Packages and Binaries:
cifs-utils
Common Internet File System utilities
The SMB/CIFS protocol provides support for cross-platform file sharing with
Microsoft Windows, OS X, and other Unix systems.
This package provides utilities for managing mounts of CIFS network file systems.
Installed size: 351 KB
How to install: sudo apt install cifs-utils
Dependencies:
- libc6
- libcap-ng0
- libgssapi-krb5-2
- libkeyutils1
- libkrb5-3
- libpam0g
- libtalloc2
- libwbclient0
- python3
cifs.idmap
Userspace helper for mapping ids for Common Internet File System (CIFS)
root@kali:~# cifs.idmap -h
Usage: cifs.idmap [-h] [-v] [-t timeout] key_serial
cifs.upcall
Userspace upcall helper for Common Internet File System (CIFS)
root@kali:~# man cifs.upcall
CIFS.UPCALL(8) System Manager's Manual CIFS.UPCALL(8)
NAME
cifs.upcall - Userspace upcall helper for Common Internet File System
(CIFS)
SYNOPSIS
cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
[--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e
nsecs] {keyid}
DESCRIPTION
This tool is part of the cifs-utils suite.
cifs.upcall is a userspace helper program for the linux CIFS client
filesystem. There are a number of activities that the kernel cannot easily
do itself. This program is a callout program that does these things for
the kernel and then returns the result.
cifs.upcall is generally intended to be run when the kernel calls re-
quest-key(8) for a particular key type. While it can be run directly from
the command-line, it's not generally intended to be run that way.
OPTIONS
-c This option is deprecated and is currently ignored.
--no-env-probe|-E
Normally, cifs.upcall will probe the environment variable space of
the process that initiated the upcall in order to fetch the value
of $KRB5CCNAME. This can assist the program with finding credential
caches in non-default locations. If this option is set, then the
program won't do this and will rely on finding credcaches in the
default locations specified in krb5.conf. Note that this is never
performed when the uid is 0. The default credcache location is al-
ways used when the uid is 0, regardless of the environment variable
setting in the process.
--krb5conf|-k=/path/to/krb5.conf
This option allows administrators to set an alternate location for
the krb5.conf file that cifs.upcall will use.
--keytab=|-K=/path/to/keytab
This option allows administrators to specify a keytab file to be
used. When a user has no credential cache already established,
cifs.upcall will attempt to use this keytab to acquire them. The
default is the system-wide keytab /etc/krb5.keytab.
--trust-dns|-t
With krb5 upcalls, the name used as the host portion of the service
principal defaults to the hostname portion of the UNC. This option
allows the upcall program to reverse resolve the network address of
the server in order to get the hostname.
This is less secure than not trusting DNS. When using this option,
it's possible that an attacker could get control of DNS and trick
the client into mounting a different server altogether. It's
preferable to instead add server principals to the KDC for every
possible hostname, but this option exists for cases where that
isn't possible. The default is to not trust reverse hostname
lookups in this fashion.
--legacy-uid|-l
Traditionally, the kernel has sent only a single uid= parameter to
the upcall for the SPNEGO upcall that's used to determine what
user's credential cache to use. This parameter is affected by the
uid= mount option, which also governs the ownership of files on the
mount.
Newer kernels send a creduid= option as well, which contains what
uid it thinks actually owns the credentials that it's looking for.
At mount time, this is generally set to the real uid of the user
doing the mount. For multisession mounts, it's set to the fsuid of
the mount user. Set this option if you want cifs.upcall to use the
older uid= parameter instead of the creduid= parameter.
--expire|-e
Override default timeout value (600 seconds) for dns_resolver key.
--version|-v
Print version number and exit.
ENVIRONMENT VARIABLES
GSS_USE_PROXY="yes"
Enable usage of gssproxy for credential retrieval. This includes
keytab based client initiation as well as (Resource Based) Con-
strained Delegation. See gssproxy-mech(8).
CONFIGURATION FOR KEYCTL
cifs.upcall is designed to be called from the kernel via the request-key
callout program. This requires that request-key be told where and how to
call this program. The current cifs.upcall program handles two different
key types:
cifs.spnego
This keytype is for retrieving kerberos session keys
dns_resolver
This key type is for resolving hostnames into IP addresses. Support
for this key type may eventually be deprecated (see below).
To make this program useful for CIFS, you'll need to set up entries
for them in request-key.conf(5). Here's an example of an entry for
each key type:
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
#========= ============= = = ================================
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
See request-key.conf(5) for more info on each field.
The keyutils package has also started including a dns_resolver han-
dling program as well that is preferred over the one in cifs.up-
call. If you are using a keyutils version equal to or greater than
1.5, you should use key.dns_resolver to handle the dns_resolver
keytype instead of cifs.upcall. See key.dns_resolver(8) for more
info.
SEE ALSO
request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
AUTHOR
Igor Mammedov wrote the cifs.upcall program.
Jeff Layton authored this manpage.
The maintainer of the Linux CIFS VFS is Steve French.
The Linux CIFS Mailing list is the preferred place to ask questions re-
garding these programs.
CIFS.UPCALL(8)
cifscreds
Manage NTLM credentials in kernel keyring
root@kali:~# cifscreds -h
cifscreds: invalid option -- 'h'
Usage:
cifscreds add [-u username] [-d] <host|domain> [-t timeout]
cifscreds clear [-u username] [-d] <host|domain>
cifscreds clearall
cifscreds update [-u username] [-d] <host|domain>
getcifsacl
Userspace helper to display an ACL in a security descriptor for Common Internet File System (CIFS)
root@kali:~# getcifsacl --help
getcifsacl: invalid option -- '-'
getcifsacl: Display CIFS/NTFS ACL in a security descriptor of a file object
Usage: getcifsacl [option] <file_name1> [<file_name2>,<file_name3>,...]
Valid options:
-h Display this help text
-v Version of the program
-R recurse into subdirectories
-r Display raw values of the ACE fields
Refer to getcifsacl(1) manpage for details
mount.cifs
Mount using the Common Internet File System (CIFS)
root@kali:~# mount.cifs -h
Usage: mount.cifs <remotetarget> <dir> -o <options>
Mount the remote target, specified as a UNC name, to a local directory.
Options:
user=<arg>
pass=<arg>
dom=<arg>
Less commonly used options:
credentials=<filename>,guest,perm,noperm,setuids,nosetuids,rw,ro,
sep=<char>,iocharset=<codepage>,suid,nosuid,exec,noexec,serverino,
noserverino,mapchars,nomapchars,nolock,servernetbiosname=<SRV_RFC1001NAME>
cache=<strict|none|loose>,nounix,cifsacl,sec=<authentication mechanism>,
sign,seal,fsc,snapshot=<token|time>,nosharesock,persistenthandles,
resilienthandles,rdma,vers=<smb_dialect>,cruid,password2=<alt password>
Options not needed for servers supporting CIFS Unix extensions
(e.g. unneeded for mounts to most Samba versions):
uid=<uid>,gid=<gid>,dir_mode=<mode>,file_mode=<mode>,sfu,
mfsymlinks,idsfromsid
Rarely used options:
port=<tcpport>,rsize=<size>,wsize=<size>,unc=<unc_name>,ip=<ip_address>,
dev,nodev,nouser_xattr,netbiosname=<OUR_RFC1001NAME>,hard,soft,intr,
nointr,ignorecase,noposixpaths,noacl,prefixpath=<path>,nobrl,
echo_interval=<seconds>,actimeo=<seconds>,max_credits=<credits>,
bsize=<size>
Options are described in more detail in the manual page
man 8 mount.cifs
To display the version number of the mount helper:
mount.cifs -V
mount.smb3
Mount using the Common Internet File System (CIFS)
root@kali:~# mount.smb3 -h
Usage: mount.smb3 <remotetarget> <dir> -o <options>
Mount the remote target, specified as a UNC name, to a local directory.
Options:
user=<arg>
pass=<arg>
dom=<arg>
Less commonly used options:
credentials=<filename>,guest,perm,noperm,setuids,nosetuids,rw,ro,
sep=<char>,iocharset=<codepage>,suid,nosuid,exec,noexec,serverino,
noserverino,mapchars,nomapchars,nolock,servernetbiosname=<SRV_RFC1001NAME>
cache=<strict|none|loose>,nounix,cifsacl,sec=<authentication mechanism>,
sign,seal,fsc,snapshot=<token|time>,nosharesock,persistenthandles,
resilienthandles,rdma,vers=<smb_dialect>,cruid,password2=<alt password>
Options not needed for servers supporting CIFS Unix extensions
(e.g. unneeded for mounts to most Samba versions):
uid=<uid>,gid=<gid>,dir_mode=<mode>,file_mode=<mode>,sfu,
mfsymlinks,idsfromsid
Rarely used options:
port=<tcpport>,rsize=<size>,wsize=<size>,unc=<unc_name>,ip=<ip_address>,
dev,nodev,nouser_xattr,netbiosname=<OUR_RFC1001NAME>,hard,soft,intr,
nointr,ignorecase,noposixpaths,noacl,prefixpath=<path>,nobrl,
echo_interval=<seconds>,actimeo=<seconds>,max_credits=<credits>,
bsize=<size>
Options are described in more detail in the manual page
man 8 mount.smb3
To display the version number of the mount helper:
mount.smb3 -V
setcifsacl
Userspace helper to alter components of a security descriptor for Common Internet File System (CIFS)
root@kali:~# setcifsacl -h
setcifsacl: Alter components of CIFS/NTFS security descriptor of a file object
Usage: setcifsacl option [<list_of_ACEs>|<SID>] <file_name>
Valid options:
-v Version of the program
-U Used in combination with -a, -D, -M, -S in order to
apply the actions to SALC (aUdit ACL); if not specified,
the actions apply to DACL
-a Add ACE(s), separated by a comma, to an ACL
setcifsacl -a "ACL:Administrator:ALLOWED/0x0/FULL" <file_name>
-A Add ACE(s) and reorder, separated by a comma, to an ACL
setcifsacl -A "ACL:Administrator:ALLOWED/0x0/FULL" <file_name>
-D Delete ACE(s), separated by a comma, from an ACL
setcifsacl -D "ACL:Administrator:DENIED/0x0/D" <file_name>
-M Modify ACE(s), separated by a comma, in an ACL
setcifsacl -M "ACL:user1:ALLOWED/0x0/0x1e01ff" <file_name>
-S Replace existing ACL with ACE(s), separated by a comma
setcifsacl -S "ACL:Administrator:ALLOWED/0x0/D" <file_name>
-o Set owner using specified SID (name or raw format)
setcifsacl -o "Administrator" <file_name>
-g Set group using specified SID (name or raw format)
setcifsacl -g "Administrators" <file_name>
Refer to setcifsacl(1) manpage for details
smb2-quota
Userspace helper to display quota information for the Linux SMB client file system (CIFS)
root@kali:~# smb2-quota -h
usage: smb2-quota [-h] [-t] [-c] [-l] <filename>
Please specify an action to perform.
positional arguments:
<filename> filename on a share
options:
-h, --help show this help message and exit
-t, --tabular print quota information in tabular format
-c, --csv print quota information in csv format
-l, --list print quota information in list format
smbinfo
Userspace helper to display SMB-specific file information for the Linux SMB client file system (CIFS)
root@kali:~# smbinfo -h
usage: smbinfo [-h] [-V]
{fileaccessinfo,filealigninfo,fileallinfo,filebasicinfo,fileeainfo,filefsfullsizeinfo,fileinternalinfo,filemodeinfo,filepositioninfo,filestandardinfo,filestreaminfo,fsctl-getobjid,getcompression,setcompression,list-snapshots,quota,secdesc,keys,gettconinfo} ...
Display SMB-specific file information using cifs IOCTL
positional arguments:
{fileaccessinfo,filealigninfo,fileallinfo,filebasicinfo,fileeainfo,filefsfullsizeinfo,fileinternalinfo,filemodeinfo,filepositioninfo,filestandardinfo,filestreaminfo,fsctl-getobjid,getcompression,setcompression,list-snapshots,quota,secdesc,keys,gettconinfo}
sub-commands help
fileaccessinfo Prints FileAccessInfo for a cifs file
filealigninfo Prints FileAlignInfo for a cifs file
fileallinfo Prints FileAllInfo for a cifs file
filebasicinfo Prints FileBasicInfo for a cifs file
fileeainfo Prints FileEAInfo for a cifs file
filefsfullsizeinfo Prints FileFsFullSizeInfo for a cifs file
fileinternalinfo Prints FileInternalInfo for a cifs file
filemodeinfo Prints FileModeInfo for a cifs file
filepositioninfo Prints FilePositionInfo for a cifs file
filestandardinfo Prints FileStandardInfo for a cifs file
filestreaminfo Prints FileStreamInfo for a cifs file
fsctl-getobjid Prints the objectid of the file and GUID of the
underlying volume.
getcompression Prints the compression setting for the file
setcompression Sets the compression level for the file
list-snapshots List the previous versions of the volume that backs
this file
quota Prints the quota for a cifs file
secdesc Prints the security descriptor for a cifs file
keys Prints the decryption information needed to view
encrypted network traces
gettconinfo Prints TCON Id and Session Id for a cifs file
options:
-h, --help show this help message and exit
-V, --verbose verbose output
Updated on: 2026-May-25