The following terms are defined in [MS-GLOS]:
Discretionary Access Control List (DACL)
Distributed File System (DFS)
File System Control (FSCTL)
Globally Unique Identifier (GUID)
Security Identifier (SID)
System Access Control List (SACL)
The following terms are specific to this document:
Authenticated Context: The runtime state that is associated with the successful authentication of a security principal between the client and the server, such as the security principal itself, the cryptographic key that was generated during authentication, and the rights and privileges of this security principal.
Create Context: A variable-length attribute that is sent with an SMB2 CREATE Request (section 2.2.13) or SMB2 CREATE Response that either gives extra information about how the create shall be processed, or returns extra information about how the create was processed. See sections 2.2.13.2 and 2.2.14.2.
Durable Open: An open to a file or named pipe that allows the client to attempt to preserve and reestablish the open after a network disconnect.
I/O Control (IOCTL): A command that is issued to a target file system or target device in order to query or alter the behavior of the target; or to query or alter the data and attributes that are associated with the target or the objects that are exposed by the target.
Open: A runtime object that corresponds to a currently established access to a specific file or named pipe from a specific client to a specific server, using a specific user security context. Both clients and servers maintain opens that represent active accesses.
Oplock: An opportunistic lock, or oplock, is a mechanism that is designed to allow clients to dynamically alter their buffering strategy in a consistent manner in order to increase performance and reduce network use. The network performance for remote file operations may be increased if a client can locally buffer file data, which reduces or eliminates the need to send and receive network packets. For example, a client may not have to write information into a file on a remote server if the client knows that no other process is accessing the data. Likewise, the client may buffer read-ahead data from the remote file if the client knows that no other process is writing data to the remote file.
There are three types of oplocks:
- An exclusive oplock allows a client to open a file for exclusive access and allows the client to perform arbitrary buffering.
- A batch oplock allows a client to keep a file open on the server even though the local accessor on the client machine has closed the file.
- A Level II oplock indicates that there are multiple readers of a file and no writers.
When a client opens a file, it requests that the server grant it a particular type of oplock on the file. The response from the server indicates the type of oplock that is granted to the client. The client uses the granted oplock type to adjust its buffering policy.
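The following is an added illustration of the request/grant/break cycle just described; it is not code from MS-SMB2 or from any SMB implementation. It models only the three oplock types named above plus "none", with one simplifying assumption that is stated in the comments: a client keeps exclusive or batch caching only while it is the sole accessor, and Level II is held only while every open on the file is read-only. A real server also consults share modes, access masks and the file system before granting, so treat the rule as a teaching model rather than the protocol's normative behavior.

```python
"""Simplified model of SMB2 oplock grant and break decisions (added example).

Assumption (not from the glossary text): Level II is held only while no open
on the file has write access; a writer always forces every holder to "none".
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Tuple


class Oplock(IntEnum):
    NONE = 0
    LEVEL_II = 1   # multiple readers, no writers
    EXCLUSIVE = 2  # sole accessor, arbitrary buffering
    BATCH = 3      # like exclusive, and the open survives a local close


@dataclass
class Open:
    client: str
    wants_write: bool
    oplock: Oplock = Oplock.NONE
    locally_closed: bool = False  # only meaningful for a batch holder


@dataclass
class FileState:
    opens: List[Open] = field(default_factory=list)
    breaks: List[Tuple[str, Oplock, Oplock]] = field(default_factory=list)

    def _break(self, o: Open, new_level: Oplock) -> None:
        """Record the oplock break sent to a holder and apply its effect."""
        if o.oplock == new_level:
            return
        self.breaks.append((o.client, o.oplock, new_level))
        if o.locally_closed:
            # A batch holder with no local accessor simply closes its cached handle.
            self.opens.remove(o)
        else:
            o.oplock = new_level

    def create(self, client: str, wants_write: bool, requested: Oplock) -> Oplock:
        """Process a CREATE: break conflicting holders, then grant a level."""
        for o in list(self.opens):
            if o.oplock in (Oplock.EXCLUSIVE, Oplock.BATCH):
                readers_only = not wants_write and not o.wants_write
                self._break(o, Oplock.LEVEL_II if readers_only else Oplock.NONE)
            elif o.oplock == Oplock.LEVEL_II and wants_write:
                self._break(o, Oplock.NONE)
        if not self.opens:
            granted = requested            # sole accessor: grant what was asked
        elif (requested == Oplock.NONE or wants_write
              or any(o.wants_write for o in self.opens)):
            granted = Oplock.NONE          # a writer is present: no client caching
        else:
            granted = Oplock.LEVEL_II      # readers only: shared read caching
        self.opens.append(Open(client, wants_write, granted))
        return granted

    def local_close(self, client: str) -> bool:
        """The local accessor closes; return True if the server-side open survives."""
        for o in self.opens:
            if o.client == client:
                if o.oplock == Oplock.BATCH:
                    o.locally_closed = True
                    return True
                self.opens.remove(o)
                return False
        raise KeyError(client)


if __name__ == "__main__":
    fs = FileState()
    print(fs.create("A", wants_write=False, requested=Oplock.BATCH).name)
    print("held after local close:", fs.local_close("A"))
    print(fs.create("B", wants_write=True, requested=Oplock.EXCLUSIVE).name)
    print("breaks sent:", fs.breaks)
```

The batch case is the one worth stepping through: client A's open stays on the server after its local close, and only the break triggered by client B's CREATE makes it go away, after which B is again the sole accessor and receives the exclusive oplock it asked for.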
Session: An authenticated context that is established between an SMB 2.0 Protocol client and an SMB 2.0 Protocol server over an SMB 2.0 Protocol connection for a specific security principal. There could be multiple active sessions over a single SMB 2.0 Protocol connection. The SessionId field in the SMB2 packet header (section 2.2.1) distinguishes the various sessions.
Share: A local resource that is offered by an SMB 2.0 Protocol server for access by SMB 2.0 Protocol clients over the network. The SMB 2.0 Protocol defines three types of shares: file (or disk) shares, which represent a directory tree and its included files; pipe shares, which expose access to named pipes; and print shares, which provide access to print resources on the server. A pipe share as defined by the SMB 2.0 Protocol must always have the name "IPC$". A pipe share must only allow named pipe operations and DFS referral requests to itself.
Symbolic Link: A symbolic link is a reparse point that points to another file system object. The object being pointed to is called the target. Symbolic links are transparent to users; the links appear as normal files or directories, and can be acted upon by the user or application in exactly the same manner. Symbolic links can be created using the FSCTL_SET_REPARSE_POINT request as specified in [MS-FSCC] section 2.3.53. They can be deleted using the FSCTL_DELETE_REPARSE_POINT request as specified in [MS-FSCC] section 2.3.7. Symbolic links are available in NTFS starting with Windows Vista and Windows Server 2008. Implementing symbolic links is optional for a server.
Tree Connect: A connection by a specific session on an SMB 2.0 Protocol client to a specific share on an SMB 2.0 Protocol server over an SMB 2.0 Protocol connection. There could be multiple tree connects over a single SMB 2.0 Protocol connection. The TreeId field in the SMB2 packet header (section 2.2.1) distinguishes the various tree connects.
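The Session and Tree Connect definitions both rest on the same point: one SMB2 connection multiplexes many sessions and many tree connects, and the SessionId and TreeId fields of the 64-byte SMB2 packet header (section 2.2.1) are what tell them apart. The following added example, which is not code from the specification or from any SMB implementation, parses that header with the standard field layout and groups a handful of constructed packets by (SessionId, TreeId). The sample packets, the helper that builds them and the constant names are assumptions made for the illustration. One caveat a parser must handle: when SMB2_FLAGS_ASYNC_COMMAND is set, the Reserved and TreeId bytes are replaced by a single 64-bit AsyncId, so no TreeId is available on such a header.

```python
"""Parse SMB2 packet headers and demultiplex by (SessionId, TreeId) (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_ASYNC_COMMAND = 0x00000002
# ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
# NextCommand, MessageId, Reserved, TreeId, SessionId, Signature: 64 bytes.
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
assert struct.calcsize(HEADER_FMT) == 64

# Command codes used by the constructed sample below.
SMB2_CREATE, SMB2_READ, SMB2_WRITE = 0x0005, 0x0008, 0x0009


@dataclass(frozen=True)
class Smb2Header:
    command: int
    flags: int
    message_id: int
    session_id: int
    tree_id: Optional[int]   # None when the async flag is set
    async_id: Optional[int]  # set only when the async flag is set


def parse_header(buf: bytes) -> Smb2Header:
    """Decode the fixed 64-byte SMB2 header at the start of buf."""
    if len(buf) < 64:
        raise ValueError("short SMB2 header")
    (magic, size, _charge, _status, cmd, _credits, flags, _next, msg_id,
     reserved, tree_id, session_id, _sig) = struct.unpack_from(HEADER_FMT, buf, 0)
    if magic != SMB2_MAGIC or size != 64:
        raise ValueError("not an SMB2 header")
    if flags & SMB2_FLAGS_ASYNC_COMMAND:
        # Reserved (low 32 bits) and TreeId (high 32 bits) together form AsyncId.
        return Smb2Header(cmd, flags, msg_id, session_id, None, reserved | (tree_id << 32))
    return Smb2Header(cmd, flags, msg_id, session_id, tree_id, None)


def build_header(command: int, message_id: int, session_id: int,
                 tree_id: int, flags: int = 0) -> bytes:
    """Constructed helper (not from the spec): emit a minimal 64-byte header."""
    return struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 1, 0, command, 1, flags, 0,
                       message_id, 0, tree_id, session_id, b"\0" * 16)


def demux(packets: List[bytes]) -> Dict[Tuple[int, int], List[int]]:
    """Group message ids by (SessionId, TreeId): one connection, many sessions/trees."""
    groups: Dict[Tuple[int, int], List[int]] = {}
    for pkt in packets:
        hdr = parse_header(pkt)
        if hdr.tree_id is None:
            continue  # async-flagged headers carry no TreeId
        groups.setdefault((hdr.session_id, hdr.tree_id), []).append(hdr.message_id)
    return groups


# Constructed sample traffic: two sessions and two tree connects on one connection,
# plus one async-flagged header. These values are assumptions, not captured data.
SESSION_A = 0x1122334455667788
SESSION_B = 0x0000000000000099
SAMPLE_PACKETS = [
    build_header(SMB2_CREATE, 3, SESSION_A, 1),
    build_header(SMB2_READ, 4, SESSION_A, 2),
    build_header(SMB2_WRITE, 5, SESSION_B, 1),
    build_header(SMB2_CREATE, 6, SESSION_B, 7, flags=SMB2_FLAGS_ASYNC_COMMAND),
]

if __name__ == "__main__":
    for key, ids in demux(SAMPLE_PACKETS).items():
        print("session 0x%016x tree %d: messages %s" % (key[0], key[1], ids))
```

Note that two packets with the same TreeId but different SessionIds (message ids 3 and 5 above) land in different groups: a tree connect belongs to a specific session, so TreeId alone does not identify the share access.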
WorldSid: A SID with the specific value of S-1-1-0.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.