cifs.upcall(8)
NAME
cifs.upcall - Userspace upcall helper for Common Internet File System
(CIFS)
SYNOPSIS
cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
[--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}
DESCRIPTION
This tool is part of the cifs-utils suite.
cifs.upcall is a userspace helper program for the linux CIFS client
filesystem. There are a number of activities that the kernel cannot
easily do itself. This program is a callout program that does these
things for the kernel and then returns the result.
cifs.upcall is generally intended to be run when the kernel calls
request-key(8) for a particular key type. While it can be run directly
from the command-line, its not generally intended to be run that way.
OPTIONS
-c
This option is deprecated and is currently ignored.
--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf
This option allows administrators to set an alternate location for
the krb5.conf file that cifs.upcall will use.
--keytab=/path/to/keytab|-K /path/to/keytab
This option allows administrators to specify a keytab file to be
used. When a user has no credential cache already established,
cifs.upcall will attempt to use this keytab to acquire them. The
default is the system-wide keytab /etc/krb5.keytab.
--trust-dns|-t
With krb5 upcalls, the name used as the host portion of the service
principal defaults to the hostname portion of the UNC. This option
allows the upcall program to reverse resolve the network address of
the server in order to get the hostname.
This is less secure than not trusting DNS. When using this option,
its possible that an attacker could get control of DNS and trick
the client into mounting a different server altogether. Its
preferable to instead add server principals to the KDC for every
possible hostname, but this option exists for cases where that
isnt possible. The default is to not trust reverse hostname
lookups in this fashion.
--legacy-uid|-l
Traditionally, the kernel has sent only a single uid= parameter to
the upcall for the SPNEGO upcall thats used to determine what
user's credential cache to use. This parameter is affected by the
uid= mount option, which also governs the ownership of files on the
mount.
Newer kernels send a creduid= option as well, which contains what
uid it thinks actually owns the credentials that its looking for.
At mount time, this is generally set to the real uid of the user
doing the mount. For multisession mounts, it's set to the fsuid of
the mount user. Set this option if you want cifs.upcall to use the
older uid= parameter instead of the creduid= parameter.
--version|-v
Print version number and exit.
CONFIGURATION FOR KEYCTL
cifs.upcall is designed to be called from the kernel via the
request-key callout program. This requires that request-key be told
where and how to call this program. The current cifs.upcall program
handles two different key types:
cifs.spnego
This keytype is for retrieving kerberos session keys
dns_resolver
This key type is for resolving hostnames into IP addresses. Support
for this key type may eventually be deprecated (see below).
To make this program useful for CIFS, youll need to set up entries for
them in request-key.conf(5). Heres an example of an entry for each key
type:
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
#========= ============= = = ================================
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
See request-key.conf(5) for more info on each field.
The keyutils package has also started including a dns_resolver handling
program as well that is preferred over the one in cifs.upcall. If you
are using a keyutils version equal to or greater than 1.5, you should
use key.dns_resolver to handle the dns_resolver keytype instead of
cifs.upcall. See key.dns_resolver(8) for more info.
SEE ALSO
request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
AUTHOR
Igor Mammedov wrote the cifs.upcall program.
Jeff Layton authored this manpage.
The maintainer of the Linux CIFS VFS is Steve French.
The Linux CIFS Mailing list is the preferred place to ask questions
regarding these programs.
Free and Open Source Software