1config CIFS
2	tristate "SMB3 and CIFS support (advanced network filesystem)"
3	depends on INET
4	select NLS
5	select CRYPTO
6	select CRYPTO_MD4
7	select CRYPTO_MD5
8	select CRYPTO_SHA256
9	select CRYPTO_SHA512
10	select CRYPTO_CMAC
11	select CRYPTO_HMAC
12	select CRYPTO_ARC4
13	select CRYPTO_AEAD2
14	select CRYPTO_CCM
15	select CRYPTO_ECB
16	select CRYPTO_AES
17	select CRYPTO_DES
18	help
19	  This is the client VFS module for the SMB3 family of NAS protocols,
20	  (including support for the most recent, most secure dialect SMB3.1.1)
21	  as well as for earlier dialects such as SMB2.1, SMB2 and the older
22	  Common Internet File System (CIFS) protocol.  CIFS was the successor
23	  to the original dialect, the Server Message Block (SMB) protocol, the
24	  native file sharing mechanism for most early PC operating systems.
25
26	  The SMB3 protocol is supported by most modern operating systems
27	  and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
28	  MacOS) and even in the cloud (e.g. Microsoft Azure).
29	  The older CIFS protocol was included in Windows NT4, 2000 and XP (and
30	  later) as well by Samba (which provides excellent CIFS and SMB3
31	  server support for Linux and many other operating systems). Use of
32	  dialects older than SMB2.1 is often discouraged on public networks.
33	  This module also provides limited support for OS/2 and Windows ME
34	  and similar very old servers.
35
36	  This module provides an advanced network file system client
37	  for mounting to SMB3 (and CIFS) compliant servers.  It includes
38	  support for DFS (hierarchical name space), secure per-user
39	  session establishment via Kerberos or NTLM or NTLMv2, RDMA
40	  (smbdirect), advanced security features, per-share encryption,
41	  directory leases, safe distributed caching (oplock), optional packet
42	  signing, Unicode and other internationalization improvements.
43
44	  In general, the default dialects, SMB3 and later, enable better
45	  performance, security and features, than would be possible with CIFS.
46	  Note that when mounting to Samba, due to the CIFS POSIX extensions,
47	  CIFS mounts can provide slightly better POSIX compatibility
48	  than SMB3 mounts. SMB2/SMB3 mount options are also
49	  slightly simpler (compared to CIFS) due to protocol improvements.
50
51	  If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.
52
53config CIFS_STATS2
54	bool "Extended statistics"
55	depends on CIFS
56	help
57	  Enabling this option will allow more detailed statistics on SMB
58	  request timing to be displayed in /proc/fs/cifs/DebugData and also
59	  allow optional logging of slow responses to dmesg (depending on the
60	  value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
61	  These additional statistics may have a minor effect on performance
62	  and memory utilization.
63
64	  Unless you are a developer or are doing network performance analysis
65	  or tuning, say N.
66
67config CIFS_ALLOW_INSECURE_LEGACY
68	bool "Support legacy servers which use less secure dialects"
69	depends on CIFS
70	default y
71	help
72	  Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
73	  additional security features, including protection against
74	  man-in-the-middle attacks and stronger crypto hashes, so the use
75	  of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
76
77	  Disabling this option prevents users from using vers=1.0 or vers=2.0
78	  on mounts with cifs.ko
79
80	  If unsure, say Y.
81
82config CIFS_WEAK_PW_HASH
83	bool "Support legacy servers which use weaker LANMAN security"
84	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
85	help
86	  Modern CIFS servers including Samba and most Windows versions
87	  (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
88	  security mechanisms. These hash the password more securely
89	  than the mechanisms used in the older LANMAN version of the
90	  SMB protocol but LANMAN based authentication is needed to
91	  establish sessions with some old SMB servers.
92
93	  Enabling this option allows the cifs module to mount to older
94	  LANMAN based servers such as OS/2 and Windows 95, but such
95	  mounts may be less secure than mounts using NTLM or more recent
96	  security mechanisms if you are on a public network.  Unless you
97	  have a need to access old SMB servers (and are on a private
98	  network) you probably want to say N.  Even if this support
99	  is enabled in the kernel build, LANMAN authentication will not be
100	  used automatically. At runtime LANMAN mounts are disabled but
101	  can be set to required (or optional) either in
102	  /proc/fs/cifs (see fs/cifs/README for more detail) or via an
103	  option on the mount command. This support is disabled by
104	  default in order to reduce the possibility of a downgrade
105	  attack.
106
107	  If unsure, say N.
108
109config CIFS_UPCALL
110	bool "Kerberos/SPNEGO advanced session setup"
111	depends on CIFS && KEYS
112	select DNS_RESOLVER
113	help
114	  Enables an upcall mechanism for CIFS which accesses userspace helper
115	  utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
116	  which are needed to mount to certain secure servers (for which more
117	  secure Kerberos authentication is required). If unsure, say Y.
118
119config CIFS_XATTR
120        bool "CIFS extended attributes"
121        depends on CIFS
122        help
123          Extended attributes are name:value pairs associated with inodes by
124          the kernel or by users (see the attr(5) manual page for details).
125          CIFS maps the name of extended attributes beginning with the user
126          namespace prefix to SMB/CIFS EAs.  EAs are stored on Windows
127          servers without the user namespace prefix, but their names are
128          seen by Linux cifs clients prefaced by the user namespace prefix.
129          The system namespace (used by some filesystems to store ACLs) is
130          not supported at this time.
131
132          If unsure, say Y.
133
134config CIFS_POSIX
135        bool "CIFS POSIX Extensions"
136        depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
137        help
138          Enabling this option will cause the cifs client to attempt to
139	  negotiate a newer dialect with servers, such as Samba 3.0.5
140	  or later, that optionally can handle more POSIX like (rather
141	  than Windows like) file behavior.  It also enables
142	  support for POSIX ACLs (getfacl and setfacl) to servers
143	  (such as Samba 3.10 and later) which can negotiate
144	  CIFS POSIX ACL support.  If unsure, say N.
145
146config CIFS_ACL
147	  bool "Provide CIFS ACL support"
148	  depends on CIFS_XATTR && KEYS
149	  help
150	    Allows fetching CIFS/NTFS ACL from the server.  The DACL blob
151	    is handed over to the application/caller.  See the man
152	    page for getcifsacl for more information.  If unsure, say Y.
153
154config CIFS_DEBUG
155	bool "Enable CIFS debugging routines"
156	default y
157	depends on CIFS
158	help
159	   Enabling this option adds helpful debugging messages to
160	   the cifs code which increases the size of the cifs module.
161	   If unsure, say Y.
162config CIFS_DEBUG2
163	bool "Enable additional CIFS debugging routines"
164	depends on CIFS_DEBUG
165	help
166	   Enabling this option adds a few more debugging routines
167	   to the cifs code which slightly increases the size of
168	   the cifs module and can cause additional logging of debug
169	   messages in some error paths, slowing performance. This
170	   option can be turned off unless you are debugging
171	   cifs problems.  If unsure, say N.
172
173config CIFS_DEBUG_DUMP_KEYS
174	bool "Dump encryption keys for offline decryption (Unsafe)"
175	depends on CIFS_DEBUG
176	help
177	   Enabling this will dump the encryption and decryption keys
178	   used to communicate on an encrypted share connection on the
179	   console. This allows Wireshark to decrypt and dissect
180	   encrypted network captures. Enable this carefully.
181	   If unsure, say N.
182
183config CIFS_DFS_UPCALL
184	  bool "DFS feature support"
185	  depends on CIFS && KEYS
186	  select DNS_RESOLVER
187	  help
188	    Distributed File System (DFS) support is used to access shares
189	    transparently in an enterprise name space, even if the share
190	    moves to a different server.  This feature also enables
191	    an upcall mechanism for CIFS which contacts userspace helper
192	    utilities to provide server name resolution (host names to
193	    IP addresses) which is needed for implicit mounts of DFS junction
194	    points. If unsure, say Y.
195
196config CIFS_NFSD_EXPORT
197	  bool "Allow nfsd to export CIFS file system"
198	  depends on CIFS && BROKEN
199	  help
200	   Allows NFS server to export a CIFS mounted share (nfsd over cifs)
201
202config CIFS_SMB_DIRECT
203	bool "SMB Direct support (Experimental)"
204	depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
205	help
206	  Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
207	  SMB Direct allows transferring SMB packets over RDMA. If unsure,
208	  say N.
209
210config CIFS_FSCACHE
211	  bool "Provide CIFS client caching support"
212	  depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
213	  help
214	    Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
215	    to be cached locally on disk through the general filesystem cache
216	    manager. If unsure, say N.
217
218