cifs draft extensions: security negotiation and session setup

Luke Kenneth Casson Leighton lkcl at switchboard.net
Fri Jan 16 18:48:40 GMT 1998


hi,

attached are some draft extensions to the smb protocol.  i said if i got
pissed enough i'd write some.  please discuss them amongst yourselves:
i can only comment briefly at the moment.

http://mailhost.cb1.com/~lkcl/cifs-ext.txt

Luke Kenneth Casson Leighton <lkcl at switchboard.net>
Samba Consultancy and Support: http://mailhost.cb1.com/~lkcl

CIFS Extensions
---------------

Author: Luke Kenneth Casson Leighton
Date  : 16 Jan 98

This document describes cifs extensions for cifs over tcp, and for
parallel negotiation or re-negotiation of security for an SMB session.

Prior reading: - draft-leach-cifs-v1-spec-01.txt
                 sections 4.1.1, 4.1.2.2
               - cifs6.txt
                 sections 4.1.1, 4.1.2 (NT LM 0.12)

the smb protocol needs to have independent messages for the communication
of related information.  almost every stage should involve negotiation,
such as:

- what is talking to what (machines, transport, ports -> referral or connection)

- protocols

     - smb level (list of SMB protocols -> protocol to use)
     - client and server capabilities
     - encryption (snego -> kerberos etc)

- who (user context info) is talking to who/what

- what the user wants to access on the server.


these are covered at present by:

- NetBIOS session setup (machines, transport, port -> referral or connection)

- SMBnegprot

	- smb level (list of smb protocols -> index of protocol to use)
	- client capabilities and server capabilities, including
	  SMB_EXTENDED_SECURITY

- SMBsesssetupX (the draft one not the cifs6.txt one)

	- user context info (username/password/domain)
	- encryption (security blobs -> return security blobs, repeat)
	  only possible if SMB_EXTENDED_SECURITY is "SMB-negotiated".

- SMBtconX

	- share name, share password.

- SMBtdis (opposite of SMBtcon)
- SMBulogoff (opposite of SMBsessetup)


however, as has been pointed out, and as can be seen, client/server
capabilities are tied to the smb level negotiation, and encryption
tied in with the user context info.  also, microsoft intend to _drop_
the NetBIOS session setup, leaving no means to identify the client
or server.

the following is proposed, to deal with this:

- SMBsessionreq (machines, transport, ports -> referral or connection)

- SMBnegcaps (client and server capabilities)
- SMBnegprot2 (list of SMB protocols -> protocol to use)
- SMBnegsec (security blob id info.)

- SMBsecuritysetup (security blob client/server sequence)
- SMBsesssetup (user context info - username, password, domain)
  *this is the cifs6.txt SMBsesssetup _not_ the new draft one*

- SMBtconX (share name, share password).

- SMBtdis (opposite of tcon)
- SMBulogoff (opposite of sessetup)


sequence of SMBs, and conditions on their use
---------------------------------------------

SMBnegprot2 and SMBnegcaps must come between SMB session request and
SMB session setup 2.

SMBnegsec is optional, but must come after the SMBnegcaps, and only
if SMB_EXTENDED_SECURITY is a successfully negotiated capability.
an SMBsecuritysetup challenge/response sequence must then follow.

SMBnegsec followed by SMBsecuritysetup(s) can be sent more than once.
the negotiated encryption will apply or reapply to the *whole* session.

SMB security negotiation can happen in parallel with SMB sessions.
However, it is advised that clients should wait until the successful
completion of the first security negotiation stages before starting
SMB session setups and SMBtcons, as the server is likely to reject
them with SECURITY_NEGOTIATION_REQUIRED SMB errors (0xC000nnnn, where
nnnn is to be allocated).

The client should be prepared to have to negotiate or re-negotiate
security at *any* time if it supports SMB_EXTENDED_SECURITY
capabilities, and to immediately start using the negotiated or
re-negotiated security on all SMBs in the session.

The server should be capable of indicating to the client that
the security level is insufficient or has expired, with a
SECURITY_NEGOTIATION_REQUIRED SMB error on all SMB requests
except SMBnegsec, *without* closing any files, disconnecting
any shares or closing the session.


SMB_SESSION_REQUEST
-------------------

Client Request                 Description
============================== =====================================

UCHAR WordCount;               Count of parameter words = 12
UCHAR AndXCommand;             Secondary (X) command;  0xFF = none
UCHAR AndXReserved;            Reserved (must be 0)
USHORT AndXOffset;             Offset to next command WordCount

CLIENT_UNC_NAME_LEN
CLIENT_UNC_VERSION_LEN
SERVER_UNC_NAME_LEN
REFERRING_SERVER_UNC_NAME_LEN
CLIENT_UNC_NAME[]
CLIENT_VERSION[]
SERVER_UNC_NAME[]
REFERRING_SERVER_UNC_NAME[]

if a name length is zero, the string it refers to is skipped
altogether.  client name and server name in the request are not
optional.  referring server name is not optional if a server
has referred the client from another server in a previous SMB
session request.

the client unc version string contains context-sensitive or OEM
information ("Client for Microsoft Networks - Windows NT 4.0 Build 1381"
or "smbclient-1.9.18p1" or "Thursby's DAVE 1.0.1 Macintosh Client").

the client and server unc names can be "nbt://callingname#00:139" and
"nbt://calledname#20:139" to support backwards compatibility with the
old netbios format, for applications that require netbios names.

the referring server unc name is the name of the server that referred
the client to this new server, causing the client to make this second
SMB session request.

a referred SMB session request cannot be re-referred to yet another
SMB server.

The response is:

Server Response                    Description
================================== =================================

UCHAR WordCount;                   Count of parameter words = 3
UCHAR AndXCommand;                 Secondary (X) command;  0xFF = none
UCHAR AndXReserved;                Reserved (must be 0)
USHORT AndXOffset;                 Offset to next command WordCount

SERVER_UNC_NAME_LEN
SERVER_VERSION_LEN
ERROR_CODE_STRING_LEN
SERVER_UNC_REFERRAL_NAME_LEN
SERVER_UNC_NAME[]
SERVER_VERSION[]
ERROR_CODE_STRING[]
SERVER_UNC_REFERRAL_NAME[]

if a name length is zero, the string it refers to is skipped
altogether.  server name in the response is not optional.  

the server version info may contain context-sensitive or OEM information,
e.g. "Microsoft Windows NT 4.0 Build 1381 CIFS Server" or
"samba-1.9.18p1 root-config-file:/usr/local/samba/lib/smb.conf.%U.%m"
or "Thursby's Macintosh SMB Server DAVE 2.0".

the server unc referral name is optional, and should be accompanied by
an SMB_SESSION_REFERRAL warning (0x8000nnnn - nnnn to be arranged) and
an optional verbose error string (for debugging / user informational
purposes) of "SMB session is being referred to another server / protocol /
port number".

the client should then issue a new SMB session request using the protocol
specified in the unc, to the server specified in the unc, on the port
number specified in the unc.  regardless of whether the client is
capable of doing this, it must drop the TCP connection (and so will the
server).

the server cannot issue an SMB session referral to a client that has
already been referred: it must reject the session.  a mechanism for
the server to then complain to the referrer is yet to be decided.
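The following is an added example (not part of the draft or of any Samba code) that encodes and decodes the SMB_SESSION_REQUEST body and applies the referral rule above on the server side. It assumes the four length fields are little-endian USHORTs, which the draft leaves unspecified, and uses symbolic status names because the numeric codes are not yet allocated.

```python
import struct

# Assumed wire layout: four USHORT little-endian lengths followed by the four
# strings back to back, no terminators. A zero length means the string is absent.
_HDR = struct.Struct("<HHHH")
_FIELDS = ("client_unc", "client_version", "server_unc", "referring_server_unc")

def build_session_request(client_unc, client_version, server_unc, referring_server_unc=""):
    """Encode the SMB_SESSION_REQUEST body (the bytes after the AndX header)."""
    parts = [s.encode("utf-8") for s in (client_unc, client_version, server_unc, referring_server_unc)]
    return _HDR.pack(*(len(p) for p in parts)) + b"".join(parts)

def parse_session_request(body):
    """Decode a request body; absent (zero-length) strings come back as ''."""
    if len(body) < _HDR.size:
        raise ValueError("truncated length block")
    lengths = _HDR.unpack_from(body)
    if _HDR.size + sum(lengths) != len(body):
        raise ValueError("length fields do not match body size")
    req, pos = {}, _HDR.size
    for name, n in zip(_FIELDS, lengths):
        req[name] = body[pos:pos + n].decode("utf-8")
        pos += n
    # the draft makes client and server names mandatory in the request
    if not req["client_unc"] or not req["server_unc"]:
        raise ValueError("client and server UNC names are not optional")
    return req

# Symbolic statuses: the draft's SMB_SESSION_REFERRAL is 0x8000nnnn, nnnn unallocated.
OK, REFERRAL, REJECT = "OK", "SMB_SESSION_REFERRAL", "REJECTED"

def server_decide(req, referral_target=None):
    """Server-side referral rule: a request that arrived via a referral must not be
    referred again, so it is rejected instead. Returns (status, referral_unc)."""
    if referral_target is None:
        return OK, ""
    if req["referring_server_unc"]:
        return REJECT, ""
    return REFERRAL, referral_target
```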



SMB_NEGOTIATE_SECURITY
----------------------

Client Request                 Description
============================== =====================================

UCHAR WordCount;               Count of parameter words = 12
UCHAR AndXCommand;             Secondary (X) command;  0xFF = none
UCHAR AndXReserved;            Reserved (must be 0)
USHORT AndXOffset;             Offset to next command WordCount

UCHAR SecurityBlobLength;      Length of SecurityBlob
USHORT ByteCount;              Count of data bytes
UCHAR GUID[16]                 A globally unique identifier assigned with the
                               client.
UCHAR SecurityBlob[]           Opaque Security Blob associated with the
                               security package.


The response is:

Server Response                    Description
================================== =================================

UCHAR WordCount;                   Count of parameter words = 3
UCHAR AndXCommand;                 Secondary (X) command;  0xFF = none
UCHAR AndXReserved;                Reserved (must be 0)
USHORT AndXOffset;                 Offset to next command WordCount

UCHAR SecurityBlobLength;          Length of SecurityBlob
USHORT ByteCount;                  Count of data bytes
UCHAR GUID[16]                     A globally unique identifier assigned
                                   to the server.
UCHAR SecurityBlob[]               Opaque Security Blob associated with the
                                   security package.



SMB_SECURITY_SETUP_ANDX
-----------------------

Client Request                 Description
============================== =====================================

UCHAR WordCount;               Count of parameter words = 12
UCHAR AndXCommand;             Secondary (X) command;  0xFF = none
UCHAR AndXReserved;            Reserved (must be 0)
USHORT AndXOffset;             Offset to next command WordCount
USHORT SecurityBlobLength;     Length of opaque security blob
ULONG Reserved;                must be 0
USHORT ByteCount;              Count of data bytes;    min = 0
UCHAR SecurityBlob[]           The opaque security blob



The response is:

Server Response                    Description
================================== =================================

UCHAR WordCount;                   Count of parameter words = 3
UCHAR AndXCommand;                 Secondary (X) command;  0xFF = none
UCHAR AndXReserved;                Reserved (must be 0)
USHORT AndXOffset;                 Offset to next command WordCount

USHORT SecurityBlobLength;         Length of Security Blob that
                                    follows in a later field
USHORT ByteCount;                  Count of data bytes
UCHAR SecurityBlob[]               SecurityBlob of length specified
                                    in field SecurityBlobLength

There may be multiple round trips involved in the security blob
exchange. In that case, the server may return an error
STATUS_MORE_PROCESSING_REQUIRED (a value of 0xC0000016) in the SMB
status. The client can then repeat the SecuritySetupAndX SMB with the
next security blob.
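As an added example (not from the draft or from Samba), the server-side session model below ties together the multi-round-trip blob exchange just described and the earlier sequencing rules: other SMBs are refused with SECURITY_NEGOTIATION_REQUIRED until the exchange completes, and an expired security level forces re-negotiation without closing open files. The number of round trips the "security package" needs is a constructed parameter, and the SECURITY_NEGOTIATION_REQUIRED value is a placeholder because the draft leaves nnnn unallocated.

```python
STATUS_OK = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016   # from the draft
SECURITY_NEGOTIATION_REQUIRED = 0xC000FFFF     # placeholder: low word "nnnn" not allocated

class Session:
    """Server-side state of one SMB session under the draft's security rules."""

    def __init__(self, required_round_trips=2):
        self.required = required_round_trips  # constructed: blobs the package needs
        self.blobs_seen = 0
        self.security_ok = False
        self.client_guid = None
        self.open_files = set()

    def negotiate_security(self, client_guid):
        """SMBnegsec: exchange GUIDs and start (or restart) a blob exchange."""
        self.client_guid = client_guid
        self.blobs_seen = 0
        return b"\x00" * 16  # constructed server GUID

    def security_setup(self, blob):
        """SMBsecuritysetup: one leg of the exchange. Returns (status, server_blob)."""
        self.blobs_seen += 1
        if self.blobs_seen < self.required:
            return STATUS_MORE_PROCESSING_REQUIRED, b"server-blob-%d" % self.blobs_seen
        self.security_ok = True  # negotiated security now applies to the whole session
        return STATUS_OK, b""

    def expire_security(self):
        """Server finds the level insufficient or expired: nothing is closed."""
        self.security_ok = False
        self.blobs_seen = 0

    def request(self, command, arg=None):
        """Any other SMB: refused until security is negotiated, state left intact."""
        if not self.security_ok:
            return SECURITY_NEGOTIATION_REQUIRED
        if command == "open":
            self.open_files.add(arg)
        elif command == "close":
            self.open_files.discard(arg)
        return STATUS_OK
```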



