[Changed title to reference SMB2 instead of SMB1]

Volker,

Thank you for your patience. We updated [MS-SMB2] sections 3.3.5.5 Receiving 
an SMB2 SESSION_SETUP Request and 3.3.5.5.3 Handling GSS-API Authentication 
with the text below. It is different than how Windows presently behaves, 
which is called out by a Windows behavior note. We recommend that your code 
match the specification itself and not mimic Windows. Future Windows versions 
will match the specification provided below and existing Windows versions may 
be updated to follow the specification.
Thank you for raising this issue to us.


3.3.5.5   Receiving an SMB2 SESSION_SETUP Request
[…]

6.  If Session.State is Expired, the server MUST set Session.SecurityContext to 
NULL, and process the session setup request as specified in section 3.3.5.5.2. 
Otherwise, proceed to step 7.

[…]

8.  If Session.State is Valid, the server MUST do the following:

• If Connection.Dialect is "2.002", the server MUST fail the session setup 
request with STATUS_REQUEST_NOT_ACCEPTED.

• Otherwise, the server MUST process the session setup request as specified in 
section 3.3.5.5.2.

3.3.5.5.2   Reauthenticating an Existing Session
Session.State MUST be set to InProgress. Authentication is continued as 
specified in section 3.3.5.5.3. Note that the existing Session.SessionKey will 
be retained.



3.3.5.5.3   Handling GSS-API Authentication



3.  If Session.SecurityContext is NULL, it MUST be set to a value representing 
the user which successfully authenticated this connection. The security context 
MUST be obtained from the GSS authentication subsystem. The server MUST invoke 
the GSS_Inquire_context call as specified in 
[RFC2743]<http://go.microsoft.com/fwlink/?LinkId=90378> section 2.2.6, passing 
the Session.SecurityContext as the input parameter, and set Session.UserName to 
the returned "src_name".

If Session.SecurityContext is not NULL, the server MUST invoke the 
GSS_Inquire_context call as specified in 
[RFC2743]<http://go.microsoft.com/fwlink/?LinkId=90378> section 2.2.6, passing 
the Session.SecurityContext as the input parameter. If the returned "src_name" 
does not match with the Session.Username, the server SHOULD <WBN> fail the 
request with error code STATUS_LOGON_FAILURE.

<WBN> Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 do 
not fail the request.



-----Original Message-----
From: Bryan Burgin
Sent: Friday, October 19, 2012 4:00 PM
To: "[email protected]" <[email protected]>
Cc: "MSSolve Case Email" <[email protected]>; "[email protected]" <[email protected]>; "[email protected]" <[email protected]>
Subject: [REG:112053067163367] 112053067163367 handle based permission checks in SMB1?

Hello Volker,

Incident number for tracking the SMB2 question is 112053067163367.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications




-----Original Message-----
From: Sreekanth Nadendla
Sent: Tuesday, May 29, 2012 11:31 PM
To: [email protected]
Cc: MSSolve Case Email; [email protected]; [email protected]
Subject: RE: 112050346749387 handle based permission checks in SMB1?

Hello Volker,

I will create a new incident for SMB2 and let you know the incident number tomorrow.

Regards,
Sreekanth

________________________________________
From: Volker Lendecke [[email protected]]
Sent: Thursday, May 24, 2012 11:10 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; [email protected]; [email protected]
Subject: Re: 112050346749387 handle based permission checks in SMB1?

On Thu, May 24, 2012 at 09:29:12PM +0000, Sreekanth Nadendla wrote:
> Hello Volker,
> Our product group is investigating this issue closely.  I will provide
> you an update as soon as we conclude our review. Thank you for being
> patient.

Thanks for the update.

My question was confined to SMB1. We will need the same information for
SMB2 in the future. Can you cover this in the same request, or should we open a 
new one?

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816,
GF: Dr. Johannes Loxen http://www.sernet.de, mailto:[email protected]


_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
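
Added example, not part of the original thread or of [MS-SMB2]: a C model of the server-side reauthentication rules quoted at the top of this thread (3.3.5.5 steps 6 and 8, 3.3.5.5.2, and 3.3.5.5.3 step 3). The struct and function names are hypothetical, the "src_name" result of GSS_Inquire_context is passed in as a string, and name matching is assumed to be an exact byte comparison, which the quoted text does not specify.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS              0x00000000u
#define STATUS_LOGON_FAILURE        0xC000006Du
#define STATUS_REQUEST_NOT_ACCEPTED 0xC00000D0u

enum sess_state { SESS_IN_PROGRESS, SESS_VALID, SESS_EXPIRED };

/* Hypothetical model of the Session object; field names are assumptions. */
struct session {
    enum sess_state state;
    const void *security_context;   /* NULL means no context is bound */
    char user_name[64];
    uint8_t session_key[16];        /* never rewritten here: kept across reauth */
};

/* 3.3.5.5 steps 6 and 8 plus 3.3.5.5.2: may a SESSION_SETUP on an existing
 * session enter reauthentication? Steps elided in the mail are not modelled. */
uint32_t begin_session_setup(struct session *s, const char *dialect)
{
    if (s->state == SESS_EXPIRED) {
        s->security_context = NULL;              /* step 6 */
    } else if (s->state == SESS_VALID && strcmp(dialect, "2.002") == 0) {
        return STATUS_REQUEST_NOT_ACCEPTED;      /* step 8, first bullet */
    }
    s->state = SESS_IN_PROGRESS;                 /* 3.3.5.5.2 */
    return STATUS_SUCCESS;
}

/* 3.3.5.5.3 step 3, called once GSS authentication has completed.
 * new_ctx and src_name stand in for the GSS subsystem's context and the
 * "src_name" returned by GSS_Inquire_context (both assumptions). */
uint32_t finish_gss_auth(struct session *s, const void *new_ctx, const char *src_name)
{
    if (s->security_context == NULL) {
        if (strlen(src_name) >= sizeof s->user_name)
            return STATUS_LOGON_FAILURE;         /* model limit, not from the spec */
        s->security_context = new_ctx;
        snprintf(s->user_name, sizeof s->user_name, "%s", src_name);
    } else if (strcmp(src_name, s->user_name) != 0) {
        return STATUS_LOGON_FAILURE;  /* SHOULD; the listed Windows versions do not fail */
    }
    s->state = SESS_VALID;
    return STATUS_SUCCESS;
}
```
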
