[cifs-protocol] NTCreateAndX with DesiredAccess of 0

James Peach jpeach at apple.com
Tue May 25 10:14:49 MDT 2010

On May 24, 2010, at 9:55 PM, Christopher R. Hertel wrote:

> James, et. al.,
> There is a Windows Behavior Note associated with [MS-CIFS] section
> that states:
> * DesiredAccess is the SMB_Parameters.Words.DesiredAccess field of the
>  request.  The FILE_COMPLETE_IF_OPLOCKED option is added (using a
>  bitwise OR) to the set provided by the client.  If the
>  FILE_NO_INTERMEDIATE_BUFFERING flag is set, it is cleared and

I don't have this note in my copy of MS-CIFS (04/23/2010 revision 6.0) 

> So, at minimum:
> * We know, from James' description, that the SMB server does not check
>  for (DesiredAccess == 0) and return an error itself.
> * The SMB server sets the FILE_COMPLETE_IF_OPLOCKED before passing the
>  DesiredAccess field to the FSA layer.
> That (at a minimum) is why DesiredAccess is non-zero by the time it gets to
> the OS call that would return STATUS_INVALID_PARAMETER.

It doesn't *sound* like FILE_COMPLETE_IF_OPLOCKED would make the DesiredAccess non-zero. What am I missing here?

> Chris -)-----
> James Peach wrote:
>> Hi all,
>> In MS-FSA, the initial parameter validation says that the operation MUST be failed with STATUS_INVALID_PARAMETER if DesiredAccess is zero. This may be true from the perspective of the object store, but it's not correct from the perspective of the SMB client.
>> The Mac OS X client implements the access(2) system call[*] by sending a SMB_COM_NT_CREATE_ANDX request with a DesiredAccess mask of zero. This causes the server to open a file handle with no access rights, but the SMB_COM_NT_CREATE_ANDX response returns the MaximalAccess which is what the client actually needs. This works with all the Windows versions that we have tested with. I believe that it works because the Windows SMB server implicitly opens the file with a non-zero DesiredAccess mask in order to obtain the necessary information for the SMB_COM_NT_CREATE_ANDX response. Note that providing any value for DesiredAccess might cause the request to fail with STATUS_ACCESS_DENIED, which will not provide the desired functionality.
>> I'm not sure whether MS-FSA should be updated, but it currently does not describe observable Windows behaviour in this regard.
>> cheers,
>> James
>> [*] <http://www.opengroup.org/onlinepubs/009695399/functions/access.html>
>> _______________________________________________
>> cifs-protocol mailing list
>> cifs-protocol at cifs.org
>> https://lists.samba.org/mailman/listinfo/cifs-protocol
> -- 
> Christopher R. Hertel -)-----             Storage Architect & CIFS Geek
> http://www.ubiqx.com/               Data Storage and Systems Consulting
> "Implementing CIFS - the Common Internet FileSystem"   ISBN: 013047116X

More information about the cifs-protocol mailing list