 141 Enabling this option will cause the cifs client to attempt to 142 negotiate a newer dialect with servers, such as Samba 3.0.5 143 or later, that optionally can handle more POSIX like (rather 144 than Windows like) file behavior. It also enables 145 support for POSIX ACLs (getfacl and setfacl) to servers 146 (such as Samba 3.10 and later) which can negotiate 147 CIFS POSIX ACL support. If unsure, say N. 148 149config CIFS_DEBUG 150 bool "Enable CIFS debugging routines" 151 default y 152 depends on CIFS 153 help 154 Enabling this option adds helpful debugging messages to 155 the cifs code which increases the size of the cifs module. 156 If unsure, say Y. 157 158config CIFS_DEBUG2 159 bool "Enable additional CIFS debugging routines" 160 depends on CIFS_DEBUG 161 help 162 Enabling this option adds a few more debugging routines 163 to the cifs code which slightly increases the size of 164 the cifs module and can cause additional logging of debug 165 messages in some error paths, slowing performance. This 166 option can be turned off unless you are debugging 167 cifs problems. If unsure, say N. 168 169config CIFS_DEBUG_DUMP_KEYS 170 bool "Dump encryption keys for offline decryption (Unsafe)" 171 depends on CIFS_DEBUG 172 help 173 Enabling this will dump the encryption and decryption keys 174 used to communicate on an encrypted share connection on the 175 console. This allows Wireshark to decrypt and dissect 176 encrypted network captures. Enable this carefully. 177 If unsure, say N. 178 179config CIFS_DFS_UPCALL 180 bool "DFS feature support" 181 depends on CIFS 182 help 183 Distributed File System (DFS) support is used to access shares 184 transparently in an enterprise name space, even if the share 185 moves to a different server. This feature also enables 186 an upcall mechanism for CIFS which contacts userspace helper 187 utilities to provide server name resolution (host names to 188 IP addresses) which is needed in order to reconnect to 189 servers if their addresses change or for implicit mounts of 190 DFS junction points. If unsure, say Y. 191 192config CIFS_SWN_UPCALL 193 bool "SWN feature support" 194 depends on CIFS 195 help 196 The Service Witness Protocol (SWN) is used to get notifications 197 from a highly available server of resource state changes. This 198 feature enables an upcall mechanism for CIFS which contacts a 199 userspace daemon to establish the DCE/RPC connection to retrieve 200 the cluster available interfaces and resource change notifications. 201 If unsure, say Y. 202 203config CIFS_NFSD_EXPORT 204 bool "Allow nfsd to export CIFS file system" 205 depends on CIFS && BROKEN 206 help 207 Allows NFS server to export a CIFS mounted share (nfsd over cifs) 208 209config CIFS_SMB_DIRECT 210 bool "SMB Direct support" 211 depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y 212 help 213 Enables SMB Direct support for SMB 3.0, 3.02 and 3.1.1. 214 SMB Direct allows transferring SMB packets over RDMA. If unsure, 215 say Y. 216 217config CIFS_FSCACHE 218 bool "Provide CIFS client caching support" 219 depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y 220 help 221 Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data 222 to be cached locally on disk through the general filesystem cache 223 manager. If unsure, say N. 224 225config CIFS_ROOT 226 bool "SMB root file system (Experimental)" 227 depends on CIFS=y && IP_PNP 228 help 229 Enables root file system support over SMB protocol. 230 231 Most people say N here. 232