
4.1 Connecting to a Share by Using a Multi-Protocol Negotiate

The following diagram shows the steps taken by a client that is negotiating SMB2 by using an SMB-style negotiate.

Figure 6: Client negotiating SMB2 with SMB-style negotiate

  1. The client sends an SMB negotiate packet with the string "SMB 2.002" in the dialect string list, along with the other SMB dialects the client implements.

     Smb: C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
     Protocol: SMB
     Command: Negotiate 114(0x72)
     SMBHeader: Command, TID: 0xFFFF, PID: 0xFEFF, UID: 0x0000, MID: 0x0000
     Flags: 24 (0x18)
     Bit0: (.......0) SMB_FLAGS_LOCK_AND_READ_OK: LOCK_AND_READ and WRITE_AND_CLOSE not supported (obsoleted)
     Bit1: (......0.) SMB_FLAGS_SEND_NO_ACK [not implemented]
     Bit2: (.....0..) Reserved (must be zero)
     Bit3: (....1...) SMB_FLAGS_CASE_INSENSITIVE: SMB paths are case-insensitive
     Bit4: (...1....) SMB_FLAGS_CANONICALIZED_PATHS: Canonicalized File and pathnames (obsoleted)
     Bit5: (..0.....) SMB_FLAGS_OPLOCK: No Oplocks supported for OPEN, CREATE & CREATE_NEW (obsoleted)
     Bit6: (.0......) SMB_FLAGS_OPLOCK_NOTIFY_ANY: No Notifications supported for OPEN, CREATE & CREATE_NEW (obsoleted)
     Bit7: (0.......) SMB_FLAGS_SERVER_TO_REDIR: Command - SMB is being sent from the client
     Flags2: 51283 (0xC853)
     Bit00: (...............1) SMB_FLAGS2_KNOWS_LONG_NAMES: May return long file names
     Bit01: (..............1.) SMB_FLAGS2_KNOWS_EAS: Understands extended attributes
     Bit02: (.............0..) SMB_FLAGS2_SMB_SECURITY_SIGNATURE: Not security signature-enabled
     Bit03: (............0...) Reserved
     Bit04: (...........1....) Reserved
     Bit05: (..........0.....) SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED: SMB packets must be signed
     Bit06: (.........1......) SMB_FLAGS2_IS_LONG_NAME: Any path name in the request is a long name
     Bit07: (........0.......) Reserved
     Bit08: (.......0........) Reserved
     Bit09: (......0.........) Reserved
     Bit10: (.....0..........) SMB_FLAGS2_REPARSE_PATH: Not requesting Reparse path
     Bit11: (....1...........) SMB_FLAGS2_EXTENDED_SECURITY: Aware of extended security
     Bit12: (...0............) SMB_FLAGS2_DFS: No DFS namespace
     Bit13: (..0.............) SMB_FLAGS2_PAGING_IO: Read operation will NOT be permitted if has no read permission
     Bit14: (.1..............) SMB_FLAGS2_NT_STATUS: Using 32-bit NT status error codes
     Bit15: (1...............) SMB_FLAGS2_UNICODE: Using UNICODE strings
     PIDHigh: 0 (0x0)
     SecuritySignature: 0x0
     Reserved: 0 (0x0)
     TreeID: 65535 (0xFFFF)
     Reserved: 0 (0x0)
     UserID: 0 (0x0)
     MultiplexID: 0 (0x0)
     CNegotiate: 
     WordCount: 0 (0x0)
     ByteCount: 109 (0x6D)
     Dialect: PC NETWORK PROGRAM 1.0
     BufferFormat: Dialect 2(0x2)
     DialectName: PC NETWORK PROGRAM 1.0
     Dialect: LANMAN1.0
     BufferFormat: Dialect 2(0x2)
     DialectName: LANMAN1.0
     Dialect: Windows for Workgroups 3.1a
     BufferFormat: Dialect 2(0x2)
     DialectName: Windows for Workgroups 3.1a
     Dialect: LM1.2X002
     BufferFormat: Dialect 2(0x2)
     DialectName: LM1.2X002
     Dialect: LANMAN2.1
     BufferFormat: Dialect 2(0x2)
     DialectName: LANMAN2.1
     Dialect: NT LM 0.12
     BufferFormat: Dialect 2(0x2)
     DialectName: NT LM 0.12
     Dialect: SMB 2.002
     BufferFormat: Dialect 2(0x2)
     DialectName: SMB 2.002

  2. The server receives the SMB negotiate request and finds dialect "SMB 2.002". The server responds with an SMB2 negotiate.

     Smb2: R NEGOTIATE
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: NEGOTIATE
     Credits: 1 (0x1)
     Flags: 1 (0x1)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 0 (0x0)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 0 (0x0)
     RNegotiate: 
     Size: 65 (0x41)
     SecurityMode: Signing Enabled
     DialectRevision: 0x0202
     Reserved: 0 (0x0)
     Guid: {3F5CF209-A4E5-0049-A7D6-6A456D5CA5CF}
     Capabilities: 1 (0x1)
     DFS:           ...............................1  DFS available
     MaxTransactSize: 65536 (0x10000)
     MaxReadSize: 65536 (0x10000)
     MaxWriteSize: 65536 (0x10000)
     SystemTime: 127972992061679232 (0x1C6A6C21CAE2680)
     ServerStartTime: 127972985895467232 (0x1C6A6C0AD2538E0)
     SecurityBufferOffset: 128 (0x80)
     SecurityBufferLength: 30 (0x1E)
     Reserved2: 0 (0x0)
     Buffer:

  3. The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request with the output token received from GSS.

     Smb2: C SESSION SETUP
     Smb2: C SESSION SETUP
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: SESSION SETUP
     Credits: 126 (0x7E)
     Flags: 0 (0x0)
     ServerToRedir: ...............................0  Client to Server
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 1 (0x1)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 0 (0x0)
     CSessionSetup: 
     Size: 25 (0x19)
     VcNumber: 0 (0x0)
     SecurityMode: Signing Enabled
     Capabilities: 1 (0x1)
     DFS:            ...............................1 DFS available
     Channel: 0 (0x0)
     SecurityBufferOffset: 88 (0x58)
     SecurityBufferLength: 74 (0x4A)
     Buffer: (74 bytes)

  4. The server processes the token received with GSS and gets a return code indicating a subsequent round trip is required. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.

     Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
     Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_MORE_PROCESSING_REQUIRED
     Command: SESSION SETUP
     Credits: 2 (0x2)
     Flags: 1 (0x1)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 1 (0x1)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     RSessionSetup: 
     Size: 9 (0x9)
     SessionFlags: Normal session
     SecurityBufferOffset: 72 (0x48)
     SecurityBufferLength: 219 (0xDB)
     Buffer: (219 bytes)

  5. The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the previous response.

     Smb2: C SESSION SETUP
     Smb2: C SESSION SETUP
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: SESSION SETUP
     Credits: 125 (0x7D)
     Flags: 0 (0x0)
     ServerToRedir: ...............................0  Client to Server
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 2 (0x2)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     CSessionSetup: 
     Size: 25 (0x19)
     VcNumber: 0 (0x0)
     SecurityMode: Signing Enabled
     Capabilities: 1 (0x1)
     DFS:            ...............................1 DFS available
     Channel: 0 (0x0)
     SecurityBufferOffset: 88 (0x58)
     SecurityBufferLength: 245 (0xF5)
     Buffer: (245 bytes)

  6. The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.

     Smb2: R SESSION SETUP
     Smb2: R SESSION SETUP
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: SESSION SETUP
     Credits: 3 (0x3)
     Flags: 9 (0x9)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................1...  Packet is signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 2 (0x2)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     RSessionSetup: 
     Size: 9 (0x9)
     SessionFlags: Normal session
     SecurityBufferOffset: 72 (0x48)
     SecurityBufferLength: 29 (0x1D)
     Buffer: (29 bytes)

  7. The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the SessionId for the session, and a tree connect request containing the Unicode share name "\\smb2server\IPC$".

     Smb2: C TREE CONNECT \\smb2server\IPC$
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: TREE CONNECT
     Credits: 123 (0x7B)
     Flags: 0 (0x0)
     ServerToRedir: ...............................0  Client to Server
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS: 0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 3 (0x3)
     Reserved: 0 (0x0)
     TreeId: 0 (0x0)
     SessionId: 4398046511113 (0x40000000009)
     CTreeConnect: 
     Size: 9 (0x9)
     Reserved: 0 (0x0)
     PathOffset: 72 (0x48)
     PathLength: 34 (0x22)
     Share: \\smb2server\IPC$

  8. The server responds with an SMB2 TREE_CONNECT Response with MessageId of 3, CreditResponse of 5, Status equal to STATUS_SUCCESS, SessionId of 0x40000000009, and TreeId set to the locally generated identifier 0x1.

     Smb2: R TREE CONNECT TID=0x1
     SMB2Header: 
     Size: 64 (0x40)
     CreditCharge: 0 (0x0)
     Status: STATUS_SUCCESS
     Command: TREE CONNECT
     Credits: 5 (0x5)
     Flags: 1 (0x1)
     ServerToRedir: ...............................1  Server to Client
     AsyncCommand:  ..............................0.  Command is not asynchronous
     Related:       .............................0..  Packet is single message
     Signed:        ............................0...  Packet is not signed
     Reserved: 0 (0x0)
     DFS:           0...............................  Command is not a DFS Operation
     NextCommand: 0 (0x0)
     MessageId: 3 (0x3)
     Reserved: 0 (0x0)
     TreeId: 1 (0x1)
     SessionId: 4398046511113 (0x40000000009)
     RTreeConnect: 
     Size: 16 (0x10)
     ShareType: Pipe
     Reserved: 0 (0x0)
     Flags: No Caching
     Capabilities: 0 (0x0)
     MaximalAccess: 2032127 (0x1F01FF)

Further operations can now continue, using the SessionId and TreeId generated in the connection to this share.
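
The SMB-style negotiate that opens this exchange is where a network monitor can see which dialects a client still offers. The following Python code is an added example, not part of the Microsoft specification: it rebuilds that request from the trace's header values and dialect list (the packet bytes are constructed, and `build_negotiate` and `parse_negotiate` are hypothetical names), then parses it and separates the SMB2 entry from the legacy SMB dialects offered alongside it.

```python
import struct

SMB1_HDR = struct.Struct("<4sBIBHH8sHHHHH")   # fixed 32-byte SMB1 header
SMB_COM_NEGOTIATE = 0x72
FLAGS2_SIGNING = 0x0004             # SMB_FLAGS2_SMB_SECURITY_SIGNATURE
FLAGS2_EXTENDED_SECURITY = 0x0800   # SMB_FLAGS2_EXTENDED_SECURITY

# Dialect list copied from the negotiate trace; the packet itself is constructed.
TRACE_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0",
                  "Windows for Workgroups 3.1a", "LM1.2X002",
                  "LANMAN2.1", "NT LM 0.12", "SMB 2.002"]

def build_negotiate(dialects, flags=0x18, flags2=0xC853):
    """Constructed SMB1 NEGOTIATE request using the header values in the trace."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    hdr = SMB1_HDR.pack(b"\xffSMB", SMB_COM_NEGOTIATE, 0, flags, flags2,
                        0, bytes(8), 0, 0xFFFF, 0xFEFF, 0, 0)
    return hdr + struct.pack("<BH", 0, len(data)) + data  # WordCount, ByteCount

def parse_negotiate(msg):
    """Validate an SMB1 NEGOTIATE request and return its dialect offer."""
    if len(msg) < SMB1_HDR.size + 3:
        raise ValueError("truncated SMB1 message")
    magic, cmd, _status, _flags, flags2, *_ = SMB1_HDR.unpack_from(msg)
    if magic != b"\xffSMB" or cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    word_count, byte_count = struct.unpack_from("<BH", msg, SMB1_HDR.size)
    body = msg[SMB1_HDR.size + 3:]
    if word_count != 0 or byte_count != len(body):
        raise ValueError("WordCount/ByteCount do not match the message")
    dialects, pos = [], 0
    while pos < len(body):
        # Each entry is BufferFormat 0x02 followed by a NUL-terminated name.
        end = body.find(b"\x00", pos + 1)
        if body[pos] != 0x02 or end < 0:
            raise ValueError("malformed dialect entry")
        dialects.append(body[pos + 1:end].decode("ascii"))
        pos = end + 1
    smb2 = [d for d in dialects if d.startswith("SMB 2.")]
    return {"byte_count": byte_count, "dialects": dialects,
            "offers_smb2": bool(smb2),
            "legacy_dialects": [d for d in dialects if d not in smb2],
            "signing_flag": bool(flags2 & FLAGS2_SIGNING),
            "extended_security": bool(flags2 & FLAGS2_EXTENDED_SECURITY)}

if __name__ == "__main__":
    print(parse_negotiate(build_negotiate(TRACE_DIALECTS)))
```

The parsed ByteCount matches the 109 (0x6D) shown in the trace, which confirms the one-byte BufferFormat plus NUL-terminated string layout of each dialect entry.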
