Packages and Binaries:
cifs-utils
The SMB/CIFS protocol provides support for cross-platform file sharing with Microsoft Windows, OS X, and other Unix systems.
This package provides utilities for managing mounts of CIFS network file systems.
Installed size: 316 KB
How to install: sudo apt install cifs-utils
Dependencies:
- libc6
- libcap-ng0
- libgssapi-krb5-2
- libkeyutils1
- libkrb5-3
- libpam0g
- libtalloc2
- libwbclient0
- python3
cifs.idmap
Userspace helper for mapping ids for Common Internet File System (CIFS)
root@kali:~# cifs.idmap -h
Usage: cifs.idmap [-h] [-v] [-t timeout] key_serial
cifs.upcall
Userspace upcall helper for Common Internet File System (CIFS)
root@kali:~# man cifs.upcall
CIFS.UPCALL(8) System Manager's Manual CIFS.UPCALL(8)
NAME
cifs.upcall - Userspace upcall helper for Common Internet File System
(CIFS)
SYNOPSIS
cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
[--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e
nsecs] {keyid}
DESCRIPTION
This tool is part of the cifs-utils suite.
cifs.upcall is a userspace helper program for the linux CIFS client
filesystem. There are a number of activities that the kernel cannot eas-
ily do itself. This program is a callout program that does these things
for the kernel and then returns the result.
cifs.upcall is generally intended to be run when the kernel calls re-
quest-key(8) for a particular key type. While it can be run directly
from the command-line, it's not generally intended to be run that way.
OPTIONS
-c This option is deprecated and is currently ignored.
--no-env-probe|-E
Normally, cifs.upcall will probe the environment variable space
of the process that initiated the upcall in order to fetch the
value of $KRB5CCNAME. This can assist the program with finding
credential caches in non-default locations. If this option is
set, then the program won't do this and will rely on finding
credcaches in the default locations specified in krb5.conf. Note
that this is never performed when the uid is 0. The default cred-
cache location is always used when the uid is 0, regardless of
the environment variable setting in the process.
--krb5conf|-k=/path/to/krb5.conf
This option allows administrators to set an alternate location
for the krb5.conf file that cifs.upcall will use.
--keytab=|-K=/path/to/keytab
This option allows administrators to specify a keytab file to be
used. When a user has no credential cache already established,
cifs.upcall will attempt to use this keytab to acquire them. The
default is the system-wide keytab /etc/krb5.keytab.
--trust-dns|-t
With krb5 upcalls, the name used as the host portion of the ser-
vice principal defaults to the hostname portion of the UNC. This
option allows the upcall program to reverse resolve the network
address of the server in order to get the hostname.
This is less secure than not trusting DNS. When using this op-
tion, it's possible that an attacker could get control of DNS and
trick the client into mounting a different server altogether.
It's preferable to instead add server principals to the KDC for
every possible hostname, but this option exists for cases where
that isn't possible. The default is to not trust reverse hostname
lookups in this fashion.
--legacy-uid|-l
Traditionally, the kernel has sent only a single uid= parameter
to the upcall for the SPNEGO upcall that's used to determine what
user's credential cache to use. This parameter is affected by
the uid= mount option, which also governs the ownership of files
on the mount.
Newer kernels send a creduid= option as well, which contains what
uid it thinks actually owns the credentials that it's looking
for. At mount time, this is generally set to the real uid of the
user doing the mount. For multisession mounts, it's set to the
fsuid of the mount user. Set this option if you want cifs.upcall
to use the older uid= parameter instead of the creduid= parame-
ter.
--expire|-e
Override default timeout value (600 seconds) for dns_resolver
key.
--version|-v
Print version number and exit.
ENVIRONMENT VARIABLES
GSS_USE_PROXY="yes"
Enable usage of gssproxy for credential retrieval. This includes
keytab based client initiation as well as (Resource Based) Con-
strained Delegation. See gssproxy-mech(8).
CONFIGURATION FOR KEYCTL
cifs.upcall is designed to be called from the kernel via the request-key
callout program. This requires that request-key be told where and how to
call this program. The current cifs.upcall program handles two differ-
ent key types:
cifs.spnego
This keytype is for retrieving kerberos session keys
dns_resolver
This key type is for resolving hostnames into IP addresses. Sup-
port for this key type may eventually be deprecated (see below).
To make this program useful for CIFS, you'll need to set up en-
tries for them in request-key.conf(5). Here's an example of an
entry for each key type:
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
#========= ============= = = ================================
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
See request-key.conf(5) for more info on each field.
The keyutils package has also started including a dns_resolver
handling program as well that is preferred over the one in
cifs.upcall. If you are using a keyutils version equal to or
greater than 1.5, you should use key.dns_resolver to handle the
dns_resolver keytype instead of cifs.upcall. See key.dns_re-
solver(8) for more info.
SEE ALSO
request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
AUTHOR
Igor Mammedov wrote the cifs.upcall program.
Jeff Layton authored this manpage.
The maintainer of the Linux CIFS VFS is Steve French.
The Linux CIFS Mailing list is the preferred place to ask questions re-
garding these programs.
CIFS.UPCALL(8)
cifscreds
Manage NTLM credentials in kernel keyring
root@kali:~# cifscreds -h
cifscreds: invalid option -- 'h'
Usage:
cifscreds add [-u username] [-d] <host|domain>
cifscreds clear [-u username] [-d] <host|domain>
cifscreds clearall
cifscreds update [-u username] [-d] <host|domain>
getcifsacl
Userspace helper to display an ACL in a security descriptor for Common Internet File System (CIFS)
root@kali:~# getcifsacl --help
getcifsacl: invalid option -- '-'
getcifsacl: Display CIFS/NTFS ACL in a security descriptor of a file object
Usage: getcifsacl [option] <file_name1> [<file_name2>,<file_name3>,...]
Valid options:
-h Display this help text
-v Version of the program
-R recurse into subdirectories
-r Display raw values of the ACE fields
Refer to getcifsacl(1) manpage for details
mount.cifs
Mount using the Common Internet File System (CIFS)
root@kali:~# mount.cifs -h
Usage: mount.cifs <remotetarget> <dir> -o <options>
Mount the remote target, specified as a UNC name, to a local directory.
Options:
user=<arg>
pass=<arg>
dom=<arg>
Less commonly used options:
credentials=<filename>,guest,perm,noperm,setuids,nosetuids,rw,ro,
sep=<char>,iocharset=<codepage>,suid,nosuid,exec,noexec,serverino,
noserverino,mapchars,nomapchars,nolock,servernetbiosname=<SRV_RFC1001NAME>
cache=<strict|none|loose>,nounix,cifsacl,sec=<authentication mechanism>,
sign,seal,fsc,snapshot=<token|time>,nosharesock,persistenthandles,
resilienthandles,rdma,vers=<smb_dialect>,cruid
Options not needed for servers supporting CIFS Unix extensions
(e.g. unneeded for mounts to most Samba versions):
uid=<uid>,gid=<gid>,dir_mode=<mode>,file_mode=<mode>,sfu,
mfsymlinks,idsfromsid
Rarely used options:
port=<tcpport>,rsize=<size>,wsize=<size>,unc=<unc_name>,ip=<ip_address>,
dev,nodev,nouser_xattr,netbiosname=<OUR_RFC1001NAME>,hard,soft,intr,
nointr,ignorecase,noposixpaths,noacl,prefixpath=<path>,nobrl,
echo_interval=<seconds>,actimeo=<seconds>,max_credits=<credits>,
bsize=<size>
Options are described in more detail in the manual page
man 8 mount.cifs
To display the version number of the mount helper:
mount.cifs -V
mount.smb3
Mount using the Common Internet File System (CIFS)
root@kali:~# mount.smb3 -h
Usage: mount.smb3 <remotetarget> <dir> -o <options>
Mount the remote target, specified as a UNC name, to a local directory.
Options:
user=<arg>
pass=<arg>
dom=<arg>
Less commonly used options:
credentials=<filename>,guest,perm,noperm,setuids,nosetuids,rw,ro,
sep=<char>,iocharset=<codepage>,suid,nosuid,exec,noexec,serverino,
noserverino,mapchars,nomapchars,nolock,servernetbiosname=<SRV_RFC1001NAME>
cache=<strict|none|loose>,nounix,cifsacl,sec=<authentication mechanism>,
sign,seal,fsc,snapshot=<token|time>,nosharesock,persistenthandles,
resilienthandles,rdma,vers=<smb_dialect>,cruid
Options not needed for servers supporting CIFS Unix extensions
(e.g. unneeded for mounts to most Samba versions):
uid=<uid>,gid=<gid>,dir_mode=<mode>,file_mode=<mode>,sfu,
mfsymlinks,idsfromsid
Rarely used options:
port=<tcpport>,rsize=<size>,wsize=<size>,unc=<unc_name>,ip=<ip_address>,
dev,nodev,nouser_xattr,netbiosname=<OUR_RFC1001NAME>,hard,soft,intr,
nointr,ignorecase,noposixpaths,noacl,prefixpath=<path>,nobrl,
echo_interval=<seconds>,actimeo=<seconds>,max_credits=<credits>,
bsize=<size>
Options are described in more detail in the manual page
man 8 mount.smb3
To display the version number of the mount helper:
mount.smb3 -V
setcifsacl
Userspace helper to alter components of a security descriptor for Common Internet File System (CIFS)
root@kali:~# setcifsacl -h
setcifsacl: Alter components of CIFS/NTFS security descriptor of a file object
Usage: setcifsacl option [<list_of_ACEs>|<SID>] <file_name>
Valid options:
-v Version of the program
-U Used in combination with -a, -D, -M, -S in order to
apply the actions to SALC (aUdit ACL); if not specified,
the actions apply to DACL
-a Add ACE(s), separated by a comma, to an ACL
setcifsacl -a "ACL:Administrator:ALLOWED/0x0/FULL" <file_name>
-A Add ACE(s) and reorder, separated by a comma, to an ACL
setcifsacl -A "ACL:Administrator:ALLOWED/0x0/FULL" <file_name>
-D Delete ACE(s), separated by a comma, from an ACL
setcifsacl -D "ACL:Administrator:DENIED/0x0/D" <file_name>
-M Modify ACE(s), separated by a comma, in an ACL
setcifsacl -M "ACL:user1:ALLOWED/0x0/0x1e01ff" <file_name>
-S Replace existing ACL with ACE(s), separated by a comma
setcifsacl -S "ACL:Administrator:ALLOWED/0x0/D" <file_name>
-o Set owner using specified SID (name or raw format)
setcifsacl -o "Administrator" <file_name>
-g Set group using specified SID (name or raw format)
setcifsacl -g "Administrators" <file_name>
Refer to setcifsacl(1) manpage for details
smb2-quota
Userspace helper to display quota information for the Linux SMB client file system (CIFS)
root@kali:~# smb2-quota -h
usage: smb2-quota [-h] [-t] [-c] [-l] <filename>
Please specify an action to perform.
positional arguments:
<filename> filename on a share
options:
-h, --help show this help message and exit
-t, --tabular print quota information in tabular format
-c, --csv print quota information in csv format
-l, --list print quota information in list format
smbinfo
Userspace helper to display SMB-specific file information for the Linux SMB client file system (CIFS)
root@kali:~# smbinfo -h
usage: smbinfo [-h] [-V]
{fileaccessinfo,filealigninfo,fileallinfo,filebasicinfo,fileeainfo,filefsfullsizeinfo,fileinternalinfo,filemodeinfo,filepositioninfo,filestandardinfo,filestreaminfo,fsctl-getobjid,getcompression,setcompression,list-snapshots,quota,secdesc,keys}
...
Display SMB-specific file information using cifs IOCTL
positional arguments:
{fileaccessinfo,filealigninfo,fileallinfo,filebasicinfo,fileeainfo,filefsfullsizeinfo,fileinternalinfo,filemodeinfo,filepositioninfo,filestandardinfo,filestreaminfo,fsctl-getobjid,getcompression,setcompression,list-snapshots,quota,secdesc,keys}
sub-commands help
fileaccessinfo Prints FileAccessInfo for a cifs file
filealigninfo Prints FileAlignInfo for a cifs file
fileallinfo Prints FileAllInfo for a cifs file
filebasicinfo Prints FileBasicInfo for a cifs file
fileeainfo Prints FileEAInfo for a cifs file
filefsfullsizeinfo Prints FileFsFullSizeInfo for a cifs file
fileinternalinfo Prints FileInternalInfo for a cifs file
filemodeinfo Prints FileModeInfo for a cifs file
filepositioninfo Prints FilePositionInfo for a cifs file
filestandardinfo Prints FileStandardInfo for a cifs file
filestreaminfo Prints FileStreamInfo for a cifs file
fsctl-getobjid Prints the objectid of the file and GUID of the
underlying volume.
getcompression Prints the compression setting for the file
setcompression Sets the compression level for the file
list-snapshots List the previous versions of the volume that backs
this file
quota Prints the quota for a cifs file
secdesc Prints the security descriptor for a cifs file
keys Prints the decryption information needed to view
encrypted network traces
options:
-h, --help show this help message and exit
-V, --verbose verbose output
Updated on: 2024-Aug-06