[cifs-protocol] Check IS_ANONYMOUS in W8 2008 R2 on SMB2 (and SMB1) to see why bit isn't set to TRUE

Obaid Farooqi obaidf at microsoft.com
Wed May 23 15:46:32 MDT 2012


Hi Metze:
We have finished our investigation on your question regarding anonymous user and session flag SMB2_SESSION_FLAG_IS_NULL. An upcoming release of MS-SMB2 will have the following modifications. I am also attaching a PDF version of the changes that uses color and strikethrough to highlight the changes.

Section "3.2.5.3.1   Handling a New Authentication"
--------------------------------------------------------------

Existing text:
"
o             If the SMB2_SESSION_FLAG_IS_NULL bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response, Session.SigningRequired MUST be set to FALSE.
o             If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response AND if Session.SigningRequired is TRUE, this indicates a SESSION_SETUP failure and the connection MUST be terminated.
"

Modified text:
"
o             If the security subsystem indicates that the session was established by an anonymous user, Session.SigningRequired MUST be set to FALSE.

o             If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response AND if Session.SigningRequired is TRUE, this indicates a SESSION_SETUP failure and the connection MUST be terminated. If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response AND if  RequireMessageSigning is FALSE, Session.SigningRequired MUST be set to FALSE.


Section "3.3.5.5.3   Handling GSS-API Authentication"
----------------------------------------------------------------
Existing text:

"
4.            The server MUST invoke the GSS_Inquire_context call as specified in [RFC2743] section 2.2.6,
passing the Session.SecurityContext as the context_handle parameter.

If the returned anon_state is TRUE, the server MUST set Session.IsAnonymous to TRUE and
set the SMB2_SESSION_FLAG_IS_NULL flag in the SessionFlags field of the SMB2
SESSION_SETUP Response.

Otherwise, if the returned src_name corresponds to an implementation-specific guest
user,<201> the server MUST set the SMB2_SESSION_FLAG_IS_GUEST in the SessionFlags
field of the SMB2 SESSION_SETUP Response and MUST set Session.IsGuest to TRUE.

5.            If either SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL was set in the
SessionFlags, then Session.SigningRequired MUST be set to FALSE. Otherwise, if the
SecurityMode of the client request has the SMB2_NEGOTIATE_SIGNING_REQUIRED bit set, if
Connection.ShouldSign is set to TRUE, OR the global RequireMessageSigning is set to TRUE,
Session.SigningRequired MUST be set to TRUE.
"

Modified text:

"
4.  The server MUST invoke the GSS_Inquire_context call as specified in [RFC2743] section 2.2.6, passing the Session.SecurityContext as the context_handle parameter.
If the returned anon_state is TRUE, the server MUST set Session.IsAnonymous to TRUE and the server MAY set the SMB2_SESSION_FLAG_IS_NULL flag in the SessionFlags field of the SMB2 SESSION_SETUP Response.
Otherwise, if the returned src_name corresponds to an implementation-specific guest user,<201> the server MUST set the SMB2_SESSION_FLAG_IS_GUEST in the SessionFlags field of the SMB2 SESSION_SETUP Response and MUST set Session.IsGuest to TRUE.

5. Session.SigningRequired MUST be set to TRUE under the following conditions:
o             SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode field of the client request
o             SMB2_SESSION_FLAG_IS_GUEST is not set in the SessionFlags and Session.IsAnonymous is FALSE and either
Connection.ShouldSign or global RequireMessageSigning is TRUE
"

Please let me know if it does not answer your question.


Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

From: Obaid Farooqi
Sent: Tuesday, May 15, 2012 5:09 PM
To: 'Stefan (metze) Metzmacher' (metze at samba.org)
Cc: MSSolve Case Email
Subject: Check IS_ANONYMOUS in W8 2008 R2 on SMB2 (and SMB1) to see why bit isn't set to TRUE

Hi Metze:
I'll help you with this issue and will be in touch as soon as I have an answer.

Can you please send me a network trace exhibiting this behavior?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20120523/57a670ba/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: forMetze.pdf
Type: application/pdf
Size: 191633 bytes
Desc: forMetze.pdf
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20120523/57a670ba/attachment-0001.pdf>


More information about the cifs-protocol mailing list