1 .. SPDX-License-Identifier: GPL-2.0
3 ==========================
4 KSMBD - SMB3 Kernel Server
5 ==========================
7 KSMBD is a linux kernel server which implements SMB3 protocol in kernel space
8 for sharing files over network.
13 The subset of performance related operations belong in kernelspace and
14 the other subset which belong to operations which are not really related with
15 performance in userspace. So, DCE/RPC management that has historically resulted
16 into number of buffer overflow issues and dangerous security bugs and user
17 account management are implemented in user space as ksmbd.mountd.
18 File operations that are related with performance (open/read/write/close etc.)
19 in kernel space (ksmbd). This also allows for easier integration with VFS
20 interface for all file operations.
25 When the server daemon is started, It starts up a forker thread
26 (ksmbd/interface name) at initialization time and open a dedicated port 445
27 for listening to SMB requests. Whenever new clients make request, Forker
28 thread will accept the client connection and fork a new thread for dedicated
29 communication channel between the client and the server. It allows for parallel
30 processing of SMB requests(commands) from clients as well as allowing for new
31 clients to make new connections. Each instance is named ksmbd/1~n(port number)
32 to indicate connected clients. Depending on the SMB request types, each new
33 thread can decide to pass through the commands to the user space (ksmbd.mountd),
34 currently DCE/RPC commands are identified to be handled through the user space.
35 To further utilize the linux kernel, it has been chosen to process the commands
36 as workitems and to be executed in the handlers of the ksmbd-io kworker threads.
37 It allows for multiplexing of the handlers as the kernel take care of initiating
38 extra worker threads if the load is increased and vice versa, if the load is
39 decreased it destroys the extra worker threads. So, after connection is
40 established with client. Dedicated ksmbd/1..n(port number) takes complete
41 ownership of receiving/parsing of SMB commands. Each received command is worked
42 in parallel i.e., There can be multiple clients commands which are worked in
43 parallel. After receiving each command a separated kernel workitem is prepared
44 for each command which is further queued to be handled by ksmbd-io kworkers.
45 So, each SMB workitem is queued to the kworkers. This allows the benefit of load
46 sharing to be managed optimally by the default kernel and optimizing client
47 performance by handling client commands in parallel.
49 ksmbd.mountd (user space daemon)
50 --------------------------------
52 ksmbd.mountd is userspace process to, transfer user account and password that
53 are registered using ksmbd.adduser(part of utils for user space). Further it
54 allows sharing information parameters that parsed from smb.conf to ksmbd in
55 kernel. For the execution part it has a daemon which is continuously running
56 and connected to the kernel interface using netlink socket, it waits for the
57 requests(dcerpc and share/user info). It handles RPC calls (at a minimum few
58 dozen) that are most important for file server from NetShareEnum and
59 NetServerGetInfo. Complete DCE/RPC response is prepared from the user space
60 and passed over to the associated kernel thread for the client.
66 ============================== =================================================
68 ============================== =================================================
69 Dialects Supported. SMB2.1 SMB3.0, SMB3.1.1 dialects
70 (intentionally excludes security vulnerable SMB1
72 Auto Negotiation Supported.
73 Compound Request Supported.
74 Oplock Cache Mechanism Supported.
75 SMB2 leases(v1 lease) Supported.
76 Directory leases(v2 lease) Planned for future.
77 Multi-credits Supported.
78 NTLM/NTLMv2 Supported.
79 HMAC-SHA256 Signing Supported.
80 Secure negotiate Supported.
81 Signing Update Supported.
82 Pre-authentication integrity Supported.
83 SMB3 encryption(CCM, GCM) Supported. (CCM and GCM128 supported, GCM256 in
85 SMB direct(RDMA) Partially Supported. SMB3 Multi-channel is
86 required to connect to Windows client.
87 SMB3 Multi-channel Partially Supported. Planned to implement
88 replay/retry mechanisms for future.
89 SMB3.1.1 POSIX extension Supported.
90 ACLs Partially Supported. only DACLs available, SACLs
91 (auditing) is planned for the future. For
92 ownership (SIDs) ksmbd generates random subauth
93 values(then store it to disk) and use uid/gid
94 get from inode as RID for local domain SID.
95 The current acl implementation is limited to
96 standalone server, not a domain member.
97 Integration with Samba tools is being worked on
98 to allow future support for running as a domain
101 Durable handle v1,v2 Planned for future.
102 Persistent handle Planned for future.
103 SMB2 notify Planned for future.
104 Sparse file support Supported.
105 DCE/RPC support Partially Supported. a few calls(NetShareEnumAll,
106 NetServerGetInfo, SAMR, LSARPC) that are needed
107 for file server handled via netlink interface
108 from ksmbd.mountd. Additional integration with
109 Samba tools and libraries via upcall is being
110 investigated to allow support for additional
111 DCE/RPC management calls (and future support
112 for Witness protocol e.g.)
113 ksmbd/nfsd interoperability Planned for future. The features that ksmbd
114 support are Leases, Notify, ACLs and Share modes.
115 ============================== =================================================
121 1. Download ksmbd-tools and compile them.
122 - https://github.com/cifsd-team/ksmbd-tools
124 2. Create user/password for SMB share.
127 # ksmbd.adduser -a <Enter USERNAME for SMB share access>
129 3. Create /etc/ksmbd/smb.conf file, add SMB share in smb.conf file
130 - Refer smb.conf.example and
131 https://github.com/cifsd-team/ksmbd-tools/blob/master/Documentation/configuration.txt
133 4. Insert ksmbd.ko module
137 5. Start ksmbd user space daemon
140 6. Access share from Windows or Linux using CIFS
145 1. kill user and kernel space daemon
146 # sudo ksmbd.control -s
148 How to turn debug print on
149 ==========================
152 /sys/class/ksmbd-control/debug
154 1. Enable all component prints
155 # sudo ksmbd.control -d "all"
157 2. Enable one of components(smb, auth, vfs, oplock, ipc, conn, rdma)
158 # sudo ksmbd.control -d "smb"
160 3. Show what prints are enable.
161 # cat/sys/class/ksmbd-control/debug
162 [smb] auth vfs oplock ipc conn [rdma]
165 If you try the selected component once more, It is disabled without brackets.