[sfrench/cifs-2.6.git] / fs / cifs / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
config CIFS
        tristate "SMB3 and CIFS support (advanced network filesystem)"
        depends on INET
        select NLS
        select CRYPTO
        select CRYPTO_MD4
        select CRYPTO_MD5
        select CRYPTO_SHA256
        select CRYPTO_SHA512
        select CRYPTO_CMAC
        select CRYPTO_HMAC
        select CRYPTO_ARC4
        select CRYPTO_AEAD2
        select CRYPTO_CCM
        select CRYPTO_GCM
        select CRYPTO_ECB
        select CRYPTO_AES
        select CRYPTO_DES
        help
          This is the client VFS module for the SMB3 family of NAS protocols,
          (including support for the most recent, most secure dialect SMB3.1.1)
          as well as for earlier dialects such as SMB2.1, SMB2 and the older
          Common Internet File System (CIFS) protocol.  CIFS was the successor
          to the original dialect, the Server Message Block (SMB) protocol, the
          native file sharing mechanism for most early PC operating systems.

          The SMB3 protocol is supported by most modern operating systems
          and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
          MacOS) and even in the cloud (e.g. Microsoft Azure).
          The older CIFS protocol was included in Windows NT4, 2000 and XP (and
          later) as well by Samba (which provides excellent CIFS and SMB3
          server support for Linux and many other operating systems). Use of
          dialects older than SMB2.1 is often discouraged on public networks.
          This module also provides limited support for OS/2 and Windows ME
          and similar very old servers.

          This module provides an advanced network file system client
          for mounting to SMB3 (and CIFS) compliant servers.  It includes
          support for DFS (hierarchical name space), secure per-user
          session establishment via Kerberos or NTLM or NTLMv2, RDMA
          (smbdirect), advanced security features, per-share encryption,
          directory leases, safe distributed caching (oplock), optional packet
          signing, Unicode and other internationalization improvements.

          In general, the default dialects, SMB3 and later, enable better
          performance, security and features, than would be possible with CIFS.
          Note that when mounting to Samba, due to the CIFS POSIX extensions,
          CIFS mounts can provide slightly better POSIX compatibility
          than SMB3 mounts. SMB2/SMB3 mount options are also
          slightly simpler (compared to CIFS) due to protocol improvements.

          If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.

config CIFS_STATS2
        bool "Extended statistics"
        depends on CIFS
        help
          Enabling this option will allow more detailed statistics on SMB
          request timing to be displayed in /proc/fs/cifs/DebugData and also
          allow optional logging of slow responses to dmesg (depending on the
          value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
          These additional statistics may have a minor effect on performance
          and memory utilization.

          Unless you are a developer or are doing network performance analysis
          or tuning, say N.

config CIFS_ALLOW_INSECURE_LEGACY
        bool "Support legacy servers which use less secure dialects"
        depends on CIFS
        default y
        help
          Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
          additional security features, including protection against
          man-in-the-middle attacks and stronger crypto hashes, so the use
          of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.

          Disabling this option prevents users from using vers=1.0 or vers=2.0
          on mounts with cifs.ko

          If unsure, say Y.

config CIFS_WEAK_PW_HASH
        bool "Support legacy servers which use weaker LANMAN security"
        depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
        help
          Modern CIFS servers including Samba and most Windows versions
          (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
          security mechanisms. These hash the password more securely
          than the mechanisms used in the older LANMAN version of the
          SMB protocol but LANMAN based authentication is needed to
          establish sessions with some old SMB servers.

          Enabling this option allows the cifs module to mount to older
          LANMAN based servers such as OS/2 and Windows 95, but such
          mounts may be less secure than mounts using NTLM or more recent
          security mechanisms if you are on a public network.  Unless you
          have a need to access old SMB servers (and are on a private
          network) you probably want to say N.  Even if this support
          is enabled in the kernel build, LANMAN authentication will not be
          used automatically. At runtime LANMAN mounts are disabled but
          can be set to required (or optional) either in
          /proc/fs/cifs (see fs/cifs/README for more detail) or via an
          option on the mount command. This support is disabled by
          default in order to reduce the possibility of a downgrade
          attack.

          If unsure, say N.

config CIFS_UPCALL
        bool "Kerberos/SPNEGO advanced session setup"
        depends on CIFS && KEYS
        select DNS_RESOLVER
        help
          Enables an upcall mechanism for CIFS which accesses userspace helper
          utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
          which are needed to mount to certain secure servers (for which more
          secure Kerberos authentication is required). If unsure, say Y.

config CIFS_XATTR
        bool "CIFS extended attributes"
        depends on CIFS
        help
          Extended attributes are name:value pairs associated with inodes by
          the kernel or by users (see the attr(5) manual page for details).
          CIFS maps the name of extended attributes beginning with the user
          namespace prefix to SMB/CIFS EAs.  EAs are stored on Windows
          servers without the user namespace prefix, but their names are
          seen by Linux cifs clients prefaced by the user namespace prefix.
          The system namespace (used by some filesystems to store ACLs) is
          not supported at this time.

          If unsure, say Y.

config CIFS_POSIX
        bool "CIFS POSIX Extensions"
        depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
        help
          Enabling this option will cause the cifs client to attempt to
          negotiate a newer dialect with servers, such as Samba 3.0.5
          or later, that optionally can handle more POSIX like (rather
          than Windows like) file behavior.  It also enables
          support for POSIX ACLs (getfacl and setfacl) to servers
          (such as Samba 3.10 and later) which can negotiate
          CIFS POSIX ACL support.  If unsure, say N.

config CIFS_ACL
        bool "Provide CIFS ACL support"
        depends on CIFS_XATTR && KEYS
        help
          Allows fetching CIFS/NTFS ACL from the server.  The DACL blob
          is handed over to the application/caller.  See the man
          page for getcifsacl for more information.  If unsure, say Y.

config CIFS_DEBUG
        bool "Enable CIFS debugging routines"
        default y
        depends on CIFS
        help
          Enabling this option adds helpful debugging messages to
          the cifs code which increases the size of the cifs module.
          If unsure, say Y.

config CIFS_DEBUG2
        bool "Enable additional CIFS debugging routines"
        depends on CIFS_DEBUG
        help
          Enabling this option adds a few more debugging routines
          to the cifs code which slightly increases the size of
          the cifs module and can cause additional logging of debug
          messages in some error paths, slowing performance. This
          option can be turned off unless you are debugging
          cifs problems.  If unsure, say N.

config CIFS_DEBUG_DUMP_KEYS
        bool "Dump encryption keys for offline decryption (Unsafe)"
        depends on CIFS_DEBUG
        help
          Enabling this will dump the encryption and decryption keys
          used to communicate on an encrypted share connection on the
          console. This allows Wireshark to decrypt and dissect
          encrypted network captures. Enable this carefully.
          If unsure, say N.

config CIFS_DFS_UPCALL
        bool "DFS feature support"
        depends on CIFS && KEYS
        select DNS_RESOLVER
        help
          Distributed File System (DFS) support is used to access shares
          transparently in an enterprise name space, even if the share
          moves to a different server.  This feature also enables
          an upcall mechanism for CIFS which contacts userspace helper
          utilities to provide server name resolution (host names to
          IP addresses) which is needed in order to reconnect to
          servers if their addresses change or for implicit mounts of
          DFS junction points. If unsure, say Y.

config CIFS_NFSD_EXPORT
        bool "Allow nfsd to export CIFS file system"
        depends on CIFS && BROKEN
        help
          Allows NFS server to export a CIFS mounted share (nfsd over cifs)

config CIFS_SMB_DIRECT
        bool "SMB Direct support (Experimental)"
        depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
        help
          Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
          SMB Direct allows transferring SMB packets over RDMA. If unsure,
          say N.

config CIFS_FSCACHE
        bool "Provide CIFS client caching support"
        depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
        help
          Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
          to be cached locally on disk through the general filesystem cache
          manager. If unsure, say N.