alternate form of tconX response

Steven French sfrench at
Thu Aug 15 13:18:00 GMT 2002

In the course of our recent poking around ntlmssp we discovered (or
rediscovered perhaps) that the tconX response from Windows 2k (or XP) to
Windows 2k has a wct of 7, not 3 as Samba and everyone else understands.
Turns out that this is controlled by whether the client sets the tcon flags
in the request to 0x0008 (the only flag bit that is documented is 0x0001,
which means "disconnect tid"). I confirmed this by forcing the Linux cifs
vfs to set this tconX flag bit. The two extra DWORDs that are being
returned by Windows on the tconX response relate to access control (similar
looking to access flags) - a common default is 0x001f01ff (twice).
Changing the permissions on the root of the share causes these bits to
change in interesting ways, but we haven't quite put the puzzle together.
Any ideas as to exactly why two access control DWORDs, and how to prove
that they represent the access_flags we think that they do? (The Windows
GUI makes it tricky to set the bits granular enough to figure out how they
map to these flag bits - it oversimplifies.)

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at
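
An added example, not part of the original post and not Samba or cifs vfs code: a parser that accepts both word counts the post describes and tests the post's guess that the two extra DWORDs are NT access masks, by naming each set bit and returning any bit left unexplained. The struct fields, function names and sample bytes are this example's own; the right names are the standard Windows file access-mask constants.

```c
#include <stdint.h>
#include <stdio.h>

struct tconx_rsp {              /* field names are this example's own */
    uint8_t  wct;               /* 3 = classic form, 7 = two extra DWORDs */
    uint16_t optional_support;
    uint32_t access[2];         /* zero unless wct == 7 */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* buf starts at the wct byte; -1 on a short buffer or a wct other than 3 or 7 */
int parse_tconx_rsp(const uint8_t *buf, size_t len, struct tconx_rsp *r) {
    if (len < 1 || (buf[0] != 3 && buf[0] != 7)) return -1;
    if (len < 1 + 2 * (size_t)buf[0]) return -1;   /* bound before reading */
    r->wct = buf[0];
    r->optional_support = le16(buf + 5);           /* follows 4 AndX bytes */
    r->access[0] = r->wct == 7 ? le32(buf + 7) : 0;
    r->access[1] = r->wct == 7 ? le32(buf + 11) : 0;
    return 0;
}

/* Assumption: each DWORD is an NT ACCESS_MASK for a file object. */
static const struct { uint32_t bit; const char *name; } rights[] = {
    {0x001, "FILE_READ_DATA"}, {0x002, "FILE_WRITE_DATA"}, {0x004, "FILE_APPEND_DATA"},
    {0x008, "FILE_READ_EA"}, {0x010, "FILE_WRITE_EA"}, {0x020, "FILE_EXECUTE"},
    {0x040, "FILE_DELETE_CHILD"}, {0x080, "FILE_READ_ATTRIBUTES"},
    {0x100, "FILE_WRITE_ATTRIBUTES"}, {0x010000, "DELETE"}, {0x020000, "READ_CONTROL"},
    {0x040000, "WRITE_DAC"}, {0x080000, "WRITE_OWNER"}, {0x100000, "SYNCHRONIZE"},
};

/* Prints the named rights set in mask; returns the bits no name explains. */
uint32_t explain_mask(uint32_t mask) {
    for (size_t i = 0; i < sizeof rights / sizeof rights[0]; i++) {
        if (mask & rights[i].bit) printf("  %s\n", rights[i].name);
        mask &= ~rights[i].bit;
    }
    return mask;
}

/* Constructed sample: wct 7, no chained command, both DWORDs 0x001f01ff. */
static const uint8_t sample[] = { 7, 0xff, 0, 0, 0, 0x01, 0x00,
    0xff, 0x01, 0x1f, 0x00, 0xff, 0x01, 0x1f, 0x00 };
int main(void) {
    struct tconx_rsp r;
    if (parse_tconx_rsp(sample, sizeof sample, &r)) return 1;
    return explain_mask(r.access[0]) != 0;   /* exit 0 when every bit is named */
}
```

Under that assumption 0x001f01ff decomposes completely into the fourteen named rights, so a capture taken after changing the share-root permissions can be fed through `explain_mask` to see which right each change toggles.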
