Both patches look fine - can add my Reviewed-by if desired

Reviewed-by: Steve French <smfrench@xxxxxxxxx>

On Tue, May 15, 2018 at 4:05 AM, Aurelien Aptel <aaptel@xxxxxxxx> wrote:
> Signed-off-by: Aurelien Aptel <aaptel@xxxxxxxx>
> ---
> cifs.idmap.rst.in | 71 ++++++-------------
> cifs.upcall.rst.in | 200 ++++++++++++++++++++---------------------------------
> cifscreds.rst | 92 ++++++++----------------
> getcifsacl.rst.in | 40 +++--------
> idmapwb.rst.in | 19 +++--
> mount.cifs.rst | 9 ++-
> pam_cifscreds.rst | 61 +++++-----------
> setcifsacl.rst.in | 143 ++++++++++----------------------------
> 8 files changed, 201 insertions(+), 434 deletions(-)
>
> diff --git a/cifs.idmap.rst.in b/cifs.idmap.rst.in
> index 91b585e..60d7f0a 100644
> --- a/cifs.idmap.rst.in
> +++ b/cifs.idmap.rst.in
> @@ -11,124 +11,93 @@ Userspace helper for mapping ids for Common Internet File System (CIFS) > SYNOPSIS > ******** > > - > -cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} > - > + cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -\ **cifs.idmap**\ is a userspace helper program for the linux CIFS client > +``cifs.idmap`` is a userspace helper program for the linux CIFS client > filesystem. There are a number of activities that the kernel cannot > easily do itself. This program is a callout program that does these > things for the kernel and then returns the result. > > -\ **cifs.idmap**\ is generally intended to be run when the kernel calls > +``cifs.idmap`` is generally intended to be run when the kernel calls > request-key(8) for a particular key type. While it can be run > directly from the command-line, it is not generally intended to be run > that way. > > -This program is only called if a share is mounted with the \ **cifsacl**\ > +This program is only called if a share is mounted with the ``cifsacl`` > mount option. The kernel will only upcall to do this conversion if > that mount option is specified. > > -\ **cifs.idmap**\ relies on a plugin to handle the ID mapping. If it can't > +``cifs.idmap`` relies on a plugin to handle the ID mapping. If it can't > find the plugin then it will not work properly. The plugin (or a > symlink to it) must be at @pluginpath@. > > -In the case where \ **cifs.idmap**\ or the plugin are unavailable, file > +In the case where ``cifs.idmap`` or the plugin are unavailable, file > objects in a mounted share are assigned uid and gid of the credentials > of the process that mounted the share. It is strongly recomemended to > use mount options of uid and gid to specify a default uid and gid to > map owner SIDs and group SIDs in this situation. 
> > - > ******* > OPTIONS > ******* > > +--help|-h > + Print the usage message and exit. > > +--timeout|-t > + Set the expiration timer, in seconds on the key. The default is 600 > + seconds (10 minutes). Setting this to 0 will cause the key to never > + expire. > > -\ **--help|-h**\ > - > - Print the usage message and exit. > - > - > - > -\ **--timeout|-t**\ > - > - Set the expiration timer, in seconds on the key. The default is 600 > - seconds (10 minutes). Setting this to 0 will cause the key to never > - expire. > - > - > - > -\ **--version|-v**\ > - > - Print version number and exit. > - > - > - > +--version|-v > + Print version number and exit. > > ************************ > CONFIGURATION FOR KEYCTL > ************************ > > - > -\ **cifs.idmap**\ is designed to be called from the kernel via the > +``cifs.idmap`` is designed to be called from the kernel via the > request-key callout program. This requires that request-key be told > -where and how to call this program. Currently \ **cifs.idmap**\ handles a > -key type of: > +where and how to call this program. Currently ``cifs.idmap`` handles a > +key type of:: > > + cifs.idmap > > -\ **cifs.idmap**\ > - > - This keytype is for mapping a SID to either an uid or a gid > - > - > +This keytype is for mapping a SID to either an uid or a gid. > > To make this program useful for CIFS, you will need to set up entry for it in > -request-key.conf(5). Here is an example of an entry for this key type: > - > - > -.. code-block:: perl > +request-key.conf(5). Here is an example of an entry for this key type:: > > #OPERATION TYPE D C PROGRAM ARG1 ARG2... > #========= ============= = = ================================ > create cifs.idmap * * @sbindir@/cifs.idmap %k > > - > See request-key.conf(5) for more info on each field. > > - > ***** > NOTES > ***** > > - > Support for upcalls to cifs.idmap was initially introduced in the 3.0 > kernel. 
> > - > ******** > SEE ALSO > ******** > > - > request-key.conf(5), mount.cifs(8) > > - > ****** > AUTHOR > ****** > > - > Shirish Pargaonkar wrote the cifs.idmap program. > > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. > - > diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in > index 8f4ee62..1b8df3f 100644 > --- a/cifs.upcall.rst.in > +++ b/cifs.upcall.rst.in 
> @@ -7,178 +7,131 @@ Userspace upcall helper for Common Internet File System (CIFS) > -------------------------------------------------------------- > :Manual section: 8 > > - > ******** > SYNOPSIS > ******** > > -.. code-block:: perl > - > - cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] > - [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] > - [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} > - > - > + cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] > + [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] > + [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -\ **cifs.upcall**\ is a userspace helper program for the linux CIFS client > +``cifs.upcall`` is a userspace helper program for the linux CIFS client > filesystem. There are a number of activities that the kernel cannot > easily do itself. This program is a callout program that does these > things for the kernel and then returns the result. > > -\ **cifs.upcall**\ is generally intended to be run when the kernel calls > +``cifs.upcall`` is generally intended to be run when the kernel calls > request-key(8) for a particular key type. While it can be run > directly from the command-line, it's not generally intended to be run > that way. > > - > ******* > OPTIONS > ******* > > - > - > -\ **-c**\ > - > - This option is deprecated and is currently ignored. > - > - > - > -\ **--no-env-probe|-E**\ > - > - Normally, \ **cifs.upcall**\ will probe the environment variable space of > - the process that initiated the upcall in order to fetch the value of > - \ ``$KRB5CCNAME``\ . This can assist the program with finding credential > - caches in non-default locations. If this option is set, then the > - program won't do this and will rely on finding credcaches in the > - default locations specified in \ *krb5.conf*\ . Note that this is never > - performed when the uid is 0. 
The default credcache location is always > - used when the uid is 0, regardless of the environment variable setting > - in the process. > - > - > - > -\ **--krb5conf|-k=/path/to/krb5.conf**\ > - > - This option allows administrators to set an alternate location for the > - \ *krb5.conf*\ file that \ **cifs.upcall**\ will use. > - > - > - > -\ **--keytab=|-K=/path/to/keytab**\ > - > - This option allows administrators to specify a keytab file to be > - used. When a user has no credential cache already established, > - \ **cifs.upcall**\ will attempt to use this keytab to acquire them. The > - default is the system-wide keytab \ */etc/krb5.keytab*\ . > - > - > - > -\ **--trust-dns|-t**\ > - > - With krb5 upcalls, the name used as the host portion of the service > - principal defaults to the hostname portion of the UNC. This option > - allows the upcall program to reverse resolve the network address of > - the server in order to get the hostname. > - > - This is less secure than not trusting DNS. When using this option, > - it's possible that an attacker could get control of DNS and trick the > - client into mounting a different server altogether. It's preferable to > - instead add server principals to the KDC for every possible hostname, > - but this option exists for cases where that isn't possible. The > - default is to not trust reverse hostname lookups in this fashion. > - > - > - > -\ **--legacy-uid|-l**\ > - > - Traditionally, the kernel has sent only a single uid= parameter to the > - upcall for the SPNEGO upcall that's used to determine what user's > - credential cache to use. This parameter is affected by the \ **uid=**\ > - mount option, which also governs the ownership of files on the mount. > - > - Newer kernels send a creduid= option as well, which contains what uid > - it thinks actually owns the credentials that it's looking for. At > - mount time, this is generally set to the real uid of the user doing > - the mount. 
For multisession mounts, it's set to the fsuid of the mount > - user. Set this option if you want cifs.upcall to use the older \ **uid=**\ > - parameter instead of the creduid= parameter. > - > - > - > -\ **--version|-v**\ > - > - Print version number and exit. > - > - > - > +-c > + This option is deprecated and is currently ignored. > + > +--no-env-probe|-E > + Normally, ``cifs.upcall`` will probe the environment variable space of > + the process that initiated the upcall in order to fetch the value of > + ``$KRB5CCNAME``. This can assist the program with finding credential > + caches in non-default locations. If this option is set, then the > + program won't do this and will rely on finding credcaches in the > + default locations specified in *krb5.conf*. Note that this is never > + performed when the uid is 0. The default credcache location is always > + used when the uid is 0, regardless of the environment variable setting > + in the process. > + > +--krb5conf|-k=/path/to/krb5.conf > + This option allows administrators to set an alternate location for the > + *krb5.conf* file that ``cifs.upcall`` will use. > + > +--keytab=|-K=/path/to/keytab > + This option allows administrators to specify a keytab file to be > + used. When a user has no credential cache already established, > + ``cifs.upcall`` will attempt to use this keytab to acquire them. The > + default is the system-wide keytab */etc/krb5.keytab*. > + > +--trust-dns|-t > + With krb5 upcalls, the name used as the host portion of the service > + principal defaults to the hostname portion of the UNC. This option > + allows the upcall program to reverse resolve the network address of > + the server in order to get the hostname. > + > + This is less secure than not trusting DNS. When using this option, > + it's possible that an attacker could get control of DNS and trick the > + client into mounting a different server altogether. 
It's preferable to > + instead add server principals to the KDC for every possible hostname, > + but this option exists for cases where that isn't possible. The > + default is to not trust reverse hostname lookups in this fashion. > + > +--legacy-uid|-l > + Traditionally, the kernel has sent only a single uid= parameter to the > + upcall for the SPNEGO upcall that's used to determine what user's > + credential cache to use. This parameter is affected by the uid= > + mount option, which also governs the ownership of files on the mount. > + > + Newer kernels send a creduid= option as well, which contains what uid > + it thinks actually owns the credentials that it's looking for. At > + mount time, this is generally set to the real uid of the user doing > + the mount. For multisession mounts, it's set to the fsuid of the mount > + user. Set this option if you want cifs.upcall to use the older uid= > + parameter instead of the creduid= parameter. > + > +--version|-v > + Print version number and exit. > > ************************ > CONFIGURATION FOR KEYCTL > ************************ > > - > -\ **cifs.upcall**\ is designed to be called from the kernel via the > +``cifs.upcall`` is designed to be called from the kernel via the > request-key callout program. This requires that request-key be told > -where and how to call this program. The current \ **cifs.upcall**\ > +where and how to call this program. The current ``cifs.upcall`` > program handles two different key types: > > +cifs.spnego > + This keytype is for retrieving kerberos session keys > + > +dns_resolver > + This key type is for resolving hostnames into IP addresses. Support > + for this key type may eventually be deprecated (see below). > + > + To make this program useful for CIFS, you'll need to set up entries > + for them in request-key.conf(5). 
Here's an example of an entry for > + each key type:: > > -\ **cifs.spnego**\ > - > - This keytype is for retrieving kerberos session keys > - > - > - > -\ **dns_resolver**\ > - > - This key type is for resolving hostnames into IP addresses. Support > - for this key type may eventually be deprecated (see below). > - > - To make this program useful for CIFS, you'll need to set up entries > - for them in request-key.conf(5). Here's an example of an entry for > - each key type: > - > - > - .. code-block:: perl > - > #OPERATION TYPE D C PROGRAM ARG1 ARG2... > #========= ============= = = ================================ > create cifs.spnego * * @sbindir@/cifs.upcall %k > create dns_resolver * * @sbindir@/cifs.upcall %k > - > - > - See request-key.conf(5) for more info on each field. > - > - The keyutils package has also started including a dns_resolver > - handling program as well that is preferred over the one in > - \ **cifs.upcall.**\ If you are using a keyutils version equal to or > - greater than 1.5, you should use \ ``key.dns_resolver``\ to handle the > - \ ``dns_resolver``\ keytype instead of \ **cifs.upcall**\ . See > - key.dns_resolver(8) for more info. > - > > + See request-key.conf(5) for more info on each field. > > + The keyutils package has also started including a dns_resolver > + handling program as well that is preferred over the one in > + ``cifs.upcall``. If you are using a keyutils version equal to or > + greater than 1.5, you should use ``key.dns_resolver`` to handle the > + ``dns_resolver`` keytype instead of ``cifs.upcall``. See > + key.dns_resolver(8) for more info. > > ******** > SEE ALSO > ******** > > - > request-key.conf(5), mount.cifs(8), key.dns_resolver(8) > > - > ****** > AUTHOR > ****** > > - > Igor Mammedov wrote the cifs.upcall program. > > Jeff Layton authored this manpage. 
> @@ -187,4 +140,3 @@ The maintainer of the Linux CIFS VFS is Steve French. > > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. > - > diff --git a/cifscreds.rst b/cifscreds.rst > index 5c2a195..a6676cb 100644 > --- a/cifscreds.rst > +++ b/cifscreds.rst 
> @@ -5,125 +5,91 @@ cifscreds > ----------------------------------------- > manage NTLM credentials in kernel keyring > ----------------------------------------- > - > :Manual section: 1 > > ******** > SYNOPSIS > ******** > > - > -cifscreds add|clear|clearall|update [-u username] [-d] host|domain > - > + cifscreds add|clear|clearall|update [-u username] [-d] host|domain > > *********** > DESCRIPTION > *********** > > - > -The \ **cifscreds**\ program is a tool for managing credentials (username > +The ``cifscreds`` program is a tool for managing credentials (username > and password) for the purpose of establishing sessions in multiuser > mounts. > > When a cifs filesystem is mounted with the "multiuser" option, and does > not use krb5 authentication, it needs to be able to get the credentials > -for each user from somewhere. The \ **cifscreds**\ program is the tool used > +for each user from somewhere. The ``cifscreds`` program is the tool used > to provide these credentials to the kernel. > > The first non-option argument to cifscreds is a command (see the > -\ **COMMANDS**\ section below). The second non-option argument is a hostname > +`COMMANDS`_ section below). The second non-option argument is a hostname > or address, or an NT domain name. > > - > ******** > COMMANDS > ******** > > +add > + Add credentials to the kernel to be used for connecting to the given > + server, or servers in the given domain. > > +clear > + Clear credentials for a particular host or domain from the kernel. > > -\ **add**\ > - > - Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain. > - > - > - > -\ **clear**\ > - > - Clear credentials for a particular host or domain from the kernel. > - > - > - > -\ **clearall**\ > - > - Clear all cifs credentials from the kernel. > - > - > - > -\ **update**\ > - > - Update stored credentials in the kernel with a new username and > - password. 
> - > - > +clearall > + Clear all cifs credentials from the kernel. > > +update > + Update stored credentials in the kernel with a new username and > + password. > > ******* > OPTIONS > ******* > > +-d, --domain > + The provided host/domain argument is a NT domainname. > > + Ordinarily the second argument provided to cifscreds is treated as a > + hostname or IP address. This option causes the cifscreds program to > + treat that argument as an NT domainname instead. > > -\ **-d**\ , \ **--domain**\ > - > - The provided host/domain argument is a NT domainname. > - > - Ordinarily the second argument provided to cifscreds is treated as a > - hostname or IP address. This option causes the cifscreds program to > - treat that argument as an NT domainname instead. > - > - If there are not host specific credentials for the mounted server, then > - the kernel will next look for a set of domain credentials equivalent to > - the domain= option provided at mount time. > - > - > - > -\ **-u**\ , \ **--username**\ > - > - Ordinarily, the username is derived from the unix username of the user > - adding the credentials. This option allows the user to substitute a > - different username. > - > - > + If there are not host specific credentials for the mounted server, then > + the kernel will next look for a set of domain credentials equivalent to > + the domain= option provided at mount time. > > +-u, --username > + Ordinarily, the username is derived from the unix username of the user > + adding the credentials. This option allows the user to substitute a > + different username. > > ***** > NOTES > ***** > > - > The cifscreds utility requires a kernel built with support for the > -\ **login**\ key type. That key type was added in v3.3 in mainline Linux > +``login`` key type. That key type was added in v3.3 in mainline Linux > kernels. 
> > -Since \ **cifscreds**\ adds keys to the session keyring, it is highly > -recommended that one use \ **pam_keyinit**\ to ensure that a session keyring > +Since ``cifscreds`` adds keys to the session keyring, it is highly > +recommended that one use ``pam_keyinit`` to ensure that a session keyring > is established at login time. > > - > ******** > SEE ALSO > ******** > > - > pam_keyinit(8) > > - > ******* > AUTHORS > ******* > > - > The cifscreds program was originally developed by Igor Druzhinin > <jaxbrigs@xxxxxxxxx>. This manpage and a redesign of the code was done > by Jeff Layton <jlayton@xxxxxxxxx>. > - > diff --git a/getcifsacl.rst.in b/getcifsacl.rst.in > index 42af258..21a10cd 100644 > --- a/getcifsacl.rst.in > +++ b/getcifsacl.rst.in 
> @@ -7,80 +7,60 @@ Userspace helper to display an ACL in a security descriptor for Common Internet > -------------------------------------------------------------------------------------------------- > :Manual section: 1 > > - > ******** > SYNOPSIS > ******** > > - > -getcifsacl [-v|-r] {file system object} > - > + getcifsacl [-v|-r] {file system object} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -getcifsacl is a userspace helper program for the Linux CIFS client > +``getcifsacl`` is a userspace helper program for the Linux CIFS client > file system. It is intended to display a security descriptor including > ACL for a file system object. > > This program uses a plugin to handle the mapping of SIDs to user and > -group names. \ *@pluginpath@*\ should be a symlink that points to the > +group names. *@pluginpath@* should be a symlink that points to the > correct plugin to use. > > Fields of an ACE such as SID, type, flags, and mask are displayed > -separated by /. Numeric values of type, flags, and mask are displayed > +separated by /. Numeric values of type, flags, and mask are displayed > in hexadecimal format. > > - > ******* > OPTIONS > ******* > > +-v > + Print version number and exit. > > - > -\ **-v**\ > - > - Print version number and exit. > - > - > - > -\ **-r**\ > - > - Display a security descriptor in raw mode. Values such as type and > - flags are displayed in hexadecimal format, a SID is not mapped to a > - name. > - > - > - > +-r > + Display a security descriptor in raw mode. Values such as type and > + flags are displayed in hexadecimal format, a SID is not mapped to a > + name. > > ***** > NOTES > ***** > > - > Kernel support for getcifsacl/setcifsacl utilities was initially > introduced in the 2.6.37 kernel. > > - > ******** > SEE ALSO > ******** > > - > mount.cifs(8), setcifsacl(1) > > - > ****** > AUTHOR > ****** > > - > Shirish Pargaonkar wrote the getcifsacl program. 
> > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. > - > diff --git a/idmapwb.rst.in b/idmapwb.rst.in > index 4d7fd62..c03e4ca 100644 > --- a/idmapwb.rst.in > +++ b/idmapwb.rst.in > @@ -7,31 +7,28 @@ winbind ID mapping plugin for cifs-utils > ---------------------------------------- > :Manual section: 8 > > - > *********** > DESCRIPTION > *********** > > - > This plugin allows the utilities in cifs-utils to work in conjuction with > the winbind facility of Samba suite. It handles several functions including > mapping UID and GID to SIDs and vice versa. > > Utilities are usually configured to use the correct plugin by creating a > -symlink at @pluginpath@ that points to the correct plugin that you wish > +symlink at *@pluginpath@* that points to the correct plugin that you wish > to use. > > -This plugin requires that \ **winbindd(8)**\ be properly configured and running. > +This plugin requires that winbindd(8) be properly configured and running. > > - > -******************************************************************************* > +******** > SEE ALSO > -******************************************************************************* > -getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) > - > +******** > > +getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) > > -***************************************************************** > +****** > AUTHOR > -***************************************************************** > +****** > + > idmapwb.so was written by Jeff Layton <jlayton@xxxxxxxxx> > diff --git a/mount.cifs.rst b/mount.cifs.rst > index a81c6c4..c0f0bdb 100644 > --- a/mount.cifs.rst > +++ b/mount.cifs.rst > @@ -47,7 +47,6 @@ unmounted (usually via the ``umount`` utility). > OPTIONS > ******* > > - > username=arg|user=arg > specifies the username to connect as. If this is not > given, then the environment variable USER is used. 
> @@ -84,9 +83,9 @@ credentials=filename|cred=filename > password=value > domain=value > > - This is preferred over having passwords in plaintext in a shared file, > - such as ``/etc/fstab`` . Be sure to protect any credentials file > - properly. > + This is preferred over having passwords in plaintext in a shared file, > + such as */etc/fstab* . Be sure to protect any credentials file > + properly. > > uid=arg > sets the uid that will own all files or directories on the mounted > @@ -558,7 +557,7 @@ It's generally preferred to use forward slashes (/) as a delimiter in > service names. They are considered to be the "universal delimiter" > since they are generally not allowed to be embedded within path > components on Windows machines and the client can convert them to > -backslashes (\) unconditionally. Conversely, backslash characters are > +backslashes (\\) unconditionally. Conversely, backslash characters are > allowed by POSIX to be part of a path component, and can't be > automatically converted in the same way. > > diff --git a/pam_cifscreds.rst b/pam_cifscreds.rst > index 8e8308c..4e89bfd 100644 > --- a/pam_cifscreds.rst > +++ b/pam_cifscreds.rst 
> @@ -7,110 +7,83 @@ PAM module to manage NTLM credentials in kernel keyring > ------------------------------------------------------- > :Manual section: 8 > > - > ******** > SYNOPSIS > ******** > > - > Edit the PAM configuration files for the systems that you want to > -automatically register NTLM credentials for, e.g. /etc/pam.d/login, > -and modify as follows: > - > - > -.. code-block:: perl > +automatically register NTLM credentials for, e.g. */etc/pam.d/login*, > +and modify as follows:: > > ... > auth substack system-auth > +++ auth optional pam_cifscreds.so > auth include postlogin > ... > - > + > ... > session include system-auth > +++ session optional pam_cifscreds.so domain=DOMAIN > session include postlogin > ... > > - > Change DOMAIN to the name of you Windows domain, or use host= as > described below. > > - > *********** > DESCRIPTION > *********** > > - > -The \ **pam_cifscreds**\ PAM module is a tool for automatically adding > +The ``pam_cifscreds`` PAM module is a tool for automatically adding > credentials (username and password) for the purpose of establishing > sessions in multiuser mounts. > > When a cifs filesystem is mounted with the "multiuser" option, and does > not use krb5 authentication, it needs to be able to get the credentials > -for each user from somewhere. The \ **pam_cifscreds**\ module can be used > +for each user from somewhere. The ``pam_cifscreds`` module can be used > to provide these credentials to the kernel automatically at login. > > In the session section of the PAM configuration file, the module can > either an NT domain name or a list of hostname or addresses. > > - > ******* > OPTIONS > ******* > > +``pam_cifscreds`` supports a couple options which can be set in the PAM > +configuration files. You must have one (and only one) of ``domain=`` or > +``host=``. > > -\ **pam_cifscreds**\ supports a couple options which can be set in the PAM > -configuration files. You must have one (and only one) of domain= or > -host=. 
> - > - > -\ **debug**\ > - > - Turns on some extra debug logging. > - > - > - > -\ **domain**\ =<NT domain name> > - > - Credentials will be added for the specified NT domain name. > - > - > - > -\ **host**\ =<hostname or IP address>[,...] > - > - Credentials will be added for the specified hostnames or IP addresses. > - > +debug > + Turns on some extra debug logging. > > +domain=<NT domain name> > + Credentials will be added for the specified NT domain name. > > +host=<hostname or IP address>[,...] > + Credentials will be added for the specified hostnames or IP addresses. > > ***** > NOTES > ***** > > - > The pam_cifscreds PAM module requires a kernel built with support for > -the \ **login**\ key type. That key type was added in v3.3 in mainline Linux > +the ``login`` key type. That key type was added in v3.3 in mainline Linux > kernels. > > -Since \ **pam_cifscreds**\ adds keys to the session keyring, it is highly > -recommended that one use \ **pam_keyinit**\ to ensure that a session keyring > +Since ``pam_cifscreds`` adds keys to the session keyring, it is highly > +recommended that one use ``pam_keyinit`` to ensure that a session keyring > is established at login time. > > - > ******** > SEE ALSO > ******** > > - > cifscreds(1), pam_keyinit(8) > > - > ****** > AUTHOR > ****** > > - > The pam_cifscreds PAM module was developed by Orion Poplawski > <orion@xxxxxxxx>. > - > diff --git a/setcifsacl.rst.in b/setcifsacl.rst.in > index ea981e2..de9c758 100644 > --- a/setcifsacl.rst.in > +++ b/setcifsacl.rst.in 
> @@ -7,179 +7,110 @@ Userspace helper to alter an ACL in a security descriptor for Common Internet Fi > ------------------------------------------------------------------------------------------------ > :Manual section: 1 > > - > ******** > SYNOPSIS > ******** > > - > -setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} > - > + setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} > > *********** > DESCRIPTION > *********** > > - > This tool is part of the cifs-utils suite. > > -\ **setcifsacl**\ is a userspace helper program for the Linux CIFS client > -file system. It is intended to alter an ACL of a security descriptor > -for a file system object. Whether a security descriptor to be set is > +``setcifsacl`` is a userspace helper program for the Linux CIFS client > +file system. It is intended to alter an ACL of a security descriptor > +for a file system object. Whether a security descriptor to be set is > applied or not is determined by the CIFS/SMB server. > > This program uses a plugin to handle the mapping of user and group > -names to SIDs. ``@pluginpath@`` should be a symlink that points to the > +names to SIDs. *@pluginpath@* should be a symlink that points to the > correct plugin to use. > > - > ******* > OPTIONS > ******* > > +-h > + Print usage message and exit. > > +-v > + Print version number and exit. > > -\ **-h**\ > - > - Print usage message and exit. > - > - > - > -\ **-v**\ > - > - Print version number and exit. > - > +-a > + Add one or more ACEs to an ACL of a security descriptor. An ACE is > + added even if the same ACE exists in the ACL. > > +-D > + Delete one or more ACEs from an ACL of a security descriptor. Entire > + ACE has to match in an existing ACL for the listed ACEs to be deleted. > > -\ **-a**\ > - > - Add one or more ACEs to an ACL of a security descriptor. An ACE is > - added even if the same ACE exists in the ACL. > - > +-M > + Modify one or more ACEs from an ACL of a security descriptor. 
SID and > + type are used to match for existing ACEs to be modified with the list > + of ACEs specified. > > +-S > + Set an ACL of security descriptor with the list of ACEs Existing ACL > + is replaced entirely with the specified ACEs. > > -\ **-D**\ > - > - Delete one or more ACEs from an ACL of a security descriptor. Entire > - ACE has to match in an existing ACL for the listed ACEs to be deleted. > - > - > - > -\ **-M**\ > - > - Modify one or more ACEs from an ACL of a security descriptor. SID and > - type are used to match for existing ACEs to be modified with the list > - of ACEs specified. > - > - > - > -\ **-S**\ > - > - Set an ACL of security descriptor with the list of ACEs Existing ACL > - is replaced entirely with the specified ACEs. > - > - Every ACE entry starts with "ACL:" One or more ACEs are specified > - within double quotes. Multiple ACEs are separated by a comma. > - > - Following fields of an ACE can be modified with possible values: > - > - > - \ **SID**\ - Either a name or a raw SID value. > - > - > - > - \ **type**\ - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) > - > - > - > - \ **flags**\ - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or > - 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10) > - or a combination/OR of these values. > - > - > - > - \ **mask**\ - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value > - > - > - > + Every ACE entry starts with "ACL:" One or more ACEs are specified > + within double quotes. Multiple ACEs are separated by a comma. > > + Following fields of an ACE can be modified with possible values: > > + - ``SID`` - Either a name or a raw SID value. 
> + - ``type`` - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) > + - ``flags`` - OBJECT_INHERIT_FLAG (OI or 0x1), > + CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI > + or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or > + 0x10) or a combination/OR of these values. > + - ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value. > > ******** > EXAMPLES > ******** > > - > Add an ACE > ========== > > - > - > -.. code-block:: perl > - > - setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name> > - setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name> > - > - > + setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name> > + setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" <file_name> > > Delete an ACE > ============= > > - > - > -.. code-block:: perl > - > - setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name> > - > - > + setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" <file_name> > > Modify an ACE > ============= > > - > - > -.. code-block:: perl > - > - setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name> > - > - > + setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" <file_name> > > Set an ACL > ========== > > - > - > -.. code-block:: perl > - > - setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name> > - > - > - > + setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" <file_name> > > ***** > NOTES > ***** > > - > Kernel support for getcifsacl/setcifsacl utilities was initially > introduced in the 2.6.37 kernel. > > - > ******** > SEE ALSO > ******** > > - > mount.cifs(8), getcifsacl(1) > > - > ****** > AUTHOR > ****** > > - > Shirish Pargaonkar wrote the setcifsacl program. > > The Linux CIFS Mailing list is the preferred place to ask questions > regarding these programs. 
> -
> --
> 2.13.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

-- 
Thanks,

Steve
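Review bot: in the cifs.idmap.rst.in DESCRIPTION hunk, the paragraph being rewritten to start `In the case where ``cifs.idmap`` or the plugin are unavailable, file` still carries the typo "recomemended" in its unchanged context line; since the paragraph is touched anyway, fix it to "recommended". In the same file, `--timeout|-t` is described as taking a value ("Set the expiration timer, in seconds on the key. The default is 600"), but neither the SYNOPSIS line `cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid}` nor the new option term shows that argument; something like `--timeout=<seconds>|-t <seconds>` would match the style the cifs.upcall synopsis already uses for `--krb5conf=`.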
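Review bot: in the cifs.upcall.rst.in OPTIONS hunk, the new definition-list terms `--krb5conf|-k=/path/to/krb5.conf` and `--keytab=|-K=/path/to/keytab` attach the `=` to the wrong alternative and disagree with the SYNOPSIS a few lines above, which reads `[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]` and `[--keytab=/path/to/keytab|-K /path/to/keytab]`. These lines are being rewritten, so make the terms follow the synopsis form, e.g. `--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf`.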
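Review bot: in the cifs.upcall.rst.in CONFIGURATION FOR KEYCTL hunk, the paragraph `To make this program useful for CIFS, you'll need to set up entries`, the request-key.conf example, `See request-key.conf(5) for more info on each field.` and the keyutils/`key.dns_resolver` paragraph are indented at the same level as the `dns_resolver` definition body, so they render as part of that single entry even though they apply to both key types (the example itself lists `create cifs.spnego` and `create dns_resolver`). Dedent them to column 0 after the definition list, as the cifs.idmap.rst.in hunk does for the equivalent "To make this program useful for CIFS" text.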
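Review bot: in the idmapwb.rst.in hunk, the context line `This plugin allows the utilities in cifs-utils to work in conjuction with` has the typo "conjuction"; worth correcting to "conjunction" while the file is being reflowed.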
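Review bot: in the pam_cifscreds.rst hunk, two context lines next to the rewritten ones are ungrammatical: `Change DOMAIN to the name of you Windows domain, or use host= as` should read "your", and `In the session section of the PAM configuration file, the module can` / `either an NT domain name or a list of hostname or addresses.` is missing its verb (the OPTIONS text below says the module is given one of `domain=` or `host=`, so "can be given either an NT domain name or a list of hostnames or addresses" fits). Since this file is being reflowed anyway, fix both here.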
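Review bot: in the setcifsacl.rst.in OPTIONS hunk, the block beginning `Every ACE entry starts with "ACL:" One or more ACEs are specified` and the ``SID``/``type``/``flags``/``mask`` list stay indented under `-S`, so the ACE syntax reads as if it applied only to `-S`, while `-a`, `-D` and `-M` take the same `ACL:<SID>:<type>/<flags>/<mask>` strings (as every EXAMPLES entry shows). Dedent that block to column 0 below the option list, or move it above it. Also, the new `-S` text `Set an ACL of security descriptor with the list of ACEs Existing ACL` is missing the period after "ACEs".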
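Review bot: in the setcifsacl.rst.in EXAMPLES hunk, dropping the `.. code-block:: perl` directives leaves lines such as `setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" <file_name>` as indented paragraphs directly under the headings, which reStructuredText parses as block quotes, not literal blocks. In body text a backslash is an escape character, so the rendered output would show `CIFSTESTDOMuser2` and lose exactly the domain separator the examples are meant to demonstrate. Introduce each example with a short line ending in `::` (the same fix this series applies to the request-key.conf snippets with `key type::`) or keep a `.. code-block::` directive. The dedented SYNOPSIS lines in the other files are block quotes for the same reason; nothing is mangled there, but a `::` would keep them monospace as pam_cifscreds.rst already does.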