[PATCH 1/2] mount.cifs.rst: add missing reference for sssd

[PATCH 1/2] mount.cifs.rst: add missing reference for sssd

[Paulo Alcantara]

Reference sssd in mount.cifs(8) as it can be used instead of winbind
via cifs.idmap utility.  It's also enabled by default in most systems.

Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
 mount.cifs.rst | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/mount.cifs.rst b/mount.cifs.rst
index 9d4446f035b6..f0ddef97a0e8 100644
--- a/mount.cifs.rst
+++ b/mount.cifs.rst
@@ -761,10 +761,10 @@ specified in the following Microsoft TechNet document:
 In order to map SIDs to/from UIDs and GIDs, the following is required:
 
 - a kernel upcall to the ``cifs.idmap`` utility set up via request-key.conf(5)
-- winbind support configured via nsswitch.conf(5) and smb.conf(5)
+- winbind or sssd support configured via nsswitch.conf(5)
 
-Please refer to the respective manpages of cifs.idmap(8) and
-winbindd(8) for more information.
+Please refer to the respective manpages of cifs.idmap(8), winbindd(8)
+and sssd(8) for more information.
 
 Security descriptors for a file object can be retrieved and set
 directly using extended attribute named ``system.cifs_acl``. The
@@ -780,10 +780,10 @@ Some of the things to consider while using this mount option:
 - The mapping between a CIFS/NTFS ACL and POSIX file permission bits
   is imperfect and some ACL information may be lost in the
   translation.
-- If either upcall to cifs.idmap is not setup correctly or winbind is
-  not configured and running, ID mapping will fail. In that case uid
-  and gid will default to either to those values of the share or to
-  the values of uid and/or gid mount options if specified.
+- If either upcall to cifs.idmap is not setup correctly or winbind or
+  sssd is not configured and running, ID mapping will fail. In that
+  case uid and gid will default to either to those values of the share
+  or to the values of uid and/or gid mount options if specified.
 
 **********************************
 ACCESSING FILES WITH BACKUP INTENT
-- 
2.44.0

[PATCH 2/2] mount.cifs.rst: update section about xattr/acl support

[Paulo Alcantara]

Update section about required xattr/acl support for UID/GID mapping.

Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
 mount.cifs.rst | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/mount.cifs.rst b/mount.cifs.rst
index f0ddef97a0e8..bd39c165c130 100644
--- a/mount.cifs.rst
+++ b/mount.cifs.rst
@@ -321,11 +321,12 @@ soft
 noacl
   Do not allow POSIX ACL operations even if server would support them.
 
-  The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba
-  servers version 3.0.10 and later. Setting POSIX ACLs requires enabling
-  both ``CIFS_XATTR`` and then ``CIFS_POSIX`` support in the CIFS
-  configuration options when building the cifs module. POSIX ACL support
-  can be disabled on a per mount basis by specifying ``noacl`` on mount.
+  The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to
+  Samba servers version 3.0.10 and later. Setting POSIX ACLs requires
+  enabling both ``CONFIG_CIFS_XATTR`` and then ``CONFIG_CIFS_POSIX``
+  support in the CIFS configuration options when building the cifs
+  module. POSIX ACL support can be disabled on a per mount basis by
+  specifying ``noacl`` on mount.
 
 cifsacl
   This option is used to map CIFS/NTFS ACLs to/from Linux permission
@@ -750,8 +751,19 @@ bits, and POSIX ACL as user authentication model. This is the most
 common authentication model for CIFS servers and is the one used by
 Windows.
 
-Support for this requires both CIFS_XATTR and CIFS_ACL support in the
-CIFS configuration options when building the cifs module.
+Support for this requires cifs kernel module built with both
+``CONFIG_CIFS_XATTR`` and ``CONFIG_CIFS_ACL`` options enabled.  Since
+Linux 5.3, ``CONFIG_CIFS_ACL`` option no longer exists as CIFS/NTFS
+ACL support is always built into cifs kernel module.
+
+Most distribution kernels will already have those options enabled by
+default, but you can still check if they are enabled with::
+
+  cat /lib/modules/$(uname -r)/build/.config
+
+Alternatively, if kernel is configured with ``CONFIG_IKCONFIG_PROC``::
+
+  zcat /proc/config.gz
 
 A CIFS/NTFS ACL is mapped to file permission bits using an algorithm
 specified in the following Microsoft TechNet document:
-- 
2.44.0

Re: [PATCH 2/2] mount.cifs.rst: update section about xattr/acl support

[Steve French]

You can add my Reviewed-by: Steve French <stfrench@microsoft.com>

On Sun, Mar 10, 2024 at 8:24 PM Paulo Alcantara <pc@manguebit.com> wrote:
>
> Update section about required xattr/acl support for UID/GID mapping.
>
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> ---
>  mount.cifs.rst | 26 +++++++++++++++++++-------
>  1 file changed, 19 insertions(+), 7 deletions(-)
>
> diff --git a/mount.cifs.rst b/mount.cifs.rst
> index f0ddef97a0e8..bd39c165c130 100644
> --- a/mount.cifs.rst
> +++ b/mount.cifs.rst
> @@ -321,11 +321,12 @@ soft
>  noacl
>    Do not allow POSIX ACL operations even if server would support them.
>
> -  The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba
> -  servers version 3.0.10 and later. Setting POSIX ACLs requires enabling
> -  both ``CIFS_XATTR`` and then ``CIFS_POSIX`` support in the CIFS
> -  configuration options when building the cifs module. POSIX ACL support
> -  can be disabled on a per mount basis by specifying ``noacl`` on mount.
> +  The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to
> +  Samba servers version 3.0.10 and later. Setting POSIX ACLs requires
> +  enabling both ``CONFIG_CIFS_XATTR`` and then ``CONFIG_CIFS_POSIX``
> +  support in the CIFS configuration options when building the cifs
> +  module. POSIX ACL support can be disabled on a per mount basis by
> +  specifying ``noacl`` on mount.
>
>  cifsacl
>    This option is used to map CIFS/NTFS ACLs to/from Linux permission
> @@ -750,8 +751,19 @@ bits, and POSIX ACL as user authentication model. This is the most
>  common authentication model for CIFS servers and is the one used by
>  Windows.
>
> -Support for this requires both CIFS_XATTR and CIFS_ACL support in the
> -CIFS configuration options when building the cifs module.
> +Support for this requires cifs kernel module built with both
> +``CONFIG_CIFS_XATTR`` and ``CONFIG_CIFS_ACL`` options enabled.  Since
> +Linux 5.3, ``CONFIG_CIFS_ACL`` option no longer exists as CIFS/NTFS
> +ACL support is always built into cifs kernel module.
> +
> +Most distribution kernels will already have those options enabled by
> +default, but you can still check if they are enabled with::
> +
> +  cat /lib/modules/$(uname -r)/build/.config
> +
> +Alternatively, if kernel is configured with ``CONFIG_IKCONFIG_PROC``::
> +
> +  zcat /proc/config.gz
>
>  A CIFS/NTFS ACL is mapped to file permission bits using an algorithm
>  specified in the following Microsoft TechNet document:
> --
> 2.44.0
>
>


-- 
Thanks,

Steve

Re: [PATCH 1/2] mount.cifs.rst: add missing reference for sssd

[Steve French]

You can add
Reviewed-by: Steve French <stfrench@microsoft.com>

On Sun, Mar 10, 2024 at 8:24 PM Paulo Alcantara <pc@manguebit.com> wrote:
>
> Reference sssd in mount.cifs(8) as it can be used instead of winbind
> via cifs.idmap utility.  It's also enabled by default in most systems.
>
> Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
> ---
>  mount.cifs.rst | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/mount.cifs.rst b/mount.cifs.rst
> index 9d4446f035b6..f0ddef97a0e8 100644
> --- a/mount.cifs.rst
> +++ b/mount.cifs.rst
> @@ -761,10 +761,10 @@ specified in the following Microsoft TechNet document:
>  In order to map SIDs to/from UIDs and GIDs, the following is required:
>
>  - a kernel upcall to the ``cifs.idmap`` utility set up via request-key.conf(5)
> -- winbind support configured via nsswitch.conf(5) and smb.conf(5)
> +- winbind or sssd support configured via nsswitch.conf(5)
>
> -Please refer to the respective manpages of cifs.idmap(8) and
> -winbindd(8) for more information.
> +Please refer to the respective manpages of cifs.idmap(8), winbindd(8)
> +and sssd(8) for more information.
>
>  Security descriptors for a file object can be retrieved and set
>  directly using extended attribute named ``system.cifs_acl``. The
> @@ -780,10 +780,10 @@ Some of the things to consider while using this mount option:
>  - The mapping between a CIFS/NTFS ACL and POSIX file permission bits
>    is imperfect and some ACL information may be lost in the
>    translation.
> -- If either upcall to cifs.idmap is not setup correctly or winbind is
> -  not configured and running, ID mapping will fail. In that case uid
> -  and gid will default to either to those values of the share or to
> -  the values of uid and/or gid mount options if specified.
> +- If either upcall to cifs.idmap is not setup correctly or winbind or
> +  sssd is not configured and running, ID mapping will fail. In that
> +  case uid and gid will default to either to those values of the share
> +  or to the values of uid and/or gid mount options if specified.
>
>  **********************************
>  ACCESSING FILES WITH BACKUP INTENT
> --
> 2.44.0
>
>


-- 
Thanks,

Steve