CIFS.IDMAP(8) System Administration tools CIFS.IDMAP(8)NAME
cifs.idmap - Userspace helper for mapping ids for Common Internet File System (CIFS)
SYNOPSIS
cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid}
DESCRIPTION
This tool is part of the cifs-utils suite.
cifs.idmap is a userspace helper program for the linux CIFS client filesystem. There are a number of activities that the kernel cannot
easily do itself. This program is a callout program that does these things for the kernel and then returns the result.
cifs.idmap is generally intended to be run when the kernel calls request-key(8) for a particular key type. While it can be run directly
from the command-line, it is not generally intended to be run that way.
This program is only called if a share is mounted with the cifsacl mount option. The kernel will only upcall to do this conversion if that
mount option is specified.
cifs.idmap relies on a plugin to handle the ID mapping. If it can't find the plugin then it will not work properly. The plugin (or a
symlink to it) must be at /etc/cifs-utils/idmap-plugin.
In the case where cifs.idmap or the plugin are unavailable, file objects in a mounted share are assigned uid and gid of the credentials of
the process that mounted the share. It is strongly recomemended to use mount options of uid and gid to specify a default uid and gid to map
owner SIDs and group SIDs in this situation.
OPTIONS
--help|-h
Print the usage message and exit.
--timeout|-t
Set the expiration timer, in seconds on the key. The default is 600 seconds (10 minutes). Setting this to 0 will cause the key to never
expire.
--version|-v
Print version number and exit.
CONFIGURATION FOR KEYCTL
cifs.idmap is designed to be called from the kernel via the request-key callout program. This requires that request-key be told where and
how to call this program. Currently cifs.idmap handles a key type of:
cifs.idmap
This keytype is for mapping a SID to either an uid or a gid
To make this program useful for CIFS, you will need to set up entry for it in request-key.conf(5). Here is an example of an entry for this
key type:
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
#========= ============= = = ================================
create cifs.idmap * * /usr/sbin/cifs.idmap %k
See request-key.conf(5) for more info on each field.
NOTES
Support for upcalls to cifs.idmap was initially introduced in the 3.0 kernel.
SEE ALSO request-key.conf(5), mount.cifs(8)AUTHOR
Shirish Pargaonkar wrote the cifs.idmap program.
The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs.
cifs-utils 05/26/2011 CIFS.IDMAP(8)
Check Out this Related Man Page
SETCIFSACL(1) CIFS Access Control List Tools SETCIFSACL(1)NAME
setcifsacl - Userspace helper to alter an ACL in a security descriptor for Common Internet File System (CIFS)
SYNOPSIS
setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object}
DESCRIPTION
This tool is part of the cifs-utils suite.
setcifsacl is a userspace helper program for the Linux CIFS client file system. It is intended to alter an ACL of a security descriptor
for a file system object. It is best utilized when an option of cifsacl is specified when mounting a cifs share in conjunction with
winbind facility of Samba suite. Whether a security descriptor to be set is applied or not is determined by the CIFS/SMB server.
OPTIONS -v
Print version number and exit.
-a
Add one or more ACEs to an ACL of a security descriptor. An ACE is added even if the same ACE exists in the ACL.
-D
Delete one or more ACEs from an ACL of a security descriptor. Entire ACE has to match in an existing ACL for the listed ACEs to be
deleted.
-M
Modify one or more ACEs from an ACL of a security descriptor. SID and type are used to match for existing ACEs to be modified with the
list of ACEs specified.
-S
Set an ACL of security descriptor with the list of ACEs Existing ACL is replaced entirely with the specified ACEs.
Every ACE entry starts with "ACL:" One or more ACEs are specified within double quotes. Multiple ACEs are separated by a comma.
Following fields of an ACE can be modified with possible values:
SID: Either a name or a raw SID value.
type: ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6)
flags: OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or 0x4), INHERIT_ONLY_FLAG (IO or
0x8), INHERITED_ACE_FLAG (IA or 0x10) or a combination/OR of these values.
mask: Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value
EXAMPLES
Add an ACE
setcifsacl -a "ACL:CIFSTESTDOMuser2:DENIED/0x1/D" <file_name> setcifsacl -a "ACL:CIFSTESTDOMuser1:ALLOWED/OI|CI|NI/D" <file_name>
Delete an ACE
setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>
Modify an ACE
setcifsacl -M "ACL:CIFSTESTDOMuser1:ALLOWED/0x1f/CHANGE" <file_name>
Set an ACL
setcifsacl -S "ACL:CIFSTESTDOMAdministrator:0x0/0x0/FULL,
ACL:CIFSTESTDOMuser2:0x0/0x0/FULL," <file_name>
NOTES
Kernel support for getcifsacl/setcifsacl utilities was initially introduced in the 2.6.37 kernel.
SEE ALSO mount.cifs(8), winbindd(8), getcifsacl(1)AUTHOR
Shirish Pargaonkar wrote the setcifsacl program.
The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs.
cifs-utils 08/19/2011 SETCIFSACL(1)