[cifs-protocol] [REG:112053067163367] [MS-SMB2] handle based permission checks

Bryan Burgin bburgin at microsoft.com
Fri Oct 19 17:10:06 MDT 2012


[Changed title to reference SMB2 instead of SMB1]


Volker,

Thank you for your patience. We updated [MS-SMB2] sections 3.3.5.5 Receiving an SMB2 SESSION_SETUP Request and 3.3.5.5.3 Handling GSS-API Authentication with the text below. It is different than how Windows presently behaves, which is called out by a Windows behavior note. We recommend that your code match the specification itself and not mimic Windows. Future Windows versions will match the specification provided below and existing Windows versions may be updated to follow the specification.
Thank you for raising this issue to us.


3.3.5.5   Receiving an SMB2 SESSION_SETUP Request
[…]

6.  If Session.State is Expired, the server MUST set Session.SecurityContext to NULL, and process the session setup request as specified in section 3.3.5.5.2. Otherwise, proceed to step 7.

[…]

8.  If Session.State is Valid, the server MUST do the following:

• If Connection.Dialect is "2.002", the server MUST fail the session setup request with STATUS_REQUEST_NOT_ACCEPTED.

• Otherwise, the server MUST process the session setup request as specified in section 3.3.5.5.2.

3.3.5.5.2   Reauthenticating an Existing Session
Session.State MUST be set to InProgress. Authentication is continued as specified in section 3.3.5.5.3. Note that the existing Session.SessionKey will be retained.



3.3.5.5.3   Handling GSS-API Authentication



3.  If Session.SecurityContext is NULL, it MUST be set to a value representing the user which successfully authenticated this connection. The security context MUST be obtained from the GSS authentication subsystem. The server MUST invoke the GSS_Inquire_context call as specified in [RFC2743]<http://go.microsoft.com/fwlink/?LinkId=90378> section 2.2.6, passing the Session.SecurityContext as the input parameter, and set Session.UserName to the returned "src_name".

If Session.SecurityContext is not NULL, the server MUST invoke the GSS_Inquire_context call as specified in [RFC2743]<http://go.microsoft.com/fwlink/?LinkId=90378> section 2.2.6, passing the Session.SecurityContext as the input parameter. If the returned "src_name" does not match with the Session.Username, the server SHOULD <WBN> fail the request with error code STATUS_LOGON_FAILURE.

<WBN> Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 do not fail the request.
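
The session-setup rules quoted above, modelled as an added example (not part of the original message, and not Microsoft or Samba code). It assumes a GSS exchange that has already completed, with `src_name` standing in for the GSS_Inquire_context result; `Session`, `session_setup` and `enforce_name_match` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

# NTSTATUS codes as defined in [MS-ERREF]
STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_REQUEST_NOT_ACCEPTED = 0xC00000D0

@dataclass
class Session:
    state: str                               # "InProgress", "Valid" or "Expired"
    session_key: bytes
    security_context: Optional[str] = None   # stand-in for a GSS context handle
    user_name: Optional[str] = None

def session_setup(session: Session, dialect: str, src_name: str,
                  enforce_name_match: bool = True) -> int:
    """Model one SESSION_SETUP whose GSS exchange completed as src_name.

    Assumption: single-leg authentication that has already succeeded, so
    src_name is what GSS_Inquire_context would return for it.
    """
    if session.state == "Expired":
        # 3.3.5.5 step 6: drop the old context, then reauthenticate
        session.security_context = None
        session.state = "InProgress"         # 3.3.5.5.2
    elif session.state == "Valid":
        # 3.3.5.5 step 8: dialect 2.002 cannot reauthenticate a valid session
        if dialect == "2.002":
            return STATUS_REQUEST_NOT_ACCEPTED
        session.state = "InProgress"         # 3.3.5.5.2, SessionKey is retained
    # 3.3.5.5.3 step 3
    if session.security_context is None:
        session.security_context = f"ctx:{src_name}"   # constructed handle value
        session.user_name = src_name
    elif src_name != session.user_name and enforce_name_match:
        # SHOULD fail; the Windows versions in the behavior note do not
        return STATUS_LOGON_FAILURE
    session.state = "Valid"
    return STATUS_SUCCESS
```

Passing `enforce_name_match=False` reproduces only what the behavior note states, that the request is not failed; the quoted text does not say which identity the session carries afterwards, so the model leaves `user_name` unchanged.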



-----Original Message-----
From: Bryan Burgin
Sent: Friday, October 19, 2012 4:00 PM
To: "Volker.Lendecke at SerNet.DE" <Volker.Lendecke at SerNet.DE>
Cc: "MSSolve Case Email" <casemail at microsoft.com>; "cifs-protocol at cifs.org" <cifs-protocol at cifs.org>; "pfif at tridgell.net" <pfif at tridgell.net>
Subject: [REG:112053067163367] 112053067163367 handle based permission checks in SMB1?

Hello Volker,

Incident number for tracking the SMB2 question is 112053067163367.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications





-----Original Message-----
From: Sreekanth Nadendla
Sent: Tuesday, May 29, 2012 11:31 PM
To: Volker.Lendecke at SerNet.DE
Cc: MSSolve Case Email; cifs-protocol at cifs.org; pfif at tridgell.net
Subject: RE: 112050346749387 handle based permission checks in SMB1?

Hello Volker,

I will create a new incident for SMB2 and let you know the incident number tomorrow.

Regards,
Sreekanth

________________________________________
From: Volker Lendecke [Volker.Lendecke at SerNet.DE]
Sent: Thursday, May 24, 2012 11:10 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol at cifs.org; pfif at tridgell.net
Subject: Re: 112050346749387 handle based permission checks in SMB1?

On Thu, May 24, 2012 at 09:29:12PM +0000, Sreekanth Nadendla wrote:
> Hello Volker,
> Our product group is investigating this issue closely.  I will provide
> you an update as soon as we conclude our review. Thank you for being
> patient.

Thanks for the update.

My question was confined to SMB1. We will need the same information for
SMB2 in the future. Can you cover this in the same request, or should we open a new one?

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

