4.1 Connecting to a Share by Using a Multi-Protocol Negotiate
The following diagram shows the steps taken by a client that is negotiating SMB2 by using an SMB-style negotiate.
Figure 6: Client negotiating SMB2 with SMB-style negotiate
The client sends an SMB negotiate packet with the string "SMB 2.002" in the dialect string list, along with the other SMB dialects the client implements.
Smb: C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
  Protocol: SMB
  Command: Negotiate 114(0x72)
  SMBHeader: Command, TID: 0xFFFF, PID: 0xFEFF, UID: 0x0000, MID: 0x0000
    Flags: 24 (0x18)
      Bit0: (.......0) SMB_FLAGS_LOCK_AND_READ_OK: LOCK_AND_READ and WRITE_AND_CLOSE not supported (obsoleted)
      Bit1: (......0.) SMB_FLAGS_SEND_NO_ACK [not implemented]
      Bit2: (.....0..) Reserved (value is zero)
      Bit3: (....1...) SMB_FLAGS_CASE_INSENSITIVE: SMB paths are case-insensitive
      Bit4: (...1....) SMB_FLAGS_CANONICALIZED_PATHS: Canonicalized File and pathnames (obsoleted)
      Bit5: (..0.....) SMB_FLAGS_OPLOCK: No Oplocks supported for OPEN, CREATE & CREATE_NEW (obsoleted)
      Bit6: (.0......) SMB_FLAGS_OPLOCK_NOTIFY_ANY: No Notifications supported for OPEN, CREATE & CREATE_NEW (obsoleted)
      Bit7: (0.......) SMB_FLAGS_SERVER_TO_REDIR: Command - SMB is being sent from the client
    Flags2: 51283 (0xC853)
      Bit00: (...............1) SMB_FLAGS2_KNOWS_LONG_NAMES: May return long file names
      Bit01: (..............1.) SMB_FLAGS2_KNOWS_EAS: Understands extended attributes
      Bit02: (.............0..) SMB_FLAGS2_SMB_SECURITY_SIGNATURE: Not security signature-enabled
      Bit03: (............0...) Reserved
      Bit04: (...........1....) Reserved
      Bit05: (..........0.....) SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED: SMB packets are signed
      Bit06: (.........1......) SMB_FLAGS2_IS_LONG_NAME: Any path name in the request is a long name
      Bit07: (........0.......) Reserved
      Bit08: (.......0........) Reserved
      Bit09: (......0.........) Reserved
      Bit10: (.....0..........) SMB_FLAGS2_REPARSE_PATH: Not requesting Reparse path
      Bit11: (....1...........) SMB_FLAGS2_EXTENDED_SECURITY: Aware of extended security
      Bit12: (...0............) SMB_FLAGS2_DFS: No DFS namespace
      Bit13: (..0.............) SMB_FLAGS2_PAGING_IO: Read operation will NOT be permitted if has no read permission
      Bit14: (.1..............) SMB_FLAGS2_NT_STATUS: Using 32-bit NT status error codes
      Bit15: (1...............) SMB_FLAGS2_UNICODE: Using UNICODE strings
    PIDHigh: 0 (0x0)
    SecuritySignature: 0x0
    Reserved: 0 (0x0)
    TreeID: 65535 (0xFFFF)
    Reserved: 0 (0x0)
    UserID: 0 (0x0)
    MultiplexID: 0 (0x0)
  CNegotiate:
    WordCount: 0 (0x0)
    ByteCount: 109 (0x6D)
    Dialect: PC NETWORK PROGRAM 1.0
      BufferFormat: Dialect 2(0x2)
      DialectName: PC NETWORK PROGRAM 1.0
    Dialect: LANMAN1.0
      BufferFormat: Dialect 2(0x2)
      DialectName: LANMAN1.0
    Dialect: Windows for Workgroups 3.1a
      BufferFormat: Dialect 2(0x2)
      DialectName: Windows for Workgroups 3.1a
    Dialect: LM1.2X002
      BufferFormat: Dialect 2(0x2)
      DialectName: LM1.2X002
    Dialect: LANMAN2.1
      BufferFormat: Dialect 2(0x2)
      DialectName: LANMAN2.1
    Dialect: NT LM 0.12
      BufferFormat: Dialect 2(0x2)
      DialectName: NT LM 0.12
    Dialect: SMB 2.002
      BufferFormat: Dialect 2(0x2)
      DialectName: SMB 2.002
The server receives the SMB negotiate request and finds dialect "SMB 2.002". The server responds with an SMB2 negotiate.
Smb2: R NEGOTIATE
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: NEGOTIATE
    Credits: 1 (0x1)
    Flags: 1 (0x1)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 0 (0x0)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
  RNegotiate:
    Size: 65 (0x41)
    SecurityMode: Signing Enabled
    DialectRevision: 0x0202
    Reserved: 0 (0x0)
    Guid: {3F5CF209-A4E5-0049-A7D6-6A456D5CA5CF}
    Capabilities: 1 (0x1)
      DFS: ...............................1 DFS available
    MaxTransactSize: 65536 (0x10000)
    MaxReadSize: 65536 (0x10000)
    MaxWriteSize: 65536 (0x10000)
    SystemTime: 127972992061679232 (0x1C6A6C21CAE2680)
    ServerStartTime: 127972985895467232 (0x1C6A6C0AD2538E0)
    SecurityBufferOffset: 128 (0x80)
    SecurityBufferLength: 30 (0x1E)
    Reserved2: 0 (0x0)
    Buffer:
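The two packets above are the whole multi-protocol negotiate: an SMB1 NEGOTIATE whose dialect list ends in "SMB 2.002", answered by an SMB2 NEGOTIATE response. The following Python is an added example, not code from the specification or from any Windows component. It encodes the SMB1 request with the dialect list from the trace (which reproduces the ByteCount of 109), parses it back, makes the server-side decision the text describes, and packs and unpacks the 64-byte SMB2 header and the SMB 2.002 NEGOTIATE response body. The function names, the SMB1 fallback preference order in choose_dialect, and the zero server GUID and timestamps are assumptions of this example; the header layouts and the constant values are the protocol's.

```python
import struct

SMB1_COM_NEGOTIATE = 0x72        # SMB1 command code shown in the header above
SMB1_DIALECT_FORMAT = 0x02       # BufferFormat byte in front of every dialect string
SMB2_COM_NEGOTIATE = 0x0000
SMB2_DIALECT_002 = 0x0202        # DialectRevision the server answers with
SMB2_FLAGS_SERVER_TO_REDIR = 0x1
SMB2_FLAGS_SIGNED = 0x8
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x1

# Dialect list exactly as the client sends it in the trace above.
TRACE_DIALECTS = ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                  "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002"]

SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")    # 32-byte SMB1 header
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")  # 64-byte SMB2 header
SMB2_NEG_RESP = struct.Struct("<HHHH16sIIIIQQHHI")  # NEGOTIATE response body before Buffer (64 bytes)


def build_smb1_negotiate(dialects, flags=0x18, flags2=0xC853,
                         tid=0xFFFF, pid=0xFEFF, uid=0, mid=0):
    """SMB1 header + NEGOTIATE body: WordCount 0, ByteCount, then one entry per dialect."""
    header = SMB1_HEADER.pack(b"\xffSMB", SMB1_COM_NEGOTIATE, 0, flags, flags2,
                              0, b"\0" * 8, 0, tid, pid, uid, mid)
    entries = b"".join(bytes([SMB1_DIALECT_FORMAT]) + d.encode("ascii") + b"\0"
                       for d in dialects)
    return header + b"\0" + struct.pack("<H", len(entries)) + entries


def parse_smb1_negotiate(pkt):
    """Return the dialect strings of an SMB1 NEGOTIATE request; raise ValueError if malformed."""
    if len(pkt) < 33 or pkt[:4] != b"\xffSMB" or pkt[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    start = 33 + 2 * pkt[32]                      # ByteCount follows the WordCount words
    if len(pkt) < start + 2:
        raise ValueError("truncated before ByteCount")
    byte_count = struct.unpack_from("<H", pkt, start)[0]
    data = pkt[start + 2:start + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the end of the packet")
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != SMB1_DIALECT_FORMAT:
            raise ValueError("bad BufferFormat at dialect offset %d" % pos)
        end = data.index(b"\0", pos + 1)          # ValueError if the terminator is missing
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def choose_dialect(dialects):
    """Server decision from the text: "SMB 2.002" present -> reply in SMB2.
    Otherwise stay on SMB1 and return the index of the dialect we pick
    (0xFFFF = none acceptable). The SMB1 preference order is this example's assumption."""
    if "SMB 2.002" in dialects:
        return ("SMB2", SMB2_DIALECT_002)
    for preferred in ("NT LM 0.12", "LANMAN2.1", "LM1.2X002", "LANMAN1.0"):
        if preferred in dialects:
            return ("SMB1", dialects.index(preferred))
    return ("SMB1", 0xFFFF)


def build_smb2_header(command, message_id, flags=0, status=0, credits=1,
                      tree_id=0, session_id=0, credit_charge=0):
    return SMB2_HEADER.pack(b"\xfeSMB", 64, credit_charge, status, command, credits,
                            flags, 0, message_id, 0, tree_id, session_id, b"\0" * 16)


def parse_smb2_header(pkt):
    if len(pkt) < 64 or pkt[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 packet")
    (_, size, credit_charge, status, command, credits, flags, next_cmd,
     message_id, _, tree_id, session_id, signature) = SMB2_HEADER.unpack_from(pkt)
    if size != 64:
        raise ValueError("SMB2 header StructureSize must be 64")
    return {"credit_charge": credit_charge, "status": status, "command": command,
            "credits": credits, "flags": flags, "next_command": next_cmd,
            "message_id": message_id, "tree_id": tree_id, "session_id": session_id,
            "from_server": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
            "signed": bool(flags & SMB2_FLAGS_SIGNED), "signature": signature}


def build_smb2_negotiate_response(security_blob, server_guid=b"\0" * 16,
                                  system_time=0, server_start_time=0):
    """SMB2 header (MessageId 0, ServerToRedir) + NEGOTIATE response + GSS blob.
    SecurityBufferOffset counts from the start of the SMB2 header, which is why the
    trace shows 128: 64 header bytes + 64 fixed body bytes. Capabilities 1 = DFS."""
    header = build_smb2_header(SMB2_COM_NEGOTIATE, 0, flags=SMB2_FLAGS_SERVER_TO_REDIR)
    body = SMB2_NEG_RESP.pack(65, SMB2_NEGOTIATE_SIGNING_ENABLED, SMB2_DIALECT_002, 0,
                              server_guid, 1, 65536, 65536, 65536, system_time,
                              server_start_time, 64 + SMB2_NEG_RESP.size,
                              len(security_blob), 0)
    return header + body + security_blob
```

The parser refuses a ByteCount that overruns the packet and a dialect entry without its terminator; both are the cases a receiver has to reject before trusting the dialect list.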
The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request with the output token received from GSS.
Smb2: C SESSION SETUP
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 126 (0x7E)
    Flags: 0 (0x0)
      ServerToRedir: ...............................0 Client to Server
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 0 (0x0)
  CSessionSetup:
    Size: 25 (0x19)
    VcNumber: 0 (0x0)
    SecurityMode: Signing Enabled
    Capabilities: 1 (0x1)
      DFS: ...............................1 DFS available
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 74 (0x4A)
    Buffer: (74 bytes)
The server processes the token received with GSS and gets a return code indicating a subsequent round trip is required. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the output token from GSS.
Smb2: R SESSION SETUP (Status=STATUS_MORE_PROCESSING_REQUIRED)
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_MORE_PROCESSING_REQUIRED
    Command: SESSION SETUP
    Credits: 2 (0x2)
    Flags: 1 (0x1)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 1 (0x1)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  RSessionSetup:
    Size: 9 (0x9)
    SessionFlags: Normal session
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 219 (0xDB)
    Buffer: (219 bytes)
The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request with the output token received from GSS and the SessionId received on the previous response.
Smb2: C SESSION SETUP
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 125 (0x7D)
    Flags: 0 (0x0)
      ServerToRedir: ...............................0 Client to Server
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  CSessionSetup:
    Size: 25 (0x19)
    VcNumber: 0 (0x0)
    SecurityMode: Signing Enabled
    Capabilities: 1 (0x1)
      DFS: ...............................1 DFS available
    Channel: 0 (0x0)
    SecurityBufferOffset: 88 (0x58)
    SecurityBufferLength: 245 (0xF5)
    Buffer: (245 bytes)
The server processes the token received with GSS and gets a successful return code. The server responds to the client with an SMB2 SESSION_SETUP Response with Status equal to STATUS_SUCCESS and the response containing the output token from GSS.
Smb2: R SESSION SETUP
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: SESSION SETUP
    Credits: 3 (0x3)
    Flags: 9 (0x9)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................1... Packet is signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 2 (0x2)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  RSessionSetup:
    Size: 9 (0x9)
    SessionFlags: Normal session
    SecurityBufferOffset: 72 (0x48)
    SecurityBufferLength: 29 (0x1D)
    Buffer: (29 bytes)
The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the SessionId for the session, and a tree connect request containing the Unicode share name "\\smb2server\IPC$".
Smb2: C TREE CONNECT \\smb2server\IPC$
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: TREE CONNECT
    Credits: 123 (0x7B)
    Flags: 0 (0x0)
      ServerToRedir: ...............................0 Client to Server
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 0 (0x0)
    TreeId: 0 (0x0)
    SessionId: 4398046511113 (0x40000000009)
  CTreeConnect:
    Size: 9 (0x9)
    Reserved: 0 (0x0)
    PathOffset: 72 (0x48)
    PathLength: 34 (0x22)
    Share: \\smb2server\IPC$
The server responds with an SMB2 TREE_CONNECT Response with MessageId of 3, CreditResponse of 5, Status equal to STATUS_SUCCESS, SessionId of 0x40000000009, and TreeId set to the locally generated identifier 0x1.
Smb2: R TREE CONNECT TID=0x1
  SMB2Header:
    Size: 64 (0x40)
    CreditCharge: 0 (0x0)
    Status: STATUS_SUCCESS
    Command: TREE CONNECT
    Credits: 5 (0x5)
    Flags: 1 (0x1)
      ServerToRedir: ...............................1 Server to Client
      AsyncCommand: ..............................0. Command is not asynchronous
      Related: .............................0.. Packet is single message
      Signed: ............................0... Packet is not signed
      Reserved: 0 (0x0)
      DFS: 0............................... Command is not a DFS Operation
    NextCommand: 0 (0x0)
    MessageId: 3 (0x3)
    Reserved: 0 (0x0)
    TreeId: 1 (0x1)
    SessionId: 4398046511113 (0x40000000009)
  RTreeConnect:
    Size: 16 (0x10)
    ShareType: Pipe
    Reserved: 0 (0x0)
    Flags: No Caching
    Capabilities: 0 (0x0)
    MaximalAccess: 2032127 (0x1F01FF)
Further operations can now continue, using the SessionId and TreeId generated in the connection to this share.
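The six SESSION_SETUP and TREE_CONNECT messages above illustrate binding rules that a receiver or a trace analyst can check mechanically: each response echoes the request's Command and MessageId, the client's MessageId advances by one per request (CreditCharge is 0 throughout), the server assigns the SessionId on its first SESSION_SETUP response and the client carries it from then on, STATUS_MORE_PROCESSING_REQUIRED means one more round trip, the final successful SESSION_SETUP response is signed, and a successful TREE_CONNECT returns a non-zero TreeId. The following Python is an added example, not part of the specification: it replays the header fields transcribed from the trace through a small state tracker and reports every departure from those rules. The check_exchange function and the signing_enabled parameter (which stands in for the "Signing Enabled" SecurityMode of the NEGOTIATE response above) are this example's assumptions; the command codes, status values and flag bits are the protocol's.

```python
STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016
SMB2_SESSION_SETUP = 0x0001
SMB2_TREE_CONNECT = 0x0003
FLAG_SERVER_TO_REDIR = 0x1   # SMB2 header Flags bit: message travels server -> client
FLAG_SIGNED = 0x8            # SMB2 header Flags bit: Signature field is valid

# Header fields transcribed from the six messages above:
# (direction, Command, Status, Flags, MessageId, SessionId, TreeId).
TRACE = [
    ("C", SMB2_SESSION_SETUP, STATUS_SUCCESS, 0x0, 1, 0x0, 0),
    ("R", SMB2_SESSION_SETUP, STATUS_MORE_PROCESSING_REQUIRED, 0x1, 1, 0x40000000009, 0),
    ("C", SMB2_SESSION_SETUP, STATUS_SUCCESS, 0x0, 2, 0x40000000009, 0),
    ("R", SMB2_SESSION_SETUP, STATUS_SUCCESS, 0x9, 2, 0x40000000009, 0),
    ("C", SMB2_TREE_CONNECT, STATUS_SUCCESS, 0x0, 3, 0x40000000009, 0),
    ("R", SMB2_TREE_CONNECT, STATUS_SUCCESS, 0x1, 3, 0x40000000009, 1),
]


def check_exchange(messages, signing_enabled=True):
    """Walk one client/server exchange and return (state, findings).

    state records what the exchange established (SessionId, TreeId, number of
    SESSION_SETUP round trips, whether authentication completed); findings lists
    every departure from the binding rules described in the text."""
    state = {"session_id": 0, "tree_id": 0, "rounds": 0, "authenticated": False}
    findings = []
    pending = None    # (Command, MessageId) of the request awaiting its response
    next_mid = None   # MessageId the next request must carry (CreditCharge 0 => +1)
    for direction, cmd, status, flags, mid, sid, tid in messages:
        tag = "%s msg %d" % ("request" if direction == "C" else "response", mid)
        if direction == "C":
            if flags & FLAG_SERVER_TO_REDIR:
                findings.append(tag + ": ServerToRedir set on a client request")
            if pending is not None:
                findings.append(tag + ": sent while msg %d is still unanswered" % pending[1])
            if next_mid is not None and mid != next_mid:
                findings.append(tag + ": expected MessageId %d" % next_mid)
            if sid != state["session_id"]:
                findings.append(tag + ": SessionId 0x%x, expected 0x%x" % (sid, state["session_id"]))
            if cmd == SMB2_TREE_CONNECT and not state["authenticated"]:
                findings.append(tag + ": TREE_CONNECT before SESSION_SETUP completed")
            pending, next_mid = (cmd, mid), mid + 1
            continue
        # Server response.
        if not flags & FLAG_SERVER_TO_REDIR:
            findings.append(tag + ": ServerToRedir clear on a server response")
        if pending != (cmd, mid):
            findings.append(tag + ": does not match the outstanding request")
        pending = None
        if cmd == SMB2_SESSION_SETUP:
            state["rounds"] += 1
            if state["session_id"] == 0:
                if sid == 0:
                    findings.append(tag + ": server did not assign a SessionId")
                state["session_id"] = sid      # server assigns the id on its first reply
            elif sid != state["session_id"]:
                findings.append(tag + ": SessionId changed during authentication")
            if status == STATUS_SUCCESS:
                state["authenticated"] = True
                if signing_enabled and not flags & FLAG_SIGNED:
                    findings.append(tag + ": final SESSION_SETUP response is not signed")
            elif status != STATUS_MORE_PROCESSING_REQUIRED:
                findings.append(tag + ": SESSION_SETUP failed with status 0x%08x" % status)
        elif cmd == SMB2_TREE_CONNECT and status == STATUS_SUCCESS:
            if tid == 0:
                findings.append(tag + ": TREE_CONNECT succeeded without a TreeId")
            state["tree_id"] = tid
    if pending is not None:
        findings.append("request msg %d was never answered" % pending[1])
    return state, findings


if __name__ == "__main__":
    final_state, problems = check_exchange(TRACE)
    print(final_state, problems or "no findings")
```

Run against the trace as transcribed, the tracker ends with SessionId 0x40000000009, TreeId 1, two SESSION_SETUP round trips and no findings; clearing the Signed bit on the final SESSION_SETUP response, or dropping the SessionId from the client's second request, each produces exactly one finding.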