-rw-r--r-- | Makefile.am | 65 | ||||
-rw-r--r-- | cifs.idmap.pod.in | 100 | ||||
-rw-r--r-- | cifs.idmap.rst.in | 134 | ||||
-rw-r--r-- | cifs.upcall.pod.in | 147 | ||||
-rw-r--r-- | cifs.upcall.rst.in | 190 | ||||
-rw-r--r-- | cifscreds.pod | 95 | ||||
-rw-r--r-- | cifscreds.rst | 129 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rw-r--r-- | getcifsacl.pod.in | 60 | ||||
-rw-r--r-- | getcifsacl.rst.in | 86 | ||||
-rw-r--r-- | idmapwb.pod.in | 26 | ||||
-rw-r--r-- | idmapwb.rst.in | 37 | ||||
-rw-r--r-- | mount.cifs.pod | 933 | ||||
-rw-r--r-- | mount.cifs.rst | 860 | ||||
-rw-r--r-- | pam_cifscreds.pod | 84 | ||||
-rw-r--r-- | pam_cifscreds.rst | 116 | ||||
-rw-r--r-- | setcifsacl.pod.in | 117 | ||||
-rw-r--r-- | setcifsacl.rst.in | 185 |
18 files changed, 1769 insertions, 1605 deletions
diff --git a/Makefile.am b/Makefile.am index 559ce08..30658e3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -6,7 +6,7 @@ root_sbin_PROGRAMS = mount.cifs mount_cifs_SOURCES = mount.cifs.c mtab.c resolve_host.c util.c mount_cifs_LDADD = $(LIBCAP) $(CAPNG_LDADD) $(RT_LDADD) include_HEADERS = cifsidmap.h -pod_man_pages = mount.cifs.8 +rst_man_pages = mount.cifs.8 # # Generate man pages troff source from POD format @@ -14,25 +14,14 @@ pod_man_pages = mount.cifs.8 man_MANS= -POD2MAN = pod2man -s $$(echo $@ | sed 's,.*\([1-9]\)$$,\1,' ) \ - -c 'System Administration Tools' -u -r '' --stderr $< $@ - -%.1: %.pod - $(POD2MAN) -%.2: %.pod - $(POD2MAN) -%.3: %.pod - $(POD2MAN) -%.4: %.pod - $(POD2MAN) -%.5: %.pod - $(POD2MAN) -%.6: %.pod - $(POD2MAN) -%.7: %.pod - $(POD2MAN) -%.8: %.pod - $(POD2MAN) +SUFFIXES = .rst .1 .8 + +RST2MAN = rst2man --syntax-highlight=none $< $@ + +.rst.1: + $(RST2MAN) +.rst.8: + $(RST2MAN) CLEANFILES = bin_PROGRAMS = @@ -42,12 +31,12 @@ if CONFIG_CIFSUPCALL sbin_PROGRAMS += cifs.upcall cifs_upcall_SOURCES = cifs.upcall.c data_blob.c asn1.c spnego.c cifs_upcall_LDADD = -ltalloc -lkeyutils $(KRB5_LDADD) $(CAPNG_LDADD) -pod_man_pages += cifs.upcall.8 +rst_man_pages += cifs.upcall.8 # # Fix the pathnames in manpages. To prevent @label@ being replaced by m4, we # need to obfuscate the LHS of the regex (hence the trivial one character set). # -cifs.upcall.pod: cifs.upcall.pod.in +cifs.upcall.rst: cifs.upcall.rst.in $(SED) 's,[@]sbindir@,$(sbindir),' $(srcdir)/$@.in > $@-t && mv $@-t $@ endif @@ -56,7 +45,7 @@ bin_PROGRAMS += cifscreds cifscreds_SOURCES = cifscreds.c cifskey.c resolve_host.c util.c cifscreds_LDADD = -lkeyutils -pod_man_pages += cifscreds.1 +rst_man_pages += cifscreds.1 endif 
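Review bot: The new `RST2MAN` command in the `@@ -14,25 +14,14 @@` hunk writes straight to `$@`, so a failed or interrupted rst2man run may leave a truncated man page that make later treats as up to date. The sed rules in this same file already avoid that with the `$@-t && mv $@-t $@` idiom, and the converter should follow it: `RST2MAN = rst2man --syntax-highlight=none $< $@-t && mv $@-t $@`. A short comment above `SUFFIXES = .rst .1 .8` saying that only sections 1 and 8 are covered would also help, because the removed pattern rules handled sections 1 through 8 and a page added in another section would now silently have no rule.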
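Review bot: In the `CONFIG_CIFSUPCALL` block (`@@ -42,12 +31,12 @@`), the generated `cifs.upcall.rst` is never added to `CLEANFILES`, unlike `cifs.idmap.rst`, `getcifsacl.rst`, `setcifsacl.rst` and `idmapwb.rst` in the later hunks. The file embeds `$(sbindir)` in the request-key.conf example, so a copy left over from an earlier configure run with a different prefix would keep documenting the old helper path after `make clean`. Add `CLEANFILES += cifs.upcall.rst` next to the `rst_man_pages += cifs.upcall.8` line. The whole conditional appears to be inside this hunk, so the omission does not look like something handled just outside it.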
@@ -64,9 +53,9 @@ if CONFIG_CIFSIDMAP sbin_PROGRAMS += cifs.idmap cifs_idmap_SOURCES = cifs.idmap.c idmap_plugin.c cifs_idmap_LDADD = -lkeyutils -ldl -pod_man_pages += cifs.idmap.8 -CLEANFILES += cifs.idmap.pod -cifs.idmap.pod: cifs.idmap.pod.in +rst_man_pages += cifs.idmap.8 +CLEANFILES += cifs.idmap.rst +cifs.idmap.rst: cifs.idmap.rst.in $(SED) -e 's,[@]sbindir@,$(sbindir),' -e 's,[@]pluginpath@,$(pluginpath),' $(srcdir)/$@.in > $@-t && mv $@-t $@ endif @@ -75,18 +64,18 @@ bin_PROGRAMS += getcifsacl getcifsacl_SOURCES = getcifsacl.c idmap_plugin.c getcifsacl_LDADD = -ldl -pod_man_pages += getcifsacl.1 -CLEANFILES += getcifsacl.pod -getcifsacl.pod: getcifsacl.pod.in +rst_man_pages += getcifsacl.1 +CLEANFILES += getcifsacl.rst +getcifsacl.rst: getcifsacl.rst.in $(SED) 's,[@]pluginpath@,$(pluginpath),' $(srcdir)/$@.in > $@-t && mv $@-t $@ bin_PROGRAMS += setcifsacl setcifsacl_SOURCES = setcifsacl.c idmap_plugin.c setcifsacl_LDADD = -ldl -pod_man_pages += setcifsacl.1 -CLEANFILES += setcifsacl.pod -setcifsacl.pod: setcifsacl.pod.in +rst_man_pages += setcifsacl.1 +CLEANFILES += setcifsacl.rst +setcifsacl.rst: setcifsacl.rst.in $(SED) 's,[@]pluginpath@,$(pluginpath),' $(srcdir)/$@.in > $@-t && mv $@-t $@ endif 
@@ -96,23 +85,23 @@ plugin_PROGRAMS = idmapwb.so idmapwb.so: idmapwb.c $(CC) $(DEFS) $(CFLAGS) $(AM_CFLAGS) $(WBCLIENT_CFLAGS) $(LDFLAGS) -shared -fpic -o $@ $+ $(WBCLIENT_LIBS) -pod_man_pages += idmapwb.8 -CLEANFILES += idmapwb.pod -idmapwb.pod: idmapwb.pod.in +rst_man_pages += idmapwb.8 +CLEANFILES += idmapwb.rst +idmapwb.rst: idmapwb.rst.in $(SED) 's,[@]pluginpath@,$(pluginpath),' $(srcdir)/$@.in > $@-t && mv $@-t $@ endif if CONFIG_PAM pam_PROGRAMS = pam_cifscreds.so -pod_man_pages += pam_cifscreds.8 +rst_man_pages += pam_cifscreds.8 pam_cifscreds.so: pam_cifscreds.c cifskey.c resolve_host.c util.c $(CC) $(DEFS) $(CFLAGS) $(AM_CFLAGS) $(LDFLAGS) -shared -fpic -o $@ $+ -lpam -lkeyutils endif if CONFIG_MAN -man_MANS += $(pod_man_pages) -CLEANFILES += $(pod_man_pages) +man_MANS += $(rst_man_pages) +CLEANFILES += $(rst_man_pages) endif SUBDIRS = contrib diff --git a/cifs.idmap.pod.in b/cifs.idmap.pod.in deleted file mode 100644 index 9ff92c2..0000000 --- a/cifs.idmap.pod.in +++ /dev/null 
@@ -1,100 +0,0 @@ -# turn into a manpage with the following command: -# -# pod2man -s 1 -u -c '' -r '' --stderr cifs.idmap.pod cifs.idmap.8 -# - -=head1 NAME - -cifs.idmap - Userspace helper for mapping ids for Common Internet File System (CIFS) - -=head1 SYNOPSIS - -cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} - -=head1 DESCRIPTION - -This tool is part of the cifs-utils suite. - -B<cifs.idmap> is a userspace helper program for the linux CIFS client -filesystem. There are a number of activities that the kernel cannot -easily do itself. This program is a callout program that does these -things for the kernel and then returns the result. - -B<cifs.idmap> is generally intended to be run when the kernel calls -L<request-key(8)> for a particular key type. While it can be run -directly from the command-line, it is not generally intended to be run -that way. - -This program is only called if a share is mounted with the B<cifsacl> -mount option. The kernel will only upcall to do this conversion if -that mount option is specified. - -B<cifs.idmap> relies on a plugin to handle the ID mapping. If it can't -find the plugin then it will not work properly. The plugin (or a -symlink to it) must be at @pluginpath@. - -In the case where B<cifs.idmap> or the plugin are unavailable, file -objects in a mounted share are assigned uid and gid of the credentials -of the process that mounted the share. It is strongly recomemended to -use mount options of uid and gid to specify a default uid and gid to -map owner SIDs and group SIDs in this situation. - -=head1 OPTIONS - -=over - -=item B<--help|-h> - -Print the usage message and exit. - -=item B<--timeout|-t> - -Set the expiration timer, in seconds on the key. The default is 600 -seconds (10 minutes). Setting this to 0 will cause the key to never -expire. - -=item B<--version|-v> - -Print version number and exit. 
- -=back - -=head1 CONFIGURATION FOR KEYCTL - -B<cifs.idmap> is designed to be called from the kernel via the -request-key callout program. This requires that request-key be told -where and how to call this program. Currently B<cifs.idmap> handles a -key type of: - -=over - -=item B<cifs.idmap> - -This keytype is for mapping a SID to either an uid or a gid - -=back - -To make this program useful for CIFS, you will need to set up entry for it in -L<request-key.conf(5)>. Here is an example of an entry for this key type: - - #OPERATION TYPE D C PROGRAM ARG1 ARG2... - #========= ============= = = ================================ - create cifs.idmap * * @sbindir@/cifs.idmap %k - -See L<request-key.conf(5)> for more info on each field. - -=head1 NOTES - -Support for upcalls to cifs.idmap was initially introduced in the 3.0 -kernel. - -=head1 SEE ALSO - -L<request-key.conf(5)>, L<mount.cifs(8)> - -=head1 AUTHOR - -Shirish Pargaonkar wrote the cifs.idmap program. - -The Linux CIFS Mailing list is the preferred place to ask questions -regarding these programs. diff --git a/cifs.idmap.rst.in b/cifs.idmap.rst.in new file mode 100644 index 0000000..91b585e --- /dev/null +++ b/cifs.idmap.rst.in 
@@ -0,0 +1,134 @@ +========== +cifs.idmap +========== + +----------------------------------------------------------------------- +Userspace helper for mapping ids for Common Internet File System (CIFS) +----------------------------------------------------------------------- +:Manual section: 8 + +******** +SYNOPSIS +******** + + +cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} + + +*********** +DESCRIPTION +*********** + + +This tool is part of the cifs-utils suite. + +\ **cifs.idmap**\ is a userspace helper program for the linux CIFS client +filesystem. There are a number of activities that the kernel cannot +easily do itself. This program is a callout program that does these +things for the kernel and then returns the result. + +\ **cifs.idmap**\ is generally intended to be run when the kernel calls +request-key(8) for a particular key type. While it can be run +directly from the command-line, it is not generally intended to be run +that way. + +This program is only called if a share is mounted with the \ **cifsacl**\ +mount option. The kernel will only upcall to do this conversion if +that mount option is specified. + +\ **cifs.idmap**\ relies on a plugin to handle the ID mapping. If it can't +find the plugin then it will not work properly. The plugin (or a +symlink to it) must be at @pluginpath@. + +In the case where \ **cifs.idmap**\ or the plugin are unavailable, file +objects in a mounted share are assigned uid and gid of the credentials +of the process that mounted the share. It is strongly recomemended to +use mount options of uid and gid to specify a default uid and gid to +map owner SIDs and group SIDs in this situation. + + +******* +OPTIONS +******* + + + +\ **--help|-h**\ + + Print the usage message and exit. + + + +\ **--timeout|-t**\ + + Set the expiration timer, in seconds on the key. The default is 600 + seconds (10 minutes). Setting this to 0 will cause the key to never + expire. 
+ + + +\ **--version|-v**\ + + Print version number and exit. + + + + +************************ +CONFIGURATION FOR KEYCTL +************************ + + +\ **cifs.idmap**\ is designed to be called from the kernel via the +request-key callout program. This requires that request-key be told +where and how to call this program. Currently \ **cifs.idmap**\ handles a +key type of: + + +\ **cifs.idmap**\ + + This keytype is for mapping a SID to either an uid or a gid + + + +To make this program useful for CIFS, you will need to set up entry for it in +request-key.conf(5). Here is an example of an entry for this key type: + + +.. code-block:: perl + + #OPERATION TYPE D C PROGRAM ARG1 ARG2... + #========= ============= = = ================================ + create cifs.idmap * * @sbindir@/cifs.idmap %k + + +See request-key.conf(5) for more info on each field. + + +***** +NOTES +***** + + +Support for upcalls to cifs.idmap was initially introduced in the 3.0 +kernel. + + +******** +SEE ALSO +******** + + +request-key.conf(5), mount.cifs(8) + + +****** +AUTHOR +****** + + +Shirish Pargaonkar wrote the cifs.idmap program. + +The Linux CIFS Mailing list is the preferred place to ask questions +regarding these programs. + diff --git a/cifs.upcall.pod.in b/cifs.upcall.pod.in deleted file mode 100644 index ced3aed..0000000 --- a/cifs.upcall.pod.in +++ /dev/null 
@@ -1,147 +0,0 @@ -# turn into a manpage with the following command: -# -# pod2man -s 1 -u -c '' -r '' --stderr cifs.upcall.pod cifs.upcall.8 -# - -=head1 NAME - -cifs.upcall - Userspace upcall helper for Common Internet File System (CIFS) - -=head1 SYNOPSIS - - cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] - [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] - [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} - -=head1 DESCRIPTION - -This tool is part of the cifs-utils suite. - -B<cifs.upcall> is a userspace helper program for the linux CIFS client -filesystem. There are a number of activities that the kernel cannot -easily do itself. This program is a callout program that does these -things for the kernel and then returns the result. - -B<cifs.upcall> is generally intended to be run when the kernel calls -L<request-key(8)> for a particular key type. While it can be run -directly from the command-line, it's not generally intended to be run -that way. - -=head1 OPTIONS - -=over - -=item B<-c> - -This option is deprecated and is currently ignored. - -=item B<--no-env-probe|-E> - -Normally, B<cifs.upcall> will probe the environment variable space of -the process that initiated the upcall in order to fetch the value of -C<$KRB5CCNAME>. This can assist the program with finding credential -caches in non-default locations. If this option is set, then the -program won't do this and will rely on finding credcaches in the -default locations specified in F<krb5.conf>. Note that this is never -performed when the uid is 0. The default credcache location is always -used when the uid is 0, regardless of the environment variable setting -in the process. - -=item B<--krb5conf=F</path/to/krb5.conf>|-k F</path/to/krb5.conf>> - -This option allows administrators to set an alternate location for the -F<krb5.conf> file that B<cifs.upcall> will use. 
- -=item B<--keytab=F</path/to/keytab>|-K F</path/to/keytab>> - -This option allows administrators to specify a keytab file to be -used. When a user has no credential cache already established, -B<cifs.upcall> will attempt to use this keytab to acquire them. The -default is the system-wide keytab F</etc/krb5.keytab>. - -=item B<--trust-dns|-t> - -With krb5 upcalls, the name used as the host portion of the service -principal defaults to the hostname portion of the UNC. This option -allows the upcall program to reverse resolve the network address of -the server in order to get the hostname. - -This is less secure than not trusting DNS. When using this option, -it's possible that an attacker could get control of DNS and trick the -client into mounting a different server altogether. It's preferable to -instead add server principals to the KDC for every possible hostname, -but this option exists for cases where that isn't possible. The -default is to not trust reverse hostname lookups in this fashion. - -=item B<--legacy-uid|-l> - -Traditionally, the kernel has sent only a single uid= parameter to the -upcall for the SPNEGO upcall that's used to determine what user's -credential cache to use. This parameter is affected by the B<uid=> -mount option, which also governs the ownership of files on the mount. - -Newer kernels send a creduid= option as well, which contains what uid -it thinks actually owns the credentials that it's looking for. At -mount time, this is generally set to the real uid of the user doing -the mount. For multisession mounts, it's set to the fsuid of the mount -user. Set this option if you want cifs.upcall to use the older B<uid=> -parameter instead of the creduid= parameter. - -=item B<--version|-v> - -Print version number and exit. - -=back - -=head1 CONFIGURATION FOR KEYCTL - -B<cifs.upcall> is designed to be called from the kernel via the -request-key callout program. This requires that request-key be told -where and how to call this program. 
The current B<cifs.upcall> -program handles two different key types: - -=over - -=item B<cifs.spnego> - -This keytype is for retrieving kerberos session keys - -=item B<dns_resolver> - -This key type is for resolving hostnames into IP addresses. Support -for this key type may eventually be deprecated (see below). - -To make this program useful for CIFS, you'll need to set up entries -for them in L<request-key.conf(5)>. Here's an example of an entry for -each key type: - - #OPERATION TYPE D C PROGRAM ARG1 ARG2... - #========= ============= = = ================================ - create cifs.spnego * * @sbindir@/cifs.upcall %k - create dns_resolver * * @sbindir@/cifs.upcall %k - -See L<request-key.conf(5)> for more info on each field. - -The keyutils package has also started including a dns_resolver -handling program as well that is preferred over the one in -B<cifs.upcall.> If you are using a keyutils version equal to or -greater than 1.5, you should use C<key.dns_resolver> to handle the -C<dns_resolver> keytype instead of B<cifs.upcall>. See -L<key.dns_resolver(8)> for more info. - -=back - -=head1 SEE ALSO - -L<request-key.conf(5)>, L<mount.cifs(8)>, L<key.dns_resolver(8)> - -=head1 AUTHOR - -Igor Mammedov wrote the cifs.upcall program. - -Jeff Layton authored this manpage. - -The maintainer of the Linux CIFS VFS is Steve French. - -The Linux CIFS Mailing list is the preferred place to ask questions -regarding these programs. diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in new file mode 100644 index 0000000..8f4ee62 --- /dev/null +++ b/cifs.upcall.rst.in 
@@ -0,0 +1,190 @@ +=========== +cifs.upcall +=========== + +-------------------------------------------------------------- +Userspace upcall helper for Common Internet File System (CIFS) +-------------------------------------------------------------- +:Manual section: 8 + + +******** +SYNOPSIS +******** + +.. code-block:: perl + + cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] + [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] + [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} + + + +*********** +DESCRIPTION +*********** + + +This tool is part of the cifs-utils suite. + +\ **cifs.upcall**\ is a userspace helper program for the linux CIFS client +filesystem. There are a number of activities that the kernel cannot +easily do itself. This program is a callout program that does these +things for the kernel and then returns the result. + +\ **cifs.upcall**\ is generally intended to be run when the kernel calls +request-key(8) for a particular key type. While it can be run +directly from the command-line, it's not generally intended to be run +that way. + + +******* +OPTIONS +******* + + + +\ **-c**\ + + This option is deprecated and is currently ignored. + + + +\ **--no-env-probe|-E**\ + + Normally, \ **cifs.upcall**\ will probe the environment variable space of + the process that initiated the upcall in order to fetch the value of + \ ``$KRB5CCNAME``\ . This can assist the program with finding credential + caches in non-default locations. If this option is set, then the + program won't do this and will rely on finding credcaches in the + default locations specified in \ *krb5.conf*\ . Note that this is never + performed when the uid is 0. The default credcache location is always + used when the uid is 0, regardless of the environment variable setting + in the process. + + + +\ **--krb5conf|-k=/path/to/krb5.conf**\ + + This option allows administrators to set an alternate location for the + \ *krb5.conf*\ file that \ **cifs.upcall**\ will use. 
+ + + +\ **--keytab=|-K=/path/to/keytab**\ + + This option allows administrators to specify a keytab file to be + used. When a user has no credential cache already established, + \ **cifs.upcall**\ will attempt to use this keytab to acquire them. The + default is the system-wide keytab \ */etc/krb5.keytab*\ . + + + +\ **--trust-dns|-t**\ + + With krb5 upcalls, the name used as the host portion of the service + principal defaults to the hostname portion of the UNC. This option + allows the upcall program to reverse resolve the network address of + the server in order to get the hostname. + + This is less secure than not trusting DNS. When using this option, + it's possible that an attacker could get control of DNS and trick the + client into mounting a different server altogether. It's preferable to + instead add server principals to the KDC for every possible hostname, + but this option exists for cases where that isn't possible. The + default is to not trust reverse hostname lookups in this fashion. + + + +\ **--legacy-uid|-l**\ + + Traditionally, the kernel has sent only a single uid= parameter to the + upcall for the SPNEGO upcall that's used to determine what user's + credential cache to use. This parameter is affected by the \ **uid=**\ + mount option, which also governs the ownership of files on the mount. + + Newer kernels send a creduid= option as well, which contains what uid + it thinks actually owns the credentials that it's looking for. At + mount time, this is generally set to the real uid of the user doing + the mount. For multisession mounts, it's set to the fsuid of the mount + user. Set this option if you want cifs.upcall to use the older \ **uid=**\ + parameter instead of the creduid= parameter. + + + +\ **--version|-v**\ + + Print version number and exit. + + + + +************************ +CONFIGURATION FOR KEYCTL +************************ + + +\ **cifs.upcall**\ is designed to be called from the kernel via the +request-key callout program. 
This requires that request-key be told +where and how to call this program. The current \ **cifs.upcall**\ +program handles two different key types: + + +\ **cifs.spnego**\ + + This keytype is for retrieving kerberos session keys + + + +\ **dns_resolver**\ + + This key type is for resolving hostnames into IP addresses. Support + for this key type may eventually be deprecated (see below). + + To make this program useful for CIFS, you'll need to set up entries + for them in request-key.conf(5). Here's an example of an entry for + each key type: + + + .. code-block:: perl + + #OPERATION TYPE D C PROGRAM ARG1 ARG2... + #========= ============= = = ================================ + create cifs.spnego * * @sbindir@/cifs.upcall %k + create dns_resolver * * @sbindir@/cifs.upcall %k + + + See request-key.conf(5) for more info on each field. + + The keyutils package has also started including a dns_resolver + handling program as well that is preferred over the one in + \ **cifs.upcall.**\ If you are using a keyutils version equal to or + greater than 1.5, you should use \ ``key.dns_resolver``\ to handle the + \ ``dns_resolver``\ keytype instead of \ **cifs.upcall**\ . See + key.dns_resolver(8) for more info. + + + + +******** +SEE ALSO +******** + + +request-key.conf(5), mount.cifs(8), key.dns_resolver(8) + + +****** +AUTHOR +****** + + +Igor Mammedov wrote the cifs.upcall program. + +Jeff Layton authored this manpage. + +The maintainer of the Linux CIFS VFS is Steve French. + +The Linux CIFS Mailing list is the preferred place to ask questions +regarding these programs. + diff --git a/cifscreds.pod b/cifscreds.pod deleted file mode 100644 index c3bafb5..0000000 --- a/cifscreds.pod +++ /dev/null 
@@ -1,95 +0,0 @@ -# turn into a manpage with the following command: -# -# pod2man -s 1 -c '' -r '' --stderr cifscreds.pod > cifscreds.1 -# - -=head1 NAME - -cifscreds - manage NTLM credentials in kernel keyring - -=head1 SYNOPSIS - -cifscreds add|clear|clearall|update [-u username] [-d] host|domain - -=head1 DESCRIPTION - -The B<cifscreds> program is a tool for managing credentials (username -and password) for the purpose of establishing sessions in multiuser -mounts. - -When a cifs filesystem is mounted with the "multiuser" option, and does -not use krb5 authentication, it needs to be able to get the credentials -for each user from somewhere. The B<cifscreds> program is the tool used -to provide these credentials to the kernel. - -The first non-option argument to cifscreds is a command (see the -B<COMMANDS> section below). The second non-option argument is a hostname -or address, or an NT domain name. - -=head1 COMMANDS - -=over - -=item B<add> - -Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain. - -=item B<clear> - -Clear credentials for a particular host or domain from the kernel. - -=item B<clearall> - -Clear all cifs credentials from the kernel. - -=item B<update> - -Update stored credentials in the kernel with a new username and -password. - -=back - -=head1 OPTIONS - -=over - -=item B<-d>, B<--domain> - -The provided host/domain argument is a NT domainname. - -Ordinarily the second argument provided to cifscreds is treated as a -hostname or IP address. This option causes the cifscreds program to -treat that argument as an NT domainname instead. - -If there are not host specific credentials for the mounted server, then -the kernel will next look for a set of domain credentials equivalent to -the domain= option provided at mount time. - -=item B<-u>, B<--username> - -Ordinarily, the username is derived from the unix username of the user -adding the credentials. 
This option allows the user to substitute a -different username. - -=back - -=head1 NOTES - -The cifscreds utility requires a kernel built with support for the -B<login> key type. That key type was added in v3.3 in mainline Linux -kernels. - -Since B<cifscreds> adds keys to the session keyring, it is highly -recommended that one use B<pam_keyinit> to ensure that a session keyring -is established at login time. - -=head1 SEE ALSO - -pam_keyinit(8) - -=head1 AUTHORS - -The cifscreds program was originally developed by Igor Druzhinin -<jaxbrigs@gmail.com>. This manpage and a redesign of the code was done -by Jeff Layton <jlayton@samba.org>. - diff --git a/cifscreds.rst b/cifscreds.rst new file mode 100644 index 0000000..5c2a195 --- /dev/null +++ b/cifscreds.rst 
@@ -0,0 +1,129 @@ +========= +cifscreds +========= + +----------------------------------------- +manage NTLM credentials in kernel keyring +----------------------------------------- + +:Manual section: 1 + +******** +SYNOPSIS +******** + + +cifscreds add|clear|clearall|update [-u username] [-d] host|domain + + +*********** +DESCRIPTION +*********** + + +The \ **cifscreds**\ program is a tool for managing credentials (username +and password) for the purpose of establishing sessions in multiuser +mounts. + +When a cifs filesystem is mounted with the "multiuser" option, and does +not use krb5 authentication, it needs to be able to get the credentials +for each user from somewhere. The \ **cifscreds**\ program is the tool used +to provide these credentials to the kernel. + +The first non-option argument to cifscreds is a command (see the +\ **COMMANDS**\ section below). The second non-option argument is a hostname +or address, or an NT domain name. + + +******** +COMMANDS +******** + + + +\ **add**\ + + Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain. + + + +\ **clear**\ + + Clear credentials for a particular host or domain from the kernel. + + + +\ **clearall**\ + + Clear all cifs credentials from the kernel. + + + +\ **update**\ + + Update stored credentials in the kernel with a new username and + password. + + + + +******* +OPTIONS +******* + + + +\ **-d**\ , \ **--domain**\ + + The provided host/domain argument is a NT domainname. + + Ordinarily the second argument provided to cifscreds is treated as a + hostname or IP address. This option causes the cifscreds program to + treat that argument as an NT domainname instead. + + If there are not host specific credentials for the mounted server, then + the kernel will next look for a set of domain credentials equivalent to + the domain= option provided at mount time. 
+ + + +\ **-u**\ , \ **--username**\ + + Ordinarily, the username is derived from the unix username of the user + adding the credentials. This option allows the user to substitute a + different username. + + + + +***** +NOTES +***** + + +The cifscreds utility requires a kernel built with support for the +\ **login**\ key type. That key type was added in v3.3 in mainline Linux +kernels. + +Since \ **cifscreds**\ adds keys to the session keyring, it is highly +recommended that one use \ **pam_keyinit**\ to ensure that a session keyring +is established at login time. + + +******** +SEE ALSO +******** + + +pam_keyinit(8) + + +******* +AUTHORS +******* + + +The cifscreds program was originally developed by Igor Druzhinin +<jaxbrigs@gmail.com>. This manpage and a redesign of the code was done +by Jeff Layton <jlayton@samba.org>. + diff --git a/configure.ac b/configure.ac index 0e118a9..52b49a7 100644 --- a/configure.ac +++ b/configure.ac @@ -250,14 +250,14 @@ if test $enable_systemd != "no"; then AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd specific behavior for mount.cifs]) fi -# if docs are not disabled, check if pod2man is available +# if docs are not disabled, check if rst2man is available if test $enable_man != "no"; then - AC_CHECK_PROG(have_pod2man, pod2man, yes, no) - if test $have_pod2man = "no"; then + AC_CHECK_PROG(have_rst2man, rst2man, yes, no) + if test $have_rst2man = "no"; then if test $enable_man = "yes"; then - AC_MSG_ERROR([pod2man not found: cannot generate man pages, consider installing perl.]) + AC_MSG_ERROR([rst2man not found: cannot generate man pages, consider installing perl.]) else - AC_MSG_WARN([pod2man not found: cannot generate man pages, consider installing perl. Disabling man page generation.]) + AC_MSG_WARN([rst2man not found: cannot generate man pages, consider installing perl. Disabling man page generation.]) enable_man="no" fi else diff --git a/getcifsacl.pod.in b/getcifsacl.pod.in deleted file mode 100644 index 3099b6c..0000000 
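Review bot: Both diagnostics in the configure.ac hunk still end with "consider installing perl", which was the right hint for pod2man but not for rst2man, a tool that ships with Python docutils. Someone hitting the error would be sent to the wrong package. Reword both branches, e.g. `AC_MSG_ERROR([rst2man not found: cannot generate man pages, consider installing docutils.])` and the matching `AC_MSG_WARN`. The probe also accepts only the literal name `rst2man`, while some distributions install the script as `rst2man.py`, so checking both names with `AC_CHECK_PROGS` and substituting the result into Makefile.am would avoid man pages being disabled there. The `else` branch of this check continues outside the hunk.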
--- a/getcifsacl.pod.in +++ /dev/null @@ -1,60 +0,0 @@ -# turn into a manpage with the following command: -# -# pod2man -s 1 -u -c '' -r '' --stderr getcifsacl.pod getcifsacl.1 -# - -=head1 NAME - -getcifsacl - Userspace helper to display an ACL in a security descriptor for Common Internet File System (CIFS) - -=head1 SYNOPSIS - -getcifsacl [-v|-r] {file system object} - -=head1 DESCRIPTION - -This tool is part of the cifs-utils suite. - -getcifsacl is a userspace helper program for the Linux CIFS client -file system. It is intended to display a security descriptor including -ACL for a file system object. - -This program uses a plugin to handle the mapping of SIDs to user and -group names. F<@pluginpath@> should be a symlink that points to the -correct plugin to use. - -Fields of an ACE such |