[cifs-protocol] NTCreateAndX with DesiredAccess of 0

James Peach jpeach at apple.com
Mon May 24 22:07:45 MDT 2010

Hi all,

In MS-FSA, the initial parameter validation says that the operation MUST be failed with STATUS_INVALID_PARAMETER if DesiredAccess is zero. This may be true from the perspective of the object store, but it's not correct from the perspective of the SMB client.

The Mac OS X client implements the access(2) system call[*] by sending a SMB_COM_NT_CREATE_ANDX request with a DesiredAccess mask of zero. This causes the server to open a file handle with no access rights, but the SMB_COM_NT_CREATE_ANDX response returns the MaximalAccess which is what the client actually needs. This works with all the Windows versions that we have tested with. I believe that it works because the Windows SMB server implicitly opens the file with a non-zero DesiredAccess mask in order to obtain the necessary information for the SMB_COM_NT_CREATE_ANDX response. Note that providing any value for DesiredAccess might cause the request to fail with STATUS_ACCESS_DENIED, which will not provide the desired functionality.

I'm not sure whether MS-FSA should be updated, but it currently does not describe observable Windows behaviour in this regard.


[*] <http://www.opengroup.org/onlinepubs/009695399/functions/access.html>

More information about the cifs-protocol mailing list