From 0626e6641f6b467447c81dd7678a69c66f7746cf Mon Sep 17 00:00:00 2001 From: Namjae Jeon Date: Tue, 16 Mar 2021 13:07:11 +0900 Subject: cifsd: add server handler for central processing and transport layers This adds server handler for central processing, transport layers (tcp, rdma, ipc) and a document describing cifsd architecture. Signed-off-by: Namjae Jeon Signed-off-by: Sergey Senozhatsky Signed-off-by: Hyunchul Lee Acked-by: Ronnie Sahlberg Signed-off-by: Steve French --- Documentation/filesystems/cifs/cifsd.rst | 136 +++++++++++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 Documentation/filesystems/cifs/cifsd.rst (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst new file mode 100644 index 000000000000..e0c33d03f290 --- /dev/null +++ b/Documentation/filesystems/cifs/cifsd.rst
@@ -0,0 +1,136 @@ +.. SPDX-License-Identifier: GPL-2.0 + +========================= +CIFSD - SMB3 Kernel Server +========================= + +CIFSD is a linux kernel server which implements SMB3 protocol in kernel space +for sharing files over network. + +CIFSD architecture +================== + +The subset of performance related operations belong in kernelspace and +the other subset which belong to operations which are not really related with +performance in userspace. So, DCE/RPC management that has historically resulted +into number of buffer overflow issues and dangerous security bugs and user +account management are implemented in user space as ksmbd.mountd. +File operations that are related with performance (open/read/write/close etc.) +in kernel space (ksmbd). This also allows for easier integration with VFS +interface for all file operations. + +ksmbd (kernel daemon) +--------------------- + +When the server daemon is started, It starts up a forker thread +(ksmbd/interface name) at initialization time and open a dedicated port 445 +for listening to SMB requests. Whenever new clients make request, Forker +thread will accept the client connection and fork a new thread for dedicated +communication channel between the client and the server. It allows for parallel +processing of SMB requests(commands) from clients as well as allowing for new +clients to make new connections. Each instance is named ksmbd/1~n(port number) +to indicate connected clients. Depending on the SMB request types, each new +thread can decide to pass through the commands to the user space (ksmbd.mountd), +currently DCE/RPC commands are identified to be handled through the user space. +To further utilize the linux kernel, it has been chosen to process the commands +as workitems and to be executed in the handlers of the ksmbd-io kworker threads. 
+It allows for multiplexing of the handlers as the kernel take care of initiating +extra worker threads if the load is increased and vice versa, if the load is +decreased it destroys the extra worker threads. So, after connection is +established with client. Dedicated ksmbd/1..n(port number) takes complete +ownership of receiving/parsing of SMB commands. Each received command is worked +in parallel i.e., There can be multiple clients commands which are worked in +parallel. After receiving each command a separated kernel workitem is prepared +for each command which is further queued to be handled by ksmbd-io kworkers. +So, each SMB workitem is queued to the kworkers. This allows the benefit of load +sharing to be managed optimally by the default kernel and optimizing client +performance by handling client commands in parallel. + +ksmbd.mountd (user space daemon) +-------------------------------- + +ksmbd.mountd is userspace process to, transfer user account and password that +are registered using ksmbd.adduser(part of utils for user space). Further it +allows sharing information parameters that parsed from smb.conf to ksmbd in +kernel. For the execution part it has a daemon which is continuously running +and connected to the kernel interface using netlink socket, it waits for the +requests(dcerpc and share/user info). It handles RPC calls (at a minimum few +dozen) that are most important for file server from NetShareEnum and +NetServerGetInfo. Complete DCE/RPC response is prepared from the user space +and passed over to the associated kernel thread for the client. 
+ +Key Features +============ + +The supported features are: + * SMB3 protocols for basic file sharing + * Auto negotiation + * Compound requests + * Oplock/Lease + * Large MTU + * NTLM/NTLMv2 + * HMAC-SHA256 Signing + * Secure negotiate + * Signing Update + * Pre-authentication integrity(SMB 3.1.1) + * SMB3 encryption(CCM, GCM) + * SMB direct(RDMA) + * SMB3.1.1 POSIX extension support + * ACLs + * Kerberos + +The features that are planned or not supported: + * SMB3 Multi-channel + * Durable handle v1,v2 + * Persistent handles + * Directory lease + * SMB2 notify + +How to run +========== + +1. Download ksmbd-tools and compile them. + - https://github.com/cifsd-team/ksmbd-tools + +2. Create user/password for SMB share. + + # mkdir /etc/ksmbd/ + # ksmbd.adduser -a + +3. Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file + - Refer smb.conf.example and Documentation/configuration.txt + in ksmbd-tools + +4. Insert ksmbd.ko module + + # insmod ksmbd.ko + +5. Start ksmbd user space daemon + # ksmbd.mountd + +6. Access share from Windows or Linux using CIFS + +Shutdown CIFSD +============== + +1. kill user and kernel space daemon + # sudo ksmbd.control -s + +How to turn debug print on +========================== + +Each layer +/sys/class/ksmbd-control/debug + +1. Enable all component prints + # sudo ksmbd.control -d "all" + +2. Enable one of components(smb, auth, vfs, oplock, ipc, conn, rdma) + # sudo ksmbd.control -d "smb" + +3. Show what prints are enable. + # cat/sys/class/ksmbd-control/debug + [smb] auth vfs oplock ipc conn [rdma] + +4. Disable prints: + If you try the selected component once more, It is disabled without brackets. -- cgit v1.2.3 From c0e8110e6c75758c4567f8e713f26e5dbd88cc7c Mon Sep 17 00:00:00 2001 
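Review bot: step 2 of "How to run" gives `# ksmbd.adduser -a` with no user name, so the command as written cannot register an account; it should show the argument, e.g. `# ksmbd.adduser -a <username>`, and say that the resulting password database is what step 5's ksmbd.mountd passes to the kernel. Two more points in the same file: in "How to turn debug print on", `# cat/sys/class/ksmbd-control/debug` is missing the space after `cat`, and step 4 ("If you try the selected component once more, It is disabled without brackets") should state plainly that `ksmbd.control -d <component>` toggles that component and that the bracketed names in the sysfs output are the enabled ones. In the ksmbd section, "ksmbd/1~n(port number)" is ambiguous because the listening port is fixed at 445: say which port the thread name carries (presumably the client's source port), and "fork a new thread" should be "start a new kernel thread", since nothing is forked. The title overline is also one `=` short of the 26-character title "CIFSD - SMB3 Kernel Server", which Sphinx warns about.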
From: Namjae Jeon Date: Wed, 17 Mar 2021 16:52:17 +0900 Subject: cifsd: fix WARNING: Title overline too short Stephen reported a warning message from cifsd.rst file. Documentation/filesystems/cifs/cifsd.rst:3: WARNING: Title overline too short. Reported-by: Stephen Rothwell Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/cifsd.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst index e0c33d03f290..af3589da6923 100644 --- a/Documentation/filesystems/cifs/cifsd.rst +++ b/Documentation/filesystems/cifs/cifsd.rst @@ -1,8 +1,8 @@ .. SPDX-License-Identifier: GPL-2.0 -========================= +========================== CIFSD - SMB3 Kernel Server -========================= +========================== CIFSD is a linux kernel server which implements SMB3 protocol in kernel space for sharing files over network. -- cgit v1.2.3 From 42da4086b987fbb35562e93e534e57ad3f81f855 Mon Sep 17 00:00:00 2001 From: Namjae Jeon Date: Wed, 17 Mar 2021 16:55:28 +0900 Subject: cifsd: fix WARNING: document isn't included in any toctree Stephen reported a warning message from cifsd.rst file. Documentation/filesystems/cifs/cifsd.rst: WARNING: document isn't included in any toctree Reported-by: Stephen Rothwell Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/index.rst | 1 + 1 file changed, 1 insertion(+) (limited to 'Documentation') diff --git a/Documentation/filesystems/index.rst b/Documentation/filesystems/index.rst index d4853cb919d2..ac9396f2bb8a 100644 --- a/Documentation/filesystems/index.rst +++ b/Documentation/filesystems/index.rst @@ -72,6 +72,7 @@ Documentation for filesystem implementations. befs bfs btrfs + cifs/cifsd cifs/cifsroot ceph coda -- cgit v1.2.3 From 04bee6e336be1accb7f28d8e86454f42b58a860f Mon Sep 17 00:00:00 2001 
From: Namjae Jeon Date: Sat, 20 Mar 2021 16:06:59 +0900 Subject: cifsd: update cifsd.rst document Add work flow of cifsd and feature stats table. Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/cifsd.rst | 96 +++++++++++++++++++++++--------- 1 file changed, 70 insertions(+), 26 deletions(-) (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst index af3589da6923..7eac7e459c2d 100644 --- a/Documentation/filesystems/cifs/cifsd.rst +++ b/Documentation/filesystems/cifs/cifsd.rst @@ -10,6 +10,34 @@ for sharing files over network. CIFSD architecture ================== + |--- ... + --------|--- ksmbd/3 - Client 3 + |-------|--- ksmbd/2 - Client 2 + | | ____________________________________________________ + | | |- Client 1 | +<--- Socket ---|--- ksmbd/1 <<= Authentication : NTLM/NTLM2, Kerberos | + | | | | <<= SMB engine : SMB2, SMB2.1, SMB3, SMB3.0.2, | + | | | | SMB3.1.1 | + | | | |____________________________________________________| + | | | + | | |--- VFS --- Local Filesystem + | | +KERNEL |--- ksmbd/0(forker kthread) +---------------||--------------------------------------------------------------- +USER || + || communication using NETLINK + || ______________________________________________ + || | | + ksmbd.mountd <<= DCE/RPC(srvsvc, wkssvc, smar, lsarpc) | + ^ | <<= configure shares setting, user accounts | + | |______________________________________________| + | + |------ smb.conf(config file) + | + |------ ksmbdpwd.db(user account/password file) + ^ + ksmbd.adduser ---------------| + The subset of performance related operations belong in kernelspace and the other subset which belong to operations which are not really related with performance in userspace. So, DCE/RPC management that has historically resulted 
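Review bot: the architecture diagram is inserted as ordinary body text, so reStructuredText will treat the `|` columns and the `____` runs as substitution references and inline markup and the build will warn; it needs to be a literal block, i.e. a paragraph ending in `::`, a blank line, and the diagram indented by at least one space, so that it is rendered verbatim. Inside the diagram, "smar" in `DCE/RPC(srvsvc, wkssvc, smar, lsarpc)` should be "samr", and "NTLM/NTLM2" in the authentication box should be "NTLM/NTLMv2" to match the feature table added in the next hunk. The diagram's SMB engine also lists SMB2 and SMB3.0.2, which that table's Dialects row (SMB2.1, SMB3.0, SMB3.1.1) omits; the two should agree on which dialects are negotiated.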
@@ -59,32 +87,48 @@ dozen) that are most important for file server from NetShareEnum and NetServerGetInfo. Complete DCE/RPC response is prepared from the user space and passed over to the associated kernel thread for the client. -Key Features -============ - -The supported features are: - * SMB3 protocols for basic file sharing - * Auto negotiation - * Compound requests - * Oplock/Lease - * Large MTU - * NTLM/NTLMv2 - * HMAC-SHA256 Signing - * Secure negotiate - * Signing Update - * Pre-authentication integrity(SMB 3.1.1) - * SMB3 encryption(CCM, GCM) - * SMB direct(RDMA) - * SMB3.1.1 POSIX extension support - * ACLs - * Kerberos - -The features that are planned or not supported: - * SMB3 Multi-channel - * Durable handle v1,v2 - * Persistent handles - * Directory lease - * SMB2 notify + +CIFSD Feature Status +==================== + +============================== ================================================= +Feature name Status +============================== ================================================= +Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects + excluding security vulnerable SMB1. +Auto Negotiation Supported. +Compound Request Supported. +Oplock Cache Mechanism Supported. +SMB2 leases(v1 lease) Supported. +Directory leases(v2 lease) Planned for future. +Multi-credits Supported. +NTLM/NTLMv2 Supported. +HMAC-SHA256 Signing Supported. +Secure negotiate Supported. +Signing Update Supported. +Pre-authentication integrity Supported. +SMB3 encryption(CCM, GCM) Supported. +SMB direct(RDMA) Partial Supported. SMB3 Multi-channel is required + to connect to Windows client. +SMB3 Multi-channel In Progress. +SMB3.1.1 POSIX extension Supported. +ACLs Partial Supported. only DACLs available, SACLs is + planned for future. ksmbd generate random subauth + values(then store it to disk) and use uid/gid + get from inode as RID for local domain SID. + The current acl implementation is limited to + standalone server, not a domain member. +Kerberos Supported. 
+Durable handle v1,v2 Planned for future. +Persistent handle Planned for future. +SMB2 notify Planned for future. +Sparse file support Supported. +DCE/RPC support Partial Supported. a few calls(NetShareEnumAll, + NetServerGetInfo, SAMR, LSARPC) that needed as + file server via netlink interface from + ksmbd.mountd. +============================== ================================================= + How to run ========== -- cgit v1.2.3 From 04165366515a2ba36c78540da776d3a12164f824 Mon Sep 17 00:00:00 2001 From: Namjae Jeon Date: Sat, 20 Mar 2021 16:19:01 +0900 Subject: cifsd: add index.rst in cifs documentation Since more than one file is in the cifs document directory, this patch adds an index.rst. Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/index.rst | 10 ++++++++++ Documentation/filesystems/index.rst | 3 +-- 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 Documentation/filesystems/cifs/index.rst (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/index.rst b/Documentation/filesystems/cifs/index.rst new file mode 100644 index 000000000000..e762586b5dc7 --- /dev/null +++ b/Documentation/filesystems/cifs/index.rst @@ -0,0 +1,10 @@ +=============================== +CIFS +=============================== + + +.. toctree:: + :maxdepth: 1 + + cifsd + cifsroot diff --git a/Documentation/filesystems/index.rst b/Documentation/filesystems/index.rst index ac9396f2bb8a..bdba80ae2bb1 100644 --- a/Documentation/filesystems/index.rst +++ b/Documentation/filesystems/index.rst @@ -72,8 +72,7 @@ Documentation for filesystem implementations. befs bfs btrfs - cifs/cifsd - cifs/cifsroot + cifs/index ceph coda configfs -- cgit v1.2.3 From 269d3feec1b0f0c286ff3cc3eef43416614ee261 Mon Sep 17 00:00:00 2001
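Review bot: the ACLs row says ksmbd generates random subauth values for the local domain SID and stores them to disk, but not where; the path and the permissions it needs belong in the document, because an administrator who loses or replaces that file would end up with a different local SID, and every DACL already written with SIDs built from the old values would stop resolving. Wording in the same hunk: "Partial Supported" (twice) should be "Partially supported", "ksmbd generate random subauth values(then store it to disk) and use uid/gid get from inode" should be "ksmbd generates random subauth values (stored to disk) and uses the uid/gid from the inode", and "a few calls(...) that needed as file server" should be "a few calls (...) that a file server needs". The removed "Key Features" list had "Large MTU" and "Oplock/Lease"; the table carries them as "Multi-credits" and "Oplock Cache Mechanism"/"SMB2 leases(v1 lease)" without saying so, so keep one name or note the correspondence.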
From: Namjae Jeon Date: Tue, 23 Mar 2021 15:17:00 +0900 Subject: cifsd: fix build warnings from cifsd.rst Stephen reported build warnings from cifsd.rst: Documentation/filesystems/cifs/cifsd.rst:13: WARNING: Inline substitution_reference start-string without end-string. Documentation/filesystems/cifs/cifsd.rst:14: WARNING: Block quote ends without a blank line; unexpected unindent. Documentation/filesystems/cifs/cifsd.rst:14: WARNING: Inline substitution_reference start-string without end-string. Documentation/filesystems/cifs/cifsd.rst:18: WARNING: Block quote ends without a blank line; unexpected unindent. Documentation/filesystems/cifs/cifsd.rst:23: WARNING: Inline substitution_reference start-string without end-string. Documentation/filesystems/cifs/cifsd.rst:23: WARNING: Inline substitution_reference start-string without end-string. Documentation/filesystems/cifs/cifsd.rst:24: WARNING: Inline substitution_reference start-string without end-string. Documentation/filesystems/cifs/cifsd.rst:25: WARNING: Definition list ends without a blank line; unexpected unindent. Documentation/filesystems/cifs/cifsd.rst:28: WARNING: Unexpected indentation. Documentation/filesystems/cifs/cifsd.rst:31: WARNING: Block quote ends without a blank line; unexpected unindent. Documentation/filesystems/cifs/cifsd.rst:38: WARNING: Unexpected indentation. Documentation/filesystems/cifs/cifsd.rst:32: WARNING: Inline substitution_reference start-string without end-string. Documentation/filesystems/cifs/cifsd.rst:32: WARNING: Inline substitution_reference start-string without end-string. Documentation/filesystems/cifs/cifsd.rst:39: WARNING: Block quote ends without a blank line; unexpected unindent. Documentation/filesystems/cifs/cifsd.rst:14: WARNING: Undefined substitution referenced: "--- ksmbd/3 - Client 3 |-------". Documentation/filesystems/cifs/cifsd.rst:0: WARNING: Undefined substitution referenced: "____________________________________________________".
Documentation/filesystems/cifs/cifsd.rst:25: WARNING: Undefined substitution referenced: "--- ksmbd/0(forker kthread) ---------------|". Documentation/filesystems/cifs/cifsd.rst:32: WARNING: Undefined substitution referenced: "______________________________________________". Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/cifsd.rst | 28 ---------------------------- 1 file changed, 28 deletions(-) (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst index 7eac7e459c2d..48ae58f2a53c 100644 --- a/Documentation/filesystems/cifs/cifsd.rst +++ b/Documentation/filesystems/cifs/cifsd.rst @@ -10,34 +10,6 @@ for sharing files over network. CIFSD architecture ================== - |--- ... - --------|--- ksmbd/3 - Client 3 - |-------|--- ksmbd/2 - Client 2 - | | ____________________________________________________ - | | |- Client 1 | -<--- Socket ---|--- ksmbd/1 <<= Authentication : NTLM/NTLM2, Kerberos | - | | | | <<= SMB engine : SMB2, SMB2.1, SMB3, SMB3.0.2, | - | | | | SMB3.1.1 | - | | | |____________________________________________________| - | | | - | | |--- VFS --- Local Filesystem - | | -KERNEL |--- ksmbd/0(forker kthread) ----------------||--------------------------------------------------------------- -USER || - || communication using NETLINK - || ______________________________________________ - || | | - ksmbd.mountd <<= DCE/RPC(srvsvc, wkssvc, smar, lsarpc) | - ^ | <<= configure shares setting, user accounts | - | |______________________________________________| - | - |------ smb.conf(config file) - | - |------ ksmbdpwd.db(user account/password file) - ^ - ksmbd.adduser ---------------| - The subset of performance related operations belong in kernelspace and the other subset which belong to operations which are not really related with performance in userspace. So, DCE/RPC management that has historically resulted -- cgit v1.2.3 
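Review bot: removing the diagram drops the only picture of where the kernel/user boundary sits and which DCE/RPC interfaces (srvsvc, wkssvc, samr, lsarpc) cross it over netlink; every warning listed in the commit message comes from the diagram being parsed as body text, and all of them go away if it is kept as a literal block (a paragraph ending in `::`, a blank line, and the diagram indented). If it is dropped anyway, the subject line should say so, since "fix build warnings" suggests the content was repaired rather than deleted.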
From 9cca7516f4c6373223d6059f1a69548fed74c5ed Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Fri, 2 Apr 2021 13:17:04 +0900 Subject: doc: cifsd: change the reference to configuration.txt added documentation for cifsd. There, it points to a file named: Documentation/configuration.txt This confuses Kernel scripts, as they think that this is a document within the Kernel tree, instead of a file from some other place. Replace it by a hyperlink to the ksmbd-tools tree, in order to avoid false-positives. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/cifsd.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst index 48ae58f2a53c..cb9f87b8529f 100644 --- a/Documentation/filesystems/cifs/cifsd.rst +++ b/Documentation/filesystems/cifs/cifsd.rst @@ -114,8 +114,8 @@ How to run # ksmbd.adduser -a 3. Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file - - Refer smb.conf.example and Documentation/configuration.txt - in ksmbd-tools + - Refer smb.conf.example and + https://github.com/cifsd-team/ksmbd-tools/blob/master/Documentation/configuration.txt 4. Insert ksmbd.ko module -- cgit v1.2.3 From 204fcceb7ccf43034da8e97078153c7c6d0bc84d Mon Sep 17 00:00:00 2001 From: Namjae Jeon Date: Wed, 28 Apr 2021 13:17:47 +0900 Subject: cifsd: add ksmbd/nfsd interoperability to feature table Add ksmbd/nfsd interoperability to feature table and sync with a table in patch cover letter. Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/cifsd.rst | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst index cb9f87b8529f..01a0be272ce6 100644
--- a/Documentation/filesystems/cifs/cifsd.rst +++ b/Documentation/filesystems/cifs/cifsd.rst @@ -67,7 +67,8 @@ CIFSD Feature Status Feature name Status ============================== ================================================= Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects - excluding security vulnerable SMB1. + (intentionally excludes security vulnerable SMB1 + dialect). Auto Negotiation Supported. Compound Request Supported. Oplock Cache Mechanism Supported. 
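Review bot: the reworded Dialects row still lists only SMB2.1, SMB3.0 and SMB3.1.1, while the diagram removed in 269d3feec1b0 showed the SMB engine handling SMB2 and SMB3.0.2 as well; if those dialects are negotiated the row should say so, and if not the diagram was wrong, so a patch whose purpose is to sync the table "with a table in patch cover letter" is the place to settle it. A comma is also missing between "SMB2.1" and "SMB3.0". The parenthetical reads more precisely as "(SMB1 is intentionally not supported because of its known security weaknesses)", since what is excluded is the whole SMB1 protocol rather than one dialect.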
@@ -79,26 +80,37 @@ HMAC-SHA256 Signing Supported. Secure negotiate Supported. Signing Update Supported. Pre-authentication integrity Supported. -SMB3 encryption(CCM, GCM) Supported. -SMB direct(RDMA) Partial Supported. SMB3 Multi-channel is required - to connect to Windows client. +SMB3 encryption(CCM, GCM) Supported. (CCM and GCM128 supported, GCM256 in + progress) +SMB direct(RDMA) Partially Supported. SMB3 Multi-channel is + required to connect to Windows client. SMB3 Multi-channel In Progress. SMB3.1.1 POSIX extension Supported. -ACLs Partial Supported. only DACLs available, SACLs is - planned for future. ksmbd generate random subauth +ACLs Partially Supported. only DACLs available, SACLs + (auditing) is planned for the future. For + ownership (SIDs) ksmbd generates random subauth values(then store it to disk) and use uid/gid get from inode as RID for local domain SID. The current acl implementation is limited to standalone server, not a domain member. + Integration with Samba tools is being worked on + to allow future support for running as a domain + member. Kerberos Supported. Durable handle v1,v2 Planned for future. Persistent handle Planned for future. SMB2 notify Planned for future. Sparse file support Supported. -DCE/RPC support Partial Supported. a few calls(NetShareEnumAll, - NetServerGetInfo, SAMR, LSARPC) that needed as - file server via netlink interface from - ksmbd.mountd. +DCE/RPC support Partially Supported. a few calls(NetShareEnumAll, + NetServerGetInfo, SAMR, LSARPC) that are needed + for file server handled via netlink interface + from ksmbd.mountd. Additional integration with + Samba tools and libraries via upcall is being + investigated to allow support for additional + DCE/RPC management calls (and future support + for Witness protocol e.g.) +ksmbd/nfsd interoperability Planned for future. The features that ksmbd + support are Leases, Notify, ACLs and Share modes. 
============================== ================================================= -- cgit v1.2.3 From 1a93084b9a89818aec0ac7b59a5a51f2112bf203 Mon Sep 17 00:00:00 2001 From: Namjae Jeon Date: Thu, 24 Jun 2021 10:34:11 +0900 Subject: ksmbd: move fs/cifsd to fs/ksmbd Move fs/cifsd to fs/ksmbd and rename the remaining cifsd name to ksmbd. Reviewed-by: Christoph Hellwig Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/cifsd.rst | 164 ------------------------------- Documentation/filesystems/cifs/index.rst | 2 +- Documentation/filesystems/cifs/ksmbd.rst | 164 +++++++++++++++++++++++++++++++ 3 files changed, 165 insertions(+), 165 deletions(-) delete mode 100644 Documentation/filesystems/cifs/cifsd.rst create mode 100644 Documentation/filesystems/cifs/ksmbd.rst (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/cifsd.rst b/Documentation/filesystems/cifs/cifsd.rst deleted file mode 100644 index 01a0be272ce6..000000000000 --- a/Documentation/filesystems/cifs/cifsd.rst +++ /dev/null 
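Review bot: the new "ksmbd/nfsd interoperability" row says "The features that ksmbd support are Leases, Notify, ACLs and Share modes", but the same table marks SMB2 notify and Directory leases as "Planned for future", so the sentence contradicts the rows above it; it presumably means the features whose state has to be shared with nfsd for the two servers to interoperate, and should say that. In the ACLs row, "SACLs (auditing) is planned" should be "are planned" and "generates random subauth values(then store it to disk) and use uid/gid get from inode" should be "generates random subauth values (stored to disk) and uses the uid/gid from the inode"; the DCE/RPC row's "(and future support for Witness protocol e.g.)" should be "(e.g. future support for the Witness protocol)". The SMB3 encryption row now distinguishes CCM, GCM128 and GCM256; a sentence on which cipher ksmbd selects when a client offers more than one would help administrators judge what is actually negotiated.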
@@ -1,164 +0,0 @@ -.. SPDX-License-Identifier: GPL-2.0 - -========================== -CIFSD - SMB3 Kernel Server -========================== - -CIFSD is a linux kernel server which implements SMB3 protocol in kernel space -for sharing files over network. - -CIFSD architecture -================== - -The subset of performance related operations belong in kernelspace and -the other subset which belong to operations which are not really related with -performance in userspace. So, DCE/RPC management that has historically resulted -into number of buffer overflow issues and dangerous security bugs and user -account management are implemented in user space as ksmbd.mountd. -File operations that are related with performance (open/read/write/close etc.) -in kernel space (ksmbd). This also allows for easier integration with VFS -interface for all file operations. - -ksmbd (kernel daemon) ---------------------- - -When the server daemon is started, It starts up a forker thread -(ksmbd/interface name) at initialization time and open a dedicated port 445 -for listening to SMB requests. Whenever new clients make request, Forker -thread will accept the client connection and fork a new thread for dedicated -communication channel between the client and the server. It allows for parallel -processing of SMB requests(commands) from clients as well as allowing for new -clients to make new connections. Each instance is named ksmbd/1~n(port number) -to indicate connected clients. Depending on the SMB request types, each new -thread can decide to pass through the commands to the user space (ksmbd.mountd), -currently DCE/RPC commands are identified to be handled through the user space. -To further utilize the linux kernel, it has been chosen to process the commands -as workitems and to be executed in the handlers of the ksmbd-io kworker threads. 
-It allows for multiplexing of the handlers as the kernel take care of initiating -extra worker threads if the load is increased and vice versa, if the load is -decreased it destroys the extra worker threads. So, after connection is -established with client. Dedicated ksmbd/1..n(port number) takes complete -ownership of receiving/parsing of SMB commands. Each received command is worked -in parallel i.e., There can be multiple clients commands which are worked in -parallel. After receiving each command a separated kernel workitem is prepared -for each command which is further queued to be handled by ksmbd-io kworkers. -So, each SMB workitem is queued to the kworkers. This allows the benefit of load -sharing to be managed optimally by the default kernel and optimizing client -performance by handling client commands in parallel. - -ksmbd.mountd (user space daemon) --------------------------------- - -ksmbd.mountd is userspace process to, transfer user account and password that -are registered using ksmbd.adduser(part of utils for user space). Further it -allows sharing information parameters that parsed from smb.conf to ksmbd in -kernel. For the execution part it has a daemon which is continuously running -and connected to the kernel interface using netlink socket, it waits for the -requests(dcerpc and share/user info). It handles RPC calls (at a minimum few -dozen) that are most important for file server from NetShareEnum and -NetServerGetInfo. Complete DCE/RPC response is prepared from the user space -and passed over to the associated kernel thread for the client. - - -CIFSD Feature Status -==================== - -============================== ================================================= -Feature name Status -============================== ================================================= -Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects - (intentionally excludes security vulnerable SMB1 - dialect). -Auto Negotiation Supported. -Compound Request Supported. 
-Oplock Cache Mechanism Supported. -SMB2 leases(v1 lease) Supported. -Directory leases(v2 lease) Planned for future. -Multi-credits Supported. -NTLM/NTLMv2 Supported. -HMAC-SHA256 Signing Supported. -Secure negotiate Supported. -Signing Update Supported. -Pre-authentication integrity Supported. -SMB3 encryption(CCM, GCM) Supported. (CCM and GCM128 supported, GCM256 in - progress) -SMB direct(RDMA) Partially Supported. SMB3 Multi-channel is - required to connect to Windows client. -SMB3 Multi-channel In Progress. -SMB3.1.1 POSIX extension Supported. -ACLs Partially Supported. only DACLs available, SACLs - (auditing) is planned for the future. For - ownership (SIDs) ksmbd generates random subauth - values(then store it to disk) and use uid/gid - get from inode as RID for local domain SID. - The current acl implementation is limited to - standalone server, not a domain member. - Integration with Samba tools is being worked on - to allow future support for running as a domain - member. -Kerberos Supported. -Durable handle v1,v2 Planned for future. -Persistent handle Planned for future. -SMB2 notify Planned for future. -Sparse file support Supported. -DCE/RPC support Partially Supported. a few calls(NetShareEnumAll, - NetServerGetInfo, SAMR, LSARPC) that are needed - for file server handled via netlink interface - from ksmbd.mountd. Additional integration with - Samba tools and libraries via upcall is being - investigated to allow support for additional - DCE/RPC management calls (and future support - for Witness protocol e.g.) -ksmbd/nfsd interoperability Planned for future. The features that ksmbd - support are Leases, Notify, ACLs and Share modes. -============================== ================================================= - - -How to run -========== - -1. Download ksmbd-tools and compile them. - - https://github.com/cifsd-team/ksmbd-tools - -2. Create user/password for SMB share. - - # mkdir /etc/ksmbd/ - # ksmbd.adduser -a - -3. 
Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file - - Refer smb.conf.example and - https://github.com/cifsd-team/ksmbd-tools/blob/master/Documentation/configuration.txt - -4. Insert ksmbd.ko module - - # insmod ksmbd.ko - -5. Start ksmbd user space daemon - # ksmbd.mountd - -6. Access share from Windows or Linux using CIFS - -Shutdown CIFSD -============== - -1. kill user and kernel space daemon - # sudo ksmbd.control -s - -How to turn debug print on -========================== - -Each layer -/sys/class/ksmbd-control/debug - -1. Enable all component prints - # sudo ksmbd.control -d "all" - -2. Enable one of components(smb, auth, vfs, oplock, ipc, conn, rdma) - # sudo ksmbd.control -d "smb" - -3. Show what prints are enable. - # cat/sys/class/ksmbd-control/debug - [smb] auth vfs oplock ipc conn [rdma] - -4. Disable prints: - If you try the selected component once more, It is disabled without brackets. diff --git a/Documentation/filesystems/cifs/index.rst b/Documentation/filesystems/cifs/index.rst index e762586b5dc7..1c8597a679ab 100644 --- a/Documentation/filesystems/cifs/index.rst +++ b/Documentation/filesystems/cifs/index.rst @@ -6,5 +6,5 @@ CIFS .. toctree:: :maxdepth: 1 - cifsd + ksmbd cifsroot diff --git a/Documentation/filesystems/cifs/ksmbd.rst b/Documentation/filesystems/cifs/ksmbd.rst new file mode 100644 index 000000000000..1e111efecd45 --- /dev/null +++ b/Documentation/filesystems/cifs/ksmbd.rst 
@@ -0,0 +1,164 @@ +.. SPDX-License-Identifier: GPL-2.0 + +========================== +KSMBD - SMB3 Kernel Server +========================== + +KSMBD is a linux kernel server which implements SMB3 protocol in kernel space +for sharing files over network. + +KSMBD architecture +================== + +The subset of performance related operations belong in kernelspace and +the other subset which belong to operations which are not really related with +performance in userspace. So, DCE/RPC management that has historically resulted +into number of buffer overflow issues and dangerous security bugs and user +account management are implemented in user space as ksmbd.mountd. +File operations that are related with performance (open/read/write/close etc.) +in kernel space (ksmbd). This also allows for easier integration with VFS +interface for all file operations. + +ksmbd (kernel daemon) +--------------------- + +When the server daemon is started, It starts up a forker thread +(ksmbd/interface name) at initialization time and open a dedicated port 445 +for listening to SMB requests. Whenever new clients make request, Forker +thread will accept the client connection and fork a new thread for dedicated +communication channel between the client and the server. It allows for parallel +processing of SMB requests(commands) from clients as well as allowing for new +clients to make new connections. Each instance is named ksmbd/1~n(port number) +to indicate connected clients. Depending on the SMB request types, each new +thread can decide to pass through the commands to the user space (ksmbd.mountd), +currently DCE/RPC commands are identified to be handled through the user space. +To further utilize the linux kernel, it has been chosen to process the commands +as workitems and to be executed in the handlers of the ksmbd-io kworker threads. 
+It allows for multiplexing of the handlers as the kernel take care of initiating +extra worker threads if the load is increased and vice versa, if the load is +decreased it destroys the extra worker threads. So, after connection is +established with client. Dedicated ksmbd/1..n(port number) takes complete +ownership of receiving/parsing of SMB commands. Each received command is worked +in parallel i.e., There can be multiple clients commands which are worked in +parallel. After receiving each command a separated kernel workitem is prepared +for each command which is further queued to be handled by ksmbd-io kworkers. +So, each SMB workitem is queued to the kworkers. This allows the benefit of load +sharing to be managed optimally by the default kernel and optimizing client +performance by handling client commands in parallel. + +ksmbd.mountd (user space daemon) +-------------------------------- + +ksmbd.mountd is userspace process to, transfer user account and password that +are registered using ksmbd.adduser(part of utils for user space). Further it +allows sharing information parameters that parsed from smb.conf to ksmbd in +kernel. For the execution part it has a daemon which is continuously running +and connected to the kernel interface using netlink socket, it waits for the +requests(dcerpc and share/user info). It handles RPC calls (at a minimum few +dozen) that are most important for file server from NetShareEnum and +NetServerGetInfo. Complete DCE/RPC response is prepared from the user space +and passed over to the associated kernel thread for the client. + + +KSMBD Feature Status +==================== + +============================== ================================================= +Feature name Status +============================== ================================================= +Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects + (intentionally excludes security vulnerable SMB1 + dialect). +Auto Negotiation Supported. +Compound Request Supported. 
+Oplock Cache Mechanism Supported. +SMB2 leases(v1 lease) Supported. +Directory leases(v2 lease) Planned for future. +Multi-credits Supported. +NTLM/NTLMv2 Supported. +HMAC-SHA256 Signing Supported. +Secure negotiate Supported. +Signing Update Supported. +Pre-authentication integrity Supported. +SMB3 encryption(CCM, GCM) Supported. (CCM and GCM128 supported, GCM256 in + progress) +SMB direct(RDMA) Partially Supported. SMB3 Multi-channel is + required to connect to Windows client. +SMB3 Multi-channel In Progress. +SMB3.1.1 POSIX extension Supported. +ACLs Partially Supported. only DACLs available, SACLs + (auditing) is planned for the future. For + ownership (SIDs) ksmbd generates random subauth + values(then store it to disk) and use uid/gid + get from inode as RID for local domain SID. + The current acl implementation is limited to + standalone server, not a domain member. + Integration with Samba tools is being worked on + to allow future support for running as a domain + member. +Kerberos Supported. +Durable handle v1,v2 Planned for future. +Persistent handle Planned for future. +SMB2 notify Planned for future. +Sparse file support Supported. +DCE/RPC support Partially Supported. a few calls(NetShareEnumAll, + NetServerGetInfo, SAMR, LSARPC) that are needed + for file server handled via netlink interface + from ksmbd.mountd. Additional integration with + Samba tools and libraries via upcall is being + investigated to allow support for additional + DCE/RPC management calls (and future support + for Witness protocol e.g.) +ksmbd/nfsd interoperability Planned for future. The features that ksmbd + support are Leases, Notify, ACLs and Share modes. +============================== ================================================= + + +How to run +========== + +1. Download ksmbd-tools and compile them. + - https://github.com/cifsd-team/ksmbd-tools + +2. Create user/password for SMB share. + + # mkdir /etc/ksmbd/ + # ksmbd.adduser -a + +3. 
Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file + - Refer smb.conf.example and + https://github.com/cifsd-team/ksmbd-tools/blob/master/Documentation/configuration.txt + +4. Insert ksmbd.ko module + + # insmod ksmbd.ko + +5. Start ksmbd user space daemon + # ksmbd.mountd + +6. Access share from Windows or Linux using CIFS + +Shutdown KSMBD +============== + +1. kill user and kernel space daemon + # sudo ksmbd.control -s + +How to turn debug print on +========================== + +Each layer +/sys/class/ksmbd-control/debug + +1. Enable all component prints + # sudo ksmbd.control -d "all" + +2. Enable one of components(smb, auth, vfs, oplock, ipc, conn, rdma) + # sudo ksmbd.control -d "smb" + +3. Show what prints are enable. + # cat/sys/class/ksmbd-control/debug + [smb] auth vfs oplock ipc conn [rdma] + +4. Disable prints: + If you try the selected component once more, It is disabled without brackets. -- cgit v1.2.3 From 668fff017233ed7d1bc684a23cdf2875be1b5aea Mon Sep 17 00:00:00 2001 From: Namjae Jeon Date: Thu, 12 Aug 2021 11:32:28 +0900 Subject: ksmbd: update SMB3 multi-channel support in ksmbd.rst ksmbd start supporting SMB3 Multi-channel feature. Mark it as Partially supported till replay/retry mechanisms are implemented. Signed-off-by: Namjae Jeon Signed-off-by: Steve French --- Documentation/filesystems/cifs/ksmbd.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'Documentation') diff --git a/Documentation/filesystems/cifs/ksmbd.rst b/Documentation/filesystems/cifs/ksmbd.rst index 1e111efecd45..a1326157d53f 100644 --- a/Documentation/filesystems/cifs/ksmbd.rst +++ b/Documentation/filesystems/cifs/ksmbd.rst 
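Review bot: in the "How to turn debug print on" section of the new ksmbd.rst, the command `# cat/sys/class/ksmbd-control/debug` is missing the space after `cat` and fails as written; it should read `# cat /sys/class/ksmbd-control/debug`. In the same section, "Show what prints are enable." should be "enabled", and the fragment "Each layer /sys/class/ksmbd-control/debug" reads as an unfinished sentence (something like "Each layer's debug flag is exposed via /sys/class/ksmbd-control/debug" would do). In "How to run", "Refer smb.conf.example" should be "Refer to smb.conf.example", and the Dialects row of the feature table is missing a comma between "SMB2.1" and "SMB3.0". In the architecture text, "It starts up a forker thread ... and open a dedicated port 445" should be "opens", and "Whenever new clients make request, Forker thread" should be "make a request, the forker thread".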
@@ -84,7 +84,8 @@ SMB3 encryption(CCM, GCM) Supported. (CCM and GCM128 supported, GCM256 in progress) SMB direct(RDMA) Partially Supported. SMB3 Multi-channel is required to connect to Windows client. -SMB3 Multi-channel In Progress. +SMB3 Multi-channel Partially Supported. Planned to implement + replay/retry mechanisms for future. SMB3.1.1 POSIX extension Supported. ACLs Partially Supported. only DACLs available, SACLs (auditing) is planned for the future. For -- cgit v1.2.3
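Review bot: the new status text "Planned to implement replay/retry mechanisms for future." reads awkwardly; suggest "Replay/retry mechanisms are planned for the future." The unchanged SMB direct(RDMA) row just above still says "SMB3 Multi-channel is required to connect to Windows client"; now that multi-channel is marked partially supported, it would help to say whether RDMA with a Windows client works with the partial implementation or still depends on the missing replay/retry pieces, so readers do not infer support that is not yet there.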