22.214.171.124 Receiving an SMB_COM_TREE_CONNECT_ANDX Request
Requesting Extended Information
If the TREE_CONNECT_ANDX_EXTENDED_RESPONSE is set in the Flags field of the SMB_COM_TREE_CONNECT_ANDX request, then the server MUST respond with the structure specified in section 126.96.36.199.2.
The server MUST populate the SMB_Parameters.Words.OptionalSupport field of the response with a value of Server.Share.OptionalSupport.
The server SHOULD<115> set SMB_UNIQUE_FILE_NAME bit in the OptionalSupport field if Share.ShareFlags contains the SHI1005_FLAGS_ALLOW_NAMESPACE_CACHING constant.
The server MUST calculate the maximal share access rights for the user that requests the tree connect using the following algorithm.
MaxRights = 0x00000000 IF Server.Share.FileSecurity == NULL MaxRights = 0xFFFFFFFF ELSE FOR EACH AccessBit value defined in section 188.8.131.52 Compute access for the user, using Server.Share.FileSecurity and Server.Session.SecurityContext, as described in [MS-DTYP] section 184.108.40.206. IF access was granted MaxRights = MaxRights | AccessBit; END IF END FOR END IF
The computed MaxRights ACCESS_MASK MUST be placed in the SMB_Parameters.Words.MaximalShareAccessRights of the response. The server MUST set TreeConnect.MaximalAccess to MaximalShareAccessRights. If no access is granted for the client on this share, the server MUST fail the request with STATUS_ACCESS_DENIED and MUST increase ServerStatistics.sts0_permerrors by 1.
Using the same algorithm, the SMB_Parameters.Words.GuestMaximalAccessRights field of the response SHOULD<116> be set to the calculated highest access rights the guest account has on this share. Instead of using Server.Session.SecurityContext, the server MUST use the guest account's security context. If the system does not support the guest account, then it MUST set GuestMaximalAccessRights to zero.
Session Key Protection
If the client has set the TREE_CONNECT_ANDX_EXTENDED_SIGNATURE bit in the Flags field of the SMB_COM_TREE_CONNECT_ANDX request, then the server MUST hash the session key of the calling user. This protects the key used for signing by making it unavailable to server-side applications.
The one-way hash MUST be performed on the user session key by using the HMAC-MD5 algorithm, as specified in [RFC2104]. The steps are as follows:
Take the 16-byte user session key from Server.Session.SessionKey.
If this is an LM authentication where the session key is only 8 bytes, then zero extend it to 16 bytes.
If the session key is more than 16 bytes, then use only the first 16 bytes.
Calculate the one-way hash as follows:
CALL hmac_md5( SSKeyHash, 256, session key, session key length, digest ) SET user session key = digest
The resulting 16-byte digest is treated as the user's new session key and returned to the caller who requests it. SSKeyHash is the well-known constant array that is described in section 220.127.116.11.
After the session key has been hashed, the server MUST place the hash into Server.Session.SessionKey and set Server.Session.SessionKeyState to Available, which allows applications to query the session key. If the TREE_CONNECT_ANDX_EXTENDED_SIGNATURE bit is not set, then the Server.Session.SessionKey is not changed and Server.Session.SessionKeyState MUST be set to Available.