
4.1 Connecting to a Share by Using a Multi-Protocol Negotiate

The following diagram shows the steps taken by a client that is negotiating SMB2 by using an SMB-style negotiate.

Figure 6: Client negotiating SMB2 with SMB-style negotiate

  1. The client sends an SMB negotiate packet with the string "SMB 2.002" in the dialect string list, along with the other SMB dialects the client implements.

    Smb: C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
    Protocol: SMB
    Command: Negotiate 114(0x72)
    SMBHeader: Command, TID: 0xFFFF, PID: 0xFEFF, UID: 0x0000, MID: 0x0000
    Flags: 24 (0x18)
    Bit0: (.......0) SMB_FLAGS_LOCK_AND_READ_OK: LOCK_AND_READ and WRITE_AND_CLOSE not supported (obsoleted)
    Bit1: (......0.) SMB_FLAGS_SEND_NO_ACK [not implemented]
    Bit2: (.....0..) Reserved (must be zero)
    Bit3: (....1...) SMB_FLAGS_CASE_INSENSITIVE: SMB paths are case-insensitive
    Bit4: (...1....) SMB_FLAGS_CANONICALIZED_PATHS: Canonicalized File and pathnames (obsoleted)
    Bit5: (..0.....) SMB_FLAGS_OPLOCK: No Oplocks supported for OPEN, CREATE & CREATE_NEW (obsoleted)
    Bit6: (.0......) SMB_FLAGS_OPLOCK_NOTIFY_ANY: No Notifications supported for OPEN, CREATE & CREATE_NEW (obsoleted)
    Bit7: (0.......) SMB_FLAGS_SERVER_TO_REDIR: Command - SMB is being sent from the client
    Flags2: 51283 (0xC853)
    Bit00: (...............1) SMB_FLAGS2_KNOWS_LONG_NAMES: May return long file names
    Bit01: (..............1.) SMB_FLAGS2_KNOWS_EAS: Understands extended attributes
    Bit02: (.............0..) SMB_FLAGS2_SMB_SECURITY_SIGNATURE: Not security signature-enabled
    Bit03: (............0...) Reserved
    Bit04: (...........1....) Reserved
    Bit05: (..........0.....) SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED: SMB packets must be signed
    Bit06: (.........1......) SMB_FLAGS2_IS_LONG_NAME: Any path name in the request is a long name
    Bit07: (........0.......) Reserved
    Bit08: (.......0........) Reserved
    Bit09: (......0.........) Reserved
    Bit10: (.....0..........) SMB_FLAGS2_REPARSE_PATH: Not requesting Reparse path
    Bit11: (....1...........) SMB_FLAGS2_EXTENDED_SECURITY: Aware of extended security
    Bit12: (...0............) SMB_FLAGS2_DFS: No DFS namespace
    Bit13: (..0.............) SMB_FLAGS2_PAGING_IO: Read operation will NOT be permitted if has no read permission
    Bit14: (.1..............) SMB_FLAGS2_NT_STATUS: Using 32-bit NT status error codes
    Bit15: (1...............) SMB_FLAGS2_UNICODE: Using UNICODE strings
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 65535 (0xFFFF)
    Reserved: 0 (0x0)
    UserID: 0 (0x0)
    MultiplexID: 0 (0x0)
    CNegotiate: 
    WordCount: 0 (0x0)
    ByteCount: 109 (0x6D)
    Dialect: PC NETWORK PROGRAM 1.0
    BufferFormat: Dialect 2(0x2)
    DialectName: PC NETWORK PROGRAM 1.0
    Dialect: LANMAN1.0
    BufferFormat: Dialect 2(0x2)
    DialectName: LANMAN1.0
    Dialect: Windows for Workgroups 3.1a
    BufferFormat: Dialect 2(0x2)
    DialectName: Windows for Workgroups 3.1a
    Dialect: LM1.2X002
    BufferFormat: Dialect 2(0x2)
    DialectName: LM1.2X002
    Dialect: LANMAN2.1
    BufferFormat: Dialect 2(0x2)
    DialectName: LANMAN2.1
    Dialect: NT LM 0.12
    BufferFormat: Dialect 2(0x2)
    DialectName: NT LM 0.12
    Dialect: SMB 2.002
    BufferFormat: Dialect 2(0x2)
    DialectName: SMB 2.002
    
    
    
  2. The server receives the SMB negotiate request and finds dialect "SMB 2.002". The server responds with an SMB2 negotiate.

    Smb2: R NEGOTIATE
    SMB2Header: 
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: NEGOTIATE
    Credits: 1 (0x1)
    Flags: 1 (0x1)
    ServerToRedir: ...............................1  Server to Client
    AsyncCommand:  ..............................0.  Command is not asynchronous
    Related:       .............................0..  Packet is single message
    Signed:        ............................0...  Packet is not signed
    Reserved: 0 (0x0)
    DFS:           0...............................  Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 0 (0x0)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
    RNegotiate: 
    Size: 65 (0x41)
    SecurityMode: Signing Enabled
    DialectRevision: 0x0202
    Reserved: 0 (0x0)
    Guid: {3F5CF209-A4E5-0049-A7D6-6A456D5CA5CF}
    Capabilities: 1 (0x1)
    DFS:           ...............................1  DFS available
    MaxTransactSize: 65536 (0x10000)
    MaxReadSize: 65536 (0x10000)
    MaxWriteSize: 65536 (0x10000)
    SystemTime: 127972992061679232 (0x1C6A6C21CAE2680)
    ServerStartTime: 127972985895467232 (0x1C6A6C0AD2538E0)
    SecurityBufferOffset: 128 (0x80)
    SecurityBufferLength: 30 (0x1E)
    Reserved2: 0 (0x0)
    Buffer:
    
    
  3. The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request with the output token received from GSS.

    Smb2: C SESSION SETUP
    Smb2: C SESSION SETUP
    SMB2Header: 
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 126 (0x7E)
    Flags: 0 (0x0)
    ServerToRedir: ...............................0  Client to Server
    AsyncCommand:  ..............................0.  Command is not asynchronous
    Related:       .............................0..  Packet is single message
    Signed:        ............................0...  Packet is not signed
    Reserved: 0 (0x0)
    DFS:           0...............................  Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
    CSessionSetup: 
    Size: 25 (0x19)
    VcNumber: 0 (0x0)
    SecurityMode: Signing Enabled
    Capabilities: 1 (0x1)
    DFS:            ...............................1 DFS available
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 74 (0x4A)
    Buffer: (74 bytes)
    
    
  4. The server processes the token received with GSS and gets a return code indicating a subsequent round trip is required. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.

    Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
    Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
    SMB2Header: 
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_MORE_PROCESSING_REQUIRED
    Command: SESSION SETUP
    Credits: 2 (0x2)
    Flags: 1 (0x1)
    ServerToRedir: ...............................1  Server to Client
    AsyncCommand:  ..............................0.  Command is not asynchronous
    Related:       .............................0..  Packet is single message
    Signed:        ............................0...  Packet is not signed
    Reserved: 0 (0x0)
    DFS:           0...............................  Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
    RSessionSetup: 
    Size: 9 (0x9)
    SessionFlags: Normal session
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 219 (0xDB)
    Buffer: (219 bytes)
    
    
  5. The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the previous response.

    Smb2: C SESSION SETUP
    Smb2: C SESSION SETUP
    SMB2Header: 
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 125 (0x7D)
    Flags: 0 (0x0)
    ServerToRedir: ...............................0  Client to Server
    AsyncCommand:  ..............................0.  Command is not asynchronous
    Related:       .............................0..  Packet is single message
    Signed:        ............................0...  Packet is not signed
    Reserved: 0 (0x0)
    DFS:           0...............................  Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
    CSessionSetup: 
    Size: 25 (0x19)
    VcNumber: 0 (0x0)
    SecurityMode: Signing Enabled
    Capabilities: 1 (0x1)
    DFS:            ...............................1 DFS available
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 245 (0xF5)
    Buffer: (245 bytes)
    
    
  6. The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.

    Smb2: R SESSION SETUP
    Smb2: R SESSION SETUP
    SMB2Header: 
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 3 (0x3)
    Flags: 9 (0x9)
    ServerToRedir: ...............................1  Server to Client
    AsyncCommand:  ..............................0.  Command is not asynchronous
    Related:       .............................0..  Packet is single message
    Signed:        ............................1...  Packet is signed
    Reserved: 0 (0x0)
    DFS:           0...............................  Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
    RSessionSetup: 
    Size: 9 (0x9)
    SessionFlags: Normal session
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 29 (0x1D)
    Buffer: (29 bytes)
    
    
  7. The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the SessionId for the session, and a tree connect request containing the Unicode share name "\\smb2server\IPC$".

    Smb2: C TREE CONNECT \\smb2server\IPC$
    SMB2Header: 
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: TREE CONNECT
    Credits: 123 (0x7B)
    Flags: 0 (0x0)
    ServerToRedir: ...............................0  Client to Server
    AsyncCommand:  ..............................0.  Command is not asynchronous
    Related:       .............................0..  Packet is single message
    Signed:        ............................0...  Packet is not signed
    Reserved: 0 (0x0)
    DFS: 0...............................  Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
    CTreeConnect: 
    Size: 9 (0x9)
    Reserved: 0 (0x0)
    PathOffset: 72 (0x48)
    PathLength: 34 (0x22)
    Share: \\smb2server\IPC$
    
    
  8. The server responds with an SMB2 TREE_CONNECT Response with MessageId of 3, CreditResponse of 5, Status equal to STATUS_SUCCESS, SessionId of 0x40000000009, and TreeId set to the locally generated identifier 0x1.

    Smb2: R TREE CONNECT TID=0x1
    SMB2Header: 
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: TREE CONNECT
    Credits: 5 (0x5)
    Flags: 1 (0x1)
    ServerToRedir: ...............................1  Server to Client
    AsyncCommand:  ..............................0.  Command is not asynchronous
    Related:       .............................0..  Packet is single message
    Signed:        ............................0...  Packet is not signed
    Reserved: 0 (0x0)
    DFS:           0...............................  Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 0 (0x0)
    TreeId: 1 (0x1)
    SessionId: 4398046511113 (0x40000000009)
    RTreeConnect: 
    Size: 16 (0x10)
    ShareType: Pipe
    Reserved: 0 (0x0)
    Flags: No Caching
    Capabilities: 0 (0x0)
    MaximalAccess: 2032127 (0x1F01FF)
    
    

Further operations can now continue, using the SessionId and TreeId generated in the connection to this share.
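
The multi-protocol negotiate in steps 1 and 2 can be checked byte for byte. The following is an added example, not part of the original specification text: it rebuilds the step 1 request from the traced field values, parses the dialect list with bounds and format checks, and applies the step 2 decision. The function names (`build_negotiate`, `parse_negotiate`, `server_choice`) are hypothetical, and the packet is a constructed sample rather than a capture.

```python
import struct

# SMB1 header layout (32 bytes): protocol, command, status, flags, flags2,
# PIDHigh, SecuritySignature, reserved, TID, PIDLow, UID, MID.
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECT_0202 = 0x0202  # DialectRevision in the step 2 response

# Dialect strings from the step 1 trace, in the order the client sent them.
TRACE_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0",
                  "Windows for Workgroups 3.1a", "LM1.2X002", "LANMAN2.1",
                  "NT LM 0.12", "SMB 2.002"]

def build_negotiate(dialects, flags=0x18, flags2=0xC853):
    """Constructed sample: rebuild the step 1 request from the traced fields."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_HEADER.pack(b"\xffSMB", SMB_COM_NEGOTIATE, 0, flags, flags2,
                              0, bytes(8), 0, 0xFFFF, 0xFEFF, 0, 0)
    return header + struct.pack("<BH", 0, len(data)) + data

def parse_negotiate(packet):
    """Return (flags2, byte_count, dialects); raise ValueError if malformed."""
    if len(packet) < SMB1_HEADER.size + 3:
        raise ValueError("truncated SMB negotiate")
    proto, command, _, _, flags2, *_ = SMB1_HEADER.unpack_from(packet)
    if proto != b"\xffSMB" or command != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB negotiate request")
    word_count, byte_count = struct.unpack_from("<BH", packet, SMB1_HEADER.size)
    data = packet[SMB1_HEADER.size + 3:]
    if word_count != 0 or byte_count != len(data):
        raise ValueError("WordCount/ByteCount do not match the payload")
    dialects, pos = [], 0
    while pos < len(data):
        end = data.find(b"\x00", pos)
        if data[pos] != 0x02 or end < 0:  # BufferFormat 2, NUL-terminated name
            raise ValueError("bad dialect entry at offset %d" % pos)
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return flags2, byte_count, dialects

def server_choice(dialects):
    """Step 2: a server that finds "SMB 2.002" answers with an SMB2 negotiate."""
    return SMB2_DIALECT_0202 if "SMB 2.002" in dialects else None
```

The seven dialect entries add up to the ByteCount of 109 (0x6D) shown in the trace, since each entry is one BufferFormat byte, the name, and a terminating NUL.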

© 2014 Microsoft