Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

cifs.upcall(8) [suse man page]

CIFS.UPCALL(8)						    System Administration tools 					    CIFS.UPCALL(8)

NAME

       cifs.upcall - Userspace upcall helper for Common Internet File System (CIFS)

SYNOPSIS

       cifs.upcall [--trust-dns|-t] [--version|-v] {keyid}

DESCRIPTION

       This tool is part of the cifs-utils suite.

       cifs.upcall is a userspace helper program for the linux CIFS client filesystem. There are a number of activities that the kernel cannot
       easily do itself. This program is a callout program that does these things for the kernel and then returns the result.

       cifs.upcall is generally intended to be run when the kernel calls request-key(8) for a particular key type. While it can be run directly
       from the command-line, it's not generally intended to be run that way.

OPTIONS

       -c
	   This option is deprecated and is currently ignored.

       --trust-dns|-t
	   With krb5 upcalls, the name used as the host portion of the service principal defaults to the hostname portion of the UNC. This option
	   allows the upcall program to reverse resolve the network address of the server in order to get the hostname.

	   This is less secure than not trusting DNS. When using this option, it's possible that an attacker could get control of DNS and trick
	   the client into mounting a different server altogether. It's preferable to instead add server principals to the KDC for every possible
	   hostname, but this option exists for cases where that isn't possible. The default is to not trust reverse hostname lookups in this
	   fashion.

       --version|-v
	   Print version number and exit.

CONFIGURATION FOR KEYCTL

       cifs.upcall is designed to be called from the kernel via the request-key callout program. This requires that request-key be told where and
       how to call this program. The current cifs.upcall program handles two different key types:

       cifs.spnego
	   This keytype is for retrieving kerberos session keys

       dns_resolver
	   This key type is for resolving hostnames into IP addresses

       To make this program useful for CIFS, you'll need to set up entries for them in request-key.conf(5). Here's an example of an entry for each
       key type:

	   #OPERATION  TYPE	      D C PROGRAM ARG1 ARG2...
	   #=========  =============  = = ================================
	   create      cifs.spnego    * * /usr/local/sbin/cifs.upcall %k
	   create      dns_resolver   * * /usr/local/sbin/cifs.upcall %k

       See request-key.conf5() for more info on each field.

SEE ALSO

       request-key.conf(5), mount.cifs(8)

AUTHOR

       Igor Mammedov wrote the cifs.upcall program.

       Jeff Layton authored this manpage.

       The maintainer of the Linux CIFS VFS is Steve French.

       The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs.

cifs-utils 4.0							    02/07/2010							    CIFS.UPCALL(8)

Check Out this Related Man Page

SETCIFSACL(1)						  CIFS Access Control List Tools					     SETCIFSACL(1)

NAME

       setcifsacl - Userspace helper to alter an ACL in a security descriptor for Common Internet File System (CIFS)

SYNOPSIS

       setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object}

DESCRIPTION

       This tool is part of the cifs-utils suite.

       setcifsacl is a userspace helper program for the Linux CIFS client file system.	It is intended to alter an ACL of a security descriptor
       for a file system object.  It is best utilized when an option of cifsacl is specified when mounting a cifs share in conjunction with
       winbind facility of Samba suite.  Whether a security descriptor to be set is applied or not is determined by the CIFS/SMB server.

OPTIONS

       -v
	   Print version number and exit.
       -a
	   Add one or more ACEs to an ACL of a security descriptor.  An ACE is added even if the same ACE exists in the ACL.
       -D
	   Delete one or more ACEs from an ACL of a security descriptor.  Entire ACE has to match in an existing ACL for the listed ACEs to be
	   deleted.
       -M
	   Modify one or more ACEs from an ACL of a security descriptor.  SID and type are used to match for existing ACEs to be modified with the
	   list of ACEs specified.
       -S
	   Set an ACL of security descriptor with the list of ACEs Existing ACL is replaced entirely with the specified ACEs.

       Every ACE entry starts with "ACL:" One or more ACEs are specified within double quotes.	Multiple ACEs are separated by a comma.

       Following fields of an ACE can be modified with possible values:

       SID: Either a name or a raw SID value.

       type: ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6)

       flags: OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or 0x4), INHERIT_ONLY_FLAG (IO or
       0x8), INHERITED_ACE_FLAG (IA or 0x10) or a combination/OR of these values.

       mask: Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value

EXAMPLES

       Add an ACE
       setcifsacl -a "ACL:CIFSTESTDOMuser2:DENIED/0x1/D" <file_name> setcifsacl -a "ACL:CIFSTESTDOMuser1:ALLOWED/OI|CI|NI/D" <file_name>

       Delete an ACE
       setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name>

       Modify an ACE
       setcifsacl -M "ACL:CIFSTESTDOMuser1:ALLOWED/0x1f/CHANGE" <file_name>

       Set an ACL
       setcifsacl -S "ACL:CIFSTESTDOMAdministrator:0x0/0x0/FULL,
       ACL:CIFSTESTDOMuser2:0x0/0x0/FULL," <file_name>

NOTES

       Kernel support for getcifsacl/setcifsacl utilities was initially introduced in the 2.6.37 kernel.

SEE ALSO

       mount.cifs(8), winbindd(8), getcifsacl(1)

AUTHOR

       Shirish Pargaonkar wrote the setcifsacl program.

       The Linux CIFS Mailing list is the preferred place to ask questions regarding these programs.

cifs-utils							    08/19/2011							     SETCIFSACL(1)
Man Page