Receiving an SMB_COM_TREE_CONNECT_ANDX Request

The processing of an SMB_COM_TREE_CONNECT_ANDX request is handled as specified in [MS-CIFS] section with the following additions:<113>

Requesting Extended Information

If the TREE_CONNECT_ANDX_EXTENDED_RESPONSE is set in the Flags field of the SMB_COM_TREE_CONNECT_ANDX request, then the server MUST respond with the structure specified in section

The server MUST populate the SMB_Parameters.Words.OptionalSupport field of the response with a value of Server.Share.OptionalSupport.

The server SHOULD<114> set SMB_UNIQUE_FILE_NAME bit in the OptionalSupport field if Share.ShareFlags contains the SHI1005_FLAGS_ALLOW_NAMESPACE_CACHING constant.

The server MUST calculate the maximal share access rights for the user that requests the tree connect using the following algorithm.

 MaxRights = 0x00000000
 IF Server.Share.FileSecurity == NULL
   MaxRights = 0xFFFFFFFF
   FOR EACH AccessBit value defined in section
     Compute access for the user, using Server.Share.FileSecurity and 
      Server.Session.SecurityContext, as described in [MS-DTYP] section
     IF access was granted
       MaxRights = MaxRights | AccessBit;
     END IF

The computed MaxRights ACCESS_MASK MUST be placed in the SMB_Parameters.Words.MaximalShareAccessRights of the response. The server MUST set Server.TreeConnect.MaximalAccess to MaximalShareAccessRights. If no access is granted for the client on this share, the server MUST fail the request with STATUS_ACCESS_DENIED and MUST increase ServerStatistics.sts0_permerrors by 1.

Using the same algorithm, the SMB_Parameters.Words.GuestMaximalAccessRights field of the response SHOULD<115> be set to the calculated highest access rights the guest account has on this share. Instead of using Server.Session.SecurityContext, the server MUST use the guest account's security context. If the system does not support the guest account, then it MUST set GuestMaximalAccessRights to zero.

Session Key Protection

If the client has set the TREE_CONNECT_ANDX_EXTENDED_SIGNATURE bit in the Flags field of the SMB_COM_TREE_CONNECT_ANDX request, then the server MUST hash the session key of the calling user. This protects the key used for signing by making it unavailable to server-side applications.

The one-way hash MUST be performed on the user session key by using the HMAC-MD5 algorithm, as specified in [RFC2104]. The steps are as follows:

  1. Take the 16-byte user session key from Server.Session.SessionKey.

    • If this is an LM authentication where the session key is only 8 bytes, then zero extend it to 16 bytes.

    • If the session key is more than 16 bytes, then use only the first 16 bytes.

  2. Calculate the one-way hash as follows:

     CALL hmac_md5( SSKeyHash, 256, session key, session key length, digest )
     SET user session key = digest

    The resulting 16-byte digest is treated as the user's new session key and returned to the caller who requests it. SSKeyHash is the well-known constant array that is described in section

After the session key has been hashed, the server MUST place the hash into Server.Session.SessionKey and set Server.Session.SessionKeyState to Available, which allows applications to query the session key. If the TREE_CONNECT_ANDX_EXTENDED_SIGNATURE bit is not set, then the Server.Session.SessionKey is not changed and Server.Session.SessionKeyState MUST be set to Available.