[cifs-protocol] Check IS_ANONYMOUS in W8 2008 R2 on SMB2 (and SMB1) to see why bit isn't set to TRUE
Obaid Farooqi
obaidf at microsoft.com
Wed May 23 15:46:32 MDT 2012
Hi Metze:
We have finished our investigation on your question regarding anonymous user and session flag SMB2_SESSION_FLAG_IS_NULL. An upcoming release of MS-SMB2 will have the following modifications. I am also attaching a PDF version of the changes that uses color and strikethrough to highlight the changes.
Section "3.2.5.3.1 Handling a New Authentication"
--------------------------------------------------------------
Existing text:
"
o If the SMB2_SESSION_FLAG_IS_NULL bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response, Session.SigningRequired MUST be set to FALSE.
o If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response AND if Session.SigningRequired is TRUE, this indicates a SESSION_SETUP failure and the connection MUST be terminated.
"
Modified text:
"
o If the security subsystem indicates that the session was established by an anonymous user, Session.SigningRequired MUST be set to FALSE.
o If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response AND if Session.SigningRequired is TRUE, this indicates a SESSION_SETUP failure and the connection MUST be terminated. If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response AND if RequireMessageSigning is FALSE, Session.SigningRequired MUST be set to FALSE.
Section "3.3.5.5.3 Handling GSS-API Authentication"
----------------------------------------------------------------
Existing text:
"
4. The server MUST invoke the GSS_Inquire_context call as specified in [RFC2743] section 2.2.6,
passing the Session.SecurityContext as the context_handle parameter.
If the returned anon_state is TRUE, the server MUST set Session.IsAnonymous to TRUE and
set the SMB2_SESSION_FLAG_IS_NULL flag in the SessionFlags field of the SMB2
SESSION_SETUP Response.
Otherwise, if the returned src_name corresponds to an implementation-specific guest
user,<201> the server MUST set the SMB2_SESSION_FLAG_IS_GUEST in the SessionFlags
field of the SMB2 SESSION_SETUP Response and MUST set Session.IsGuest to TRUE.
5. If either SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL was set in the
SessionFlags, then Session.SigningRequired MUST be set to FALSE. Otherwise, if the
SecurityMode of the client request has the SMB2_NEGOTIATE_SIGNING_REQUIRED bit set, if
Connection.ShouldSign is set to TRUE, OR the global RequireMessageSigning is set to TRUE,
Session.SigningRequired MUST be set to TRUE.
"
Modified text:
"
4. The server MUST invoke the GSS_Inquire_context call as specified in [RFC2743] section 2.2.6, passing the Session.SecurityContext as the context_handle parameter.
If the returned anon_state is TRUE, the server MUST set Session.IsAnonymous to TRUE and the server MAY set the SMB2_SESSION_FLAG_IS_NULL flag in the SessionFlags field of the SMB2 SESSION_SETUP Response.
Otherwise, if the returned src_name corresponds to an implementation-specific guest user,<201> the server MUST set the SMB2_SESSION_FLAG_IS_GUEST in the SessionFlags field of the SMB2 SESSION_SETUP Response and MUST set Session.IsGuest to TRUE.
5. Session.SigningRequired MUST be set to TRUE under the following conditions:
o SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode field of the client request
o SMB2_SESSION_FLAG_IS_GUEST is not set in the SessionFlags and Session.IsAnonymous is FALSE and either
Connection.ShouldSign or global RequireMessageSigning is TRUE
"
Please let me know if it does not answer your question.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
From: Obaid Farooqi
Sent: Tuesday, May 15, 2012 5:09 PM
To: 'Stefan (metze) Metzmacher' (metze at samba.org)
Cc: MSSolve Case Email
Subject: Check IS_ANONYMOUS in W8 2008 R2 on SMB2 (and SMB1) to see why bit isn't set to TRUE
Hi Metze:
I'll help you with this issue and will be in touch as soon as I have an answer.
Can you please send me a network trace exhibiting this behavior?
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
Exceeding your expectations is my highest priority. If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20120523/57a670ba/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: forMetze.pdf
Type: application/pdf
Size: 191633 bytes
Desc: forMetze.pdf
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20120523/57a670ba/attachment-0001.pdf>
More information about the cifs-protocol
mailing list