The following diagram shows the steps taken by a client that is negotiating SMB2 by using an SMB-style negotiate.
Figure 6: Client negotiating SMB2 with SMB-style negotiate
The client sends an SMB negotiate packet with the string "SMB 2.002" in the dialect string list, along with the other SMB dialects the client implements.

Smb: C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
  Protocol: SMB
  Command: Negotiate 114(0x72)
  SMBHeader: Command, TID: 0xFFFF, PID: 0xFEFF, UID: 0x0000, MID: 0x0000
    Flags: 24 (0x18)
      Bit0: (.......0) SMB_FLAGS_LOCK_AND_READ_OK: LOCK_AND_READ and WRITE_AND_CLOSE not supported (obsoleted)
      Bit1: (......0.) SMB_FLAGS_SEND_NO_ACK [not implemented]
      Bit2: (.....0..) Reserved (value is zero)
      Bit3: (....1...) SMB_FLAGS_CASE_INSENSITIVE: SMB paths are case-insensitive
      Bit4: (...1....) SMB_FLAGS_CANONICALIZED_PATHS: Canonicalized File and pathnames (obsoleted)
      Bit5: (..0.....) SMB_FLAGS_OPLOCK: No Oplocks supported for OPEN, CREATE & CREATE_NEW (obsoleted)
      Bit6: (.0......) SMB_FLAGS_OPLOCK_NOTIFY_ANY: No Notifications supported for OPEN, CREATE & CREATE_NEW (obsoleted)
      Bit7: (0.......) SMB_FLAGS_SERVER_TO_REDIR: Command - SMB is being sent from the client
    Flags2: 51283 (0xC853)
      Bit00: (...............1) SMB_FLAGS2_KNOWS_LONG_NAMES: May return long file names
      Bit01: (..............1.) SMB_FLAGS2_KNOWS_EAS: Understands extended attributes
      Bit02: (.............0..) SMB_FLAGS2_SMB_SECURITY_SIGNATURE: Not security signature-enabled
      Bit03: (............0...) Reserved
      Bit04: (...........1....) Reserved
      Bit05: (..........0.....) SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED: SMB packets are signed
      Bit06: (.........1......) SMB_FLAGS2_IS_LONG_NAME: Any path name in the request is a long name
      Bit07: (........0.......) Reserved
      Bit08: (.......0........) Reserved
      Bit09: (......0.........) Reserved
      Bit10: (.....0..........) SMB_FLAGS2_REPARSE_PATH: Not requesting Reparse path
      Bit11: (....1...........) SMB_FLAGS2_EXTENDED_SECURITY: Aware of extended security
      Bit12: (...0............) SMB_FLAGS2_DFS: No DFS namespace
      Bit13: (..0.............) SMB_FLAGS2_PAGING_IO: Read operation will NOT be permitted if has no read permission
      Bit14: (.1..............) SMB_FLAGS2_NT_STATUS: Using 32-bit NT status error codes
      Bit15: (1...............) SMB_FLAGS2_UNICODE: Using UNICODE strings
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 65535 (0xFFFF)
    Reserved: 0 (0x0)
    UserID: 0 (0x0)
    MultiplexID: 0 (0x0)
  CNegotiate:
    WordCount: 0 (0x0)
    ByteCount: 109 (0x6D)
    Dialect: PC NETWORK PROGRAM 1.0
      BufferFormat: Dialect 2(0x2)
      DialectName: PC NETWORK PROGRAM 1.0
    Dialect: LANMAN1.0
      BufferFormat: Dialect 2(0x2)
      DialectName: LANMAN1.0
    Dialect: Windows for Workgroups 3.1a
      BufferFormat: Dialect 2(0x2)
      DialectName: Windows for Workgroups 3.1a
    Dialect: LM1.2X002
      BufferFormat: Dialect 2(0x2)
      DialectName: LM1.2X002
    Dialect: LANMAN2.1
      BufferFormat: Dialect 2(0x2)
      DialectName: LANMAN2.1
    Dialect: NT LM 0.12
      BufferFormat: Dialect 2(0x2)
      DialectName: NT LM 0.12
    Dialect: SMB 2.002
      BufferFormat: Dialect 2(0x2)
      DialectName: SMB 2.002

The server receives the SMB negotiate request and finds dialect "SMB 2.002". The server responds with an SMB2 negotiate.

Smb2: R NEGOTIATE
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: NEGOTIATE
    Credits: 1 (0x1)
    Flags: 1 (0x1)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 0 (0x0)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
  RNegotiate:
    Size: 65 (0x41)
    SecurityMode: Signing Enabled
    DialectRevision: 0x0202
    Reserved: 0 (0x0)
    Guid: {3F5CF209-A4E5-0049-A7D6-6A456D5CA5CF}
    Capabilities: 1 (0x1)
      DFS: ...............................1 DFS available
    MaxTransactSize: 65536 (0x10000)
    MaxReadSize: 65536 (0x10000)
    MaxWriteSize: 65536 (0x10000)
    SystemTime: 127972992061679232 (0x1C6A6C21CAE2680)
    ServerStartTime: 127972985895467232 (0x1C6A6C0AD2538E0)
    SecurityBufferOffset: 128 (0x80)
    SecurityBufferLength: 30 (0x1E)
    Reserved2: 0 (0x0)
    Buffer:

The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request with the output token received from GSS.

Smb2: C SESSION SETUP
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 126 (0x7E)
    Flags: 0 (0x0)
      ServerToRedir: ...............................0 Client to Server
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
  CSessionSetup:
    Size: 25 (0x19)
    VcNumber: 0 (0x0)
    SecurityMode: Signing Enabled
    Capabilities: 1 (0x1)
      DFS: ...............................1 DFS available
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 74 (0x4A)
    Buffer: (74 bytes)

The server processes the token received with GSS and gets a return code indicating a subsequent round trip is required. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.

Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_MORE_PROCESSING_REQUIRED
    Command: SESSION SETUP
    Credits: 2 (0x2)
    Flags: 1 (0x1)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  RSessionSetup:
    Size: 9 (0x9)
    SessionFlags: Normal session
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 219 (0xDB)
    Buffer: (219 bytes)

The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the previous response.

Smb2: C SESSION SETUP
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 125 (0x7D)
    Flags: 0 (0x0)
      ServerToRedir: ...............................0 Client to Server
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  CSessionSetup:
    Size: 25 (0x19)
    VcNumber: 0 (0x0)
    SecurityMode: Signing Enabled
    Capabilities: 1 (0x1)
      DFS: ...............................1 DFS available
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 245 (0xF5)
    Buffer: (245 bytes)

The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.

Smb2: R SESSION SETUP
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 3 (0x3)
    Flags: 9 (0x9)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................1... Packet is signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  RSessionSetup:
    Size: 9 (0x9)
    SessionFlags: Normal session
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 29 (0x1D)
    Buffer: (29 bytes)

The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the SessionId for the session, and a tree connect request containing the Unicode share name "\\smb2server\IPC$".

Smb2: C TREE CONNECT \\smb2server\IPC$
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: TREE CONNECT
    Credits: 123 (0x7B)
    Flags: 0 (0x0)
      ServerToRedir: ...............................0 Client to Server
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  CTreeConnect:
    Size: 9 (0x9)
    Reserved: 0 (0x0)
    PathOffset: 72 (0x48)
    PathLength: 34 (0x22)
    Share: \\smb2server\IPC$

The server responds with an SMB2 TREE_CONNECT Response with MessageId of 3, CreditResponse of 5, Status equal to STATUS_SUCCESS, SessionId of 0x40000000009, and TreeId set to the locally generated identifier 0x1.

Smb2: R TREE CONNECT TID=0x1
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: TREE CONNECT
    Credits: 5 (0x5)
    Flags: 1 (0x1)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 0 (0x0)
    TreeId: 1 (0x1)
    SessionId: 4398046511113 (0x40000000009)
  RTreeConnect:
    Size: 16 (0x10)
    ShareType: Pipe
    Reserved: 0 (0x0)
    Flags: No Caching
    Capabilities: 0 (0x0)
    MaximalAccess: 2032127 (0x1F01FF)

Further operations can now continue, using the SessionId and TreeId generated in the connection to this share.
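
The SMB2 exchange above, replayed as an added example (not part of the original page or of the specification): it packs the header values printed in the trace into 64-byte SMB2 headers, parses them back, and lists every message sent after authentication completes that does not carry the Signed flag. The function names and the `TRACE` sample are constructed for illustration, and the Signature field is left zeroed.

```python
import struct
# SMB2 synchronous packet header: 64 bytes, little-endian.
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")
COMMANDS = {0: "NEGOTIATE", 1: "SESSION_SETUP", 3: "TREE_CONNECT"}
STATUS_SUCCESS, STATUS_MORE_PROCESSING_REQUIRED = 0x00000000, 0xC0000016
FLAG_SERVER_TO_REDIR, FLAG_SIGNED = 0x1, 0x8

def build_header(command, status, credits, flags, message_id, tree_id, session_id):
    """Pack a header for the constructed sample below (Signature left zeroed)."""
    return HDR.pack(b"\xfeSMB", 64, 0, status, command, credits, flags,
                    0, message_id, 0, tree_id, session_id, bytes(16))

def parse_header(data):
    """Decode the header fields the trace prints; reject non-SMB2 input."""
    if len(data) < HDR.size:
        raise ValueError("truncated SMB2 header")
    (magic, size, _charge, status, command, credits, flags, _next,
     message_id, _reserved, tree_id, session_id, _sig) = HDR.unpack_from(data)
    if magic != b"\xfeSMB" or size != 64:
        raise ValueError("not an SMB2 header")
    return {"command": COMMANDS.get(command, hex(command)), "status": status,
            "credits": credits, "response": bool(flags & FLAG_SERVER_TO_REDIR),
            "signed": bool(flags & FLAG_SIGNED), "message_id": message_id,
            "tree_id": tree_id, "session_id": session_id}

def unsigned_after_auth(packets):
    """List (command, direction, message_id) of unsigned messages that follow
    the SESSION_SETUP response completing authentication."""
    authenticated, findings = False, []
    for h in map(parse_header, packets):
        if authenticated and not h["signed"]:
            direction = "response" if h["response"] else "request"
            findings.append((h["command"], direction, h["message_id"]))
        if (h["command"] == "SESSION_SETUP" and h["response"]
                and h["status"] == STATUS_SUCCESS):
            authenticated = True
    return findings

SID = 0x40000000009  # SessionId from the trace
# Constructed sample: header values copied from the trace on this page.
TRACE = [
    build_header(0, STATUS_SUCCESS, 1, 0x1, 0, 0, 0),        # R NEGOTIATE
    build_header(1, STATUS_SUCCESS, 126, 0x0, 1, 0, 0),      # C SESSION SETUP
    build_header(1, STATUS_MORE_PROCESSING_REQUIRED, 2, 0x1, 1, 0, SID),
    build_header(1, STATUS_SUCCESS, 125, 0x0, 2, 0, SID),    # C SESSION SETUP
    build_header(1, STATUS_SUCCESS, 3, 0x9, 2, 0, SID),      # R, signed
    build_header(3, STATUS_SUCCESS, 123, 0x0, 3, 0, SID),    # C TREE CONNECT
    build_header(3, STATUS_SUCCESS, 5, 0x1, 3, 1, SID),      # R TREE CONNECT
]
```

On this trace `unsigned_after_auth(TRACE)` reports the TREE_CONNECT request and response, matching their `Packet is not signed` lines: both sides advertise `SecurityMode: Signing Enabled`, and only the final SESSION_SETUP response is signed.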