ksmbd.conf - the configuration file for ksmbd.mountd
Copyright
Copyright © 2015-2022 ksmbd-tools contributors. License GPLv2: GNU GPL version 2
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html>.
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent
permitted by law.
Description
ksmbd.conf is the configuration file for the ksmbd.mountd(8) user mode daemon. ksmbd.addshare(8) can be used
for configuring shares for ksmbd.conf. ksmbd.addshare modifies ksmbd.conf such that its existing
formatting is not retained. ksmbd.addshare notifies ksmbd.mountd of changes, if it had made any, by
sending the SIGHUP signal to ksmbd.mountd. Changes made with ksmbd.addshare will never require
restarting ksmbd.mountd and ksmbd to take effect. ksmbd.control --reload can be used for notifying
ksmbd.mountd of changes when not using ksmbd.addshare. ksmbd.conf is expected to be at
/etc/ksmbd/ksmbd.conf by default. A configuration file that may serve as an example can be found at
/etc/ksmbd/ksmbd.conf.example.
File Format
ksmbd.conf consists of sections (i.e. groups) with each section marking the end of the previous one. A
section begins with the section name enclosed in brackets ([]) followed by a newline. A section may
contain parameters separated by newlines. A parameter consists of a name (i.e. a key) and a value, in
that order, separated by an equal sign (=). A name may contain leading and trailing tabs and spaces. A
value, which begins immediately after the equal sign, may contain leading tabs and spaces or be empty. A
value may be a list of multiple values separated by commas, tabs, and spaces. For a list of users, all
users in a system group are given by giving the group name prefixed with an at (@). A value may have a
number suffix, which is either K, M, G, T, P, or E. A semicolon (;) or a hash (#) marks the beginning of
a comment which continues until the end of the line. If a section has the same name as a previous
section, it is a continuation of that previous section, i.e. they are the same section. A duplicate
parameter in a section has its value updated only if its previous value was empty.
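The rules above, as an added example parser (not ksmbd-tools code). It shows that a repeated section continues the earlier one and that a later duplicate parameter does not override a non-empty value, which matters when reviewing a file for settings such as serversigning. The sample file is constructed, names are spelled as on this page, and the 1024-based multipliers for number suffixes are an assumption.

```python
import re

# Assumption: suffixes are powers of 1024 (the page does not give the base).
SUFFIX = {s: 1024 ** i for i, s in enumerate("KMGTPE", start=1)}

def parse_conf(text):
    """Parse ksmbd.conf text into {section: {name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0]  # ';' or '#' starts a comment
        stripped = line.strip(" \t")
        if stripped.startswith("[") and stripped.endswith("]"):
            # A repeated section name continues the earlier section.
            current = sections.setdefault(stripped[1:-1], {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            name, value = name.strip(" \t"), value.strip(" \t")
            # A duplicate parameter only replaces a previously empty value.
            if current.get(name, "") == "":
                current[name] = value
    return sections

def as_list(value):
    """Split a list value on commas, tabs and spaces."""
    return [v for v in re.split(r"[,\t ]+", value) if v]

def as_number(value):
    """Apply a K, M, G, T, P or E suffix to a numeric value."""
    if value and value[-1] in SUFFIX:
        return int(value[:-1]) * SUFFIX[value[-1]]
    return int(value)

# Constructed sample input.
SAMPLE = """\
[global]
    serversigning = mandatory   ; require SMB2 signing
    smb2maxread = 4M
    guestaccount =
[docs]
    path = /srv/docs
    validusers = alice, bob\t@staff
[global]
    guestaccount = nobody       # fills the empty value above
    serversigning = disabled    # ignored: the value is already set
"""
CONF = parse_conf(SAMPLE)
```
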
Parameters
Share parameters, marked below with (S), can be given in any section. When a share parameter is given in
a section other than global, it is specific to that particular share. Under the global section, a share
parameter sets its default value for all shares. Global parameters, marked below with (G), can only be
given in the global section and control functionality that applies to the server. Changes to global
parameters apply only after restarting ksmbd.mountd and ksmbd.
bindinterfacesonly (G)
Only bind to interfaces given with interfaces.
Default: bindinterfacesonly=no
browseable (S)
Share is seen in a net view and in the browse list.
Default: browseable=yes
comment (S)
Description of the share as seen in a net view and in the browse list.
Default: comment=
createmask (S)
Octal bitmask that gets bitwise ANDed with DOS-to-UNIX-mapped permissions when creating a file.
Default: createmask=0744
crossmnt (S)
Allow path lookup to cross a mountpoint to the root of a different filesystem.
Default: crossmnt=yes
deadtime (G)
Number of minutes of inactivity before a connection is considered dead and is then terminated.
The connection is not terminated if it has any open files. With deadtime=0, no connection is
considered dead due to inactivity.
Default: deadtime=0
directorymask (S)
Octal bitmask that gets bitwise ANDed with DOS-to-UNIX-mapped permissions when creating a
directory.
Default: directorymask=0755
durablehandles (G)
Can grant SMB2 durable file handles on a share.
Default: durablehandles=no
forcecreatemode (S)
Octal bitmask that gets bitwise ORed after the bitmask given with createmask is applied.
Default: forcecreatemode=0000
forcedirectorymode (S)
Octal bitmask that gets bitwise ORed after the bitmask given with directorymask is applied.
Default: forcedirectorymode=0000
forcegroup (S)
System group that all users connected to the share are mapped to.
Default: forcegroup=
forceuser (S)
System user that all users connected to the share are mapped to. With forcegroup= , primary
group of the system user is the respective system group.
Default: forceuser=
guestaccount (G)
User that does not require a password when connecting to any share with guestok=yes. When
connecting to such a share with the user left empty, the parameter determines what system user to
map to.
Default: guestaccount=nobody
guestaccount (S)
User that does not require a password when connecting to the share with guestok=yes given.
Default: guestaccount=
guestok (S)
Allow passwordless connections to the share as the user given with guestaccount and with the user
left empty.
Default: guestok=no
hidedotfiles (S)
Files starting with a dot appear as hidden files.
Default: hidedotfiles=yes
inheritowner (S)
Ownership for new files and directories is controlled by the ownership of the parent directory.
Default: inheritowner=no
interfaces (G)
List of the interfaces that are listened to with bindinterfacesonly=yes given.
Default: interfaces=
invalidusers (S)
List of the users that are disallowed to connect to the share. A user being in the list has
precedence over it being in validusers. With invalidusers= , no user is disallowed.
Default: invalidusers=
ipctimeout (G)
Number of seconds user space has time to reply to a heartbeat frame. If exceeded, all sessions
and TCP connections will be closed. With ipctimeout=0, user space can reply whenever.
Default: ipctimeout=0
kerberoskeytabfile (G)
Path of the keytab file for the service principal. If no value is given, it is the default keytab
resolved with krb5_kt_default(3).
Default: kerberoskeytabfile=
kerberosservicename (G)
Service principal name. If no value is given, it is cifs/ followed by the FQDN resolved with
getaddrinfo(3).
Default: kerberosservicename=
kerberossupport (G)
Support for Kerberos 5 authentication. For the parameter to take effect, ksmbd.mountd must be
built against Kerberos 5.
Default: kerberossupport=no
maptoguest (G)
When to map a user to the user given with guestaccount. With maptoguest=baduser, map when
the user does not exist.
Default: maptoguest=never
maxactivesessions (G)
Maximum number of simultaneous sessions to all shares.
Default: maxactivesessions=1024
maxconnections (G)
Maximum number of simultaneous connections to the server. With maxconnections=0, the value
will be set to the maximum allowed number of 65536. Number suffixes are allowed.
Default: maxconnections=128
maxconnections (S)
Maximum number of simultaneous connections to the share. With maxconnections=0, the value will
be set to the maximum allowed number of 65536. Number suffixes are allowed.
Default: maxconnections=128
maxopenfiles (G)
Maximum number of simultaneous open files for a client.
Default: maxopenfiles=10000
netbiosname (G)
NetBIOS name.
Default: netbiosname=KSMBDSERVER
oplocks (S)
Issue oplocks to file open requests on the share.
Default: oplocks=yes
path (S)
Path of the directory users connected to the share are given access to.
Default: path=
readlist (S)
List of the users that are allowed read-only access to the share. A user being in the list has
precedence over readonly=no or it being in writelist.
Default: readlist=
readonly (S)
Users are allowed read-only access to the share. With readonly=no, the effect is the same as
with writable=yes. The parameter has precedence over writable, writeable, and writeok.
Default: readonly=;yes
restrictanonymous (G)
How to restrict connections to any share as the user given with guestaccount. With
restrictanonymous=1 or restrictanonymous=2, disallow connections to the IPC$ share and any share
that gives guestok=no.
Default: restrictanonymous=0
rootdirectory (G)
Path of the directory prepended to path of every share. Somewhat similar to chroot(2).
Default: rootdirectory=
servermaxprotocol (G)
Maximum protocol version supported.
Default: servermaxprotocol=SMB3_11
serverminprotocol (G)
Minimum protocol version supported.
Default: serverminprotocol=SMB2_10
servermultichannelsupport (G)
Use of SMB3 multi-channel is supported. SMB3 multi-channel support is experimental and may
corrupt data under race conditions.
Default: servermultichannelsupport=no
serversigning (G)
Client is allowed or required to use SMB2 signing. With serversigning=disabled or
serversigning=auto, SMB2 signing is allowed if it is requested by the client. With
serversigning=mandatory, SMB2 signing is required.
Default: serversigning=disabled
serverstring (G)
String that will appear in browse lists next to the machine name.
Default: serverstring=SMBSERVER
share:fake_fscaps (G)
Decimal bitmask that gets bitwise ORed with the filesystem capability flags so as to fake them.
With share:fake_fscaps=64, the FILE_SUPPORTS_SPARSE_FILES flag is set.
Default: share:fake_fscaps=64
smb2leases (G)
Negotiate SMB2 leases on file open requests.
Default: smb2leases=no
smb2maxcredits (G)
Maximum number of outstanding simultaneous SMB2 operations. Number suffixes are allowed.
Default: smb2maxcredits=8192
smb2maxread (G)
Maximum length that may be used in a SMB2 READ request sent by a client. Number suffixes are
allowed.
Default: smb2maxread=4MB
smb2maxtrans (G)
Maximum buffer size that may be used by a client in a sent SET_INFO request or a received
QUERY_INFO, QUERY_DIRECTORY, or CHANGE_NOTIFY response. Number suffixes are allowed.
Default: smb2maxtrans=1MB
smb2maxwrite (G)
Maximum length that may be used in a SMB2 WRITE request sent by a client. Number suffixes are
allowed.
Default: smb2maxwrite=4MB
smb3encryption (G)
Client is disallowed, allowed, or required to use SMB3 encryption. With smb3encryption=disabled,
SMB3 encryption is disallowed even if it is requested by the client. With smb3encryption=auto,
SMB3 encryption is allowed if it is requested by the client. With smb3encryption=mandatory, SMB3
encryption is required, i.e. clients that do not support encryption will be denied access to all
shares.
Default: smb3encryption=auto
smbdmaxiosize (G)
Maximum read/write size of SMB-Direct. Number suffixes are allowed.
Default: smbdmaxiosize=8MB
storedosattributes (S)
Store DOS attributes using xattr and then use them in the DOS-to-UNIX-mapping of permissions.
Default: storedosattributes=yes
tcpport (G)
TCP port that is listened to.
Default: tcpport=445
validusers (S)
List of the users that are allowed to connect to the share. With validusers= , all users are
allowed.
Default: validusers=
vetofiles (S)
Names of files and directories that are made invisible and inaccessible. Names are given between
forward slashes (/), e.g. vetofiles=/foo/bar/ to make files and directories named foo and bar
invisible and inaccessible. An asterisk (*) and a question mark (?) are used for matching any
number of characters and a character, respectively.
Default: vetofiles=
vfsobjects (S)
List of the VFS modules to overload I/O operations with. Available VFS modules are acl_xattr and
streams_xattr.
Default: vfsobjects=
workgroup (G)
Workgroup the server will appear to be in when queried by clients.
Default: workgroup=WORKGROUP
writable (S)
Users are allowed read-write access to the share. With writable=yes, the effect is the same as
with readonly=no. The parameter has precedence over writeable and writeok.
Default: writable=
writeable (S)
Same effect as writable. The parameter has precedence over writeok.
Default: writeable=
writelist (S)
List of the users that are allowed read-write access to the share. A user being in the list has
precedence over readonly=yes.
Default: writelist=
writeok (S)
Same effect as writable.
Default: writeok=
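The access precedence stated under invalidusers, validusers, readlist, writelist, readonly and writable, worked through as an added example (a model of the documented rules, not ksmbd's own code). The share dictionary and user names are constructed; @group entries are not expanded, boolean values are assumed to be the literal yes or no, and a share that gives none of readonly, writable, writeable or writeok is assumed to be read-only.

```python
import re

def users(share, name):
    """Split a list-valued parameter on commas, tabs and spaces."""
    return [u for u in re.split(r"[,\t ]+", share.get(name, "")) if u]

def share_read_only(share):
    """readonly beats writable, which beats writeable, which beats writeok."""
    if share.get("readonly"):
        return share["readonly"] == "yes"
    for name in ("writable", "writeable", "writeok"):
        if share.get(name):
            return share[name] != "yes"
    return True  # assumption: nothing given means read-only

def effective_access(share, user):
    """Return 'deny', 'ro' or 'rw' for `user` under the documented precedence."""
    if user in users(share, "invalidusers"):
        return "deny"  # invalidusers has precedence over validusers
    valid = users(share, "validusers")
    if valid and user not in valid:
        return "deny"  # an empty validusers allows all users
    if user in users(share, "readlist"):
        return "ro"    # readlist beats readonly=no and writelist
    if user in users(share, "writelist"):
        return "rw"    # writelist beats readonly=yes
    return "ro" if share_read_only(share) else "rw"

# Constructed share section, already parsed into name/value pairs.
DOCS = {
    "path": "/srv/docs",
    "readonly": "yes",
    "writable": "yes",            # loses to readonly
    "validusers": "alice, bob, carol, dave",
    "invalidusers": "dave",
    "readlist": "bob",
    "writelist": "alice, bob",
}

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave", "eve"):
        print(name, effective_access(DOCS, name))
```
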
Reporting Bugs
For bug reports, use the issue tracker at https://github.com/cifsd-team/ksmbd-tools/issues.
See Also
Utilities: ksmbd.addshare(8), ksmbd.adduser(8), ksmbd.mountd(8)
ksmbd-tools 3.5.3 KSMBD.CONF(5)
