SMB study diary

Source: Internet | Published: 查找学位论文的数据库 | Editor: 程序博客网 | Date: 2024/06/16 10:06

Chapter 3

User authentication: If Client.Connection.ShareLevelAccessControl is FALSE (i.e. the server uses user-level access control; the NEGOTIATE_USER_SECURITY bit of SecurityMode in the SMB_COM_NEGOTIATE response is set)

For each existing Connection to the server in Client.ConnectionTable[ServerName], the client MUST search Client.Connection.SessionTable for a session that matches the user who is establishing the share connection. A valid session MUST be located either through the security context that represents the user or through the UID.

a. If such a session is found, it MUST be reused and processing continues.

b. If none is found, the client SHOULD reuse an existing connection that has already been identified or established, and MUST establish a new session for the user. The user's credentials, that is the user name together with the password or the password hash, MUST be stored in Client.Session.UserCredentials.

Signing:

The client-global Client.MessageSigningPolicy MUST be compared against the selected
Client.Connection.ServerSigningState, as per the following table. If the result is Blocked, the
underlying transport connection SHOULD be closed.

Note: Client.MessageSigningPolicy is client-global, while Client.Connection.ServerSigningState is per connection and comes from the SecurityMode byte of the SMB_COM_NEGOTIATE response. The two are compared with the spec's table, and a result of Blocked means the client closes the transport connection rather than falling back to an unsigned session.

If the client's Client.MessageSigningPolicy is "Required", the client MUST set the
SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED bit in the Flags2 field of the
SMB_COM_SESSION_SETUP_ANDX request SMB header to indicate that the client refuses to
connect if signing is not used.

If Client.MessageSigningPolicy is Required, the client MUST set the SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED bit (0x0010) in the Flags2 field of the SMB header of the SMB_COM_SESSION_SETUP_ANDX request, to indicate that the client refuses to connect unless signing is used.
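The negotiation step above, as an added example (this is not code from the page or from MS-CIFS). It derives Client.Connection.ServerSigningState and Client.Connection.ShareLevelAccessControl from the SecurityMode byte of the SMB_COM_NEGOTIATE response, applies the policy comparison, and sets the Flags2 bit for the session setup request. The page does not reproduce the spec's comparison table, so the SIGNING_TABLE below is an assumption reconstructed from the usual SMB signing matrix and should be checked against the spec.

```python
"""Client-side SMB1 signing negotiation (added example, not from the page or MS-CIFS)."""

# SecurityMode bits of the SMB_COM_NEGOTIATE response
NEGOTIATE_USER_SECURITY = 0x01                 # clear => share-level access control
NEGOTIATE_ENCRYPT_PASSWORDS = 0x02
NEGOTIATE_SECURITY_SIGNATURES_ENABLED = 0x04
NEGOTIATE_SECURITY_SIGNATURES_REQUIRED = 0x08

# Flags2 bit the client sets in SMB_COM_SESSION_SETUP_ANDX when its policy is Required
SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED = 0x0010

# (Client.MessageSigningPolicy, Client.Connection.ServerSigningState) -> result.
# Assumption: reconstructed from the standard SMB signing matrix; verify against the spec's table.
SIGNING_TABLE = {
    ("Disabled", "Disabled"): "Off",
    ("Disabled", "Enabled"):  "Off",
    ("Disabled", "Required"): "Blocked",
    ("Enabled",  "Disabled"): "Off",
    ("Enabled",  "Enabled"):  "On",
    ("Enabled",  "Required"): "On",
    ("Required", "Disabled"): "Blocked",
    ("Required", "Enabled"):  "On",
    ("Required", "Required"): "On",
}


def server_signing_state(security_mode: int) -> str:
    """Client.Connection.ServerSigningState from the NEGOTIATE SecurityMode byte."""
    if security_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED:
        return "Required"
    if security_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED:
        return "Enabled"
    return "Disabled"


def share_level_access_control(security_mode: int) -> bool:
    """Client.Connection.ShareLevelAccessControl is TRUE when the USER_SECURITY bit is clear."""
    return not (security_mode & NEGOTIATE_USER_SECURITY)


def negotiate_signing(client_policy: str, security_mode: int) -> dict:
    """Compare the client policy with the server state; 'Blocked' means close the transport."""
    state = server_signing_state(security_mode)
    result = SIGNING_TABLE[(client_policy, state)]
    flags2 = 0
    if client_policy == "Required":
        flags2 |= SMB_FLAGS2_SMB_SECURITY_SIGNATURE_REQUIRED
    return {
        "server_signing_state": state,
        "result": result,
        "close_transport": result == "Blocked",
        "session_setup_flags2": flags2,
    }


if __name__ == "__main__":
    # Constructed SecurityMode values: 0x03 = user security + encrypted passwords, signing off;
    # 0x07 adds signing enabled; 0x0F adds signing required.
    for policy in ("Disabled", "Enabled", "Required"):
        for mode in (0x03, 0x07, 0x0F):
            print(policy, hex(mode), negotiate_signing(policy, mode))
```

The practitioner point is the "Enabled"/"Disabled" row: a client whose policy is merely Enabled ends up with signing Off against a server that has it disabled, so only a policy of Required (which also sets the Flags2 bit) guarantees the connection is either signed or closed.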

Figure 2: User authentication and session establishment sequence
The diagram illustrates the sequence of events during the protocol negotiation and session
establishment process. After the initial SMB_COM_NEGOTIATE command exchange has been
completed, the SMB_COM_NEGOTIATE exchange MUST NOT be repeated over the same SMB
connection; otherwise, the server disconnects the client by closing the underlying transport
connection. The parameters returned in the SMB_COM_NEGOTIATE response MUST be used when
creating new sessions over the same connection.

User authentication and session establishment sequence.

The figure shows the order of events during protocol negotiation and session establishment. Once the SMB_COM_NEGOTIATE exchange has completed, it MUST NOT be repeated over the same SMB connection; otherwise the server drops the client by closing the underlying transport connection.

The parameters returned in the SMB_COM_NEGOTIATE response MUST be used when creating new sessions over that same connection, so the negotiated dialect, capabilities and signing state are fixed for the life of the transport connection.


 Receiving an SMB_COM_SESSION_SETUP_ANDX Response

Activating Signing
If authentication has completed successfully, Client.Connection.IsSigningActive is FALSE, and
the targeted behavior for this connection is signed according to the description in section 3.2.4.2.3,
then the client MUST determine whether signing is required to be activated.
To determine whether signing is required to be active, the user security context that completed
authentication is verified. If the user that authenticated is a guest or is anonymous, then signing
MUST NOT be activated. Guest authentication is indicated by bit zero in the Action field of the
SMB_COM_SESSION_SETUP_ANDX response being set. Anonymous authentication is indicated by
the fact that no credentials are provided.

If authentication completed successfully, Client.Connection.IsSigningActive is still FALSE, and the targeted behaviour for the connection is signed, the client looks at the security context that authenticated to decide whether signing should be activated. If the authenticated user is a guest or anonymous, signing MUST NOT be activated.

A guest logon is indicated by bit 0 (0x0001) of the Action field in the SMB_COM_SESSION_SETUP_ANDX response being set (it is the bit being set, not the field being zero, that marks a guest).

An anonymous logon is one for which no credentials were supplied. In both cases there is no secret shared with the server from which a signing key could be derived, so a session that was downgraded to guest is also a session without integrity protection.


If neither of these conditions are true, then the client MUST activate signing as follows:
If CAP_EXTENDED_SECURITY is set in Client.Connection.ServerCapabilities, the client MUST
use GSS-API to query the session key used in this authentication and store the
ExportedSessionKey returned by GSS-API into Client.Connection.SigningSessionKey. The
client MUST set Client.Connection.SigningChallengeResponse to NULL.
If CAP_EXTENDED_SECURITY is not set in Client.Connection.ServerCapabilities, the client
MUST use NTLM to query the session key used in this authentication.
For NTLMv1 – the client MUST store SessionBaseKey, returned by the NTOWFv1 function
defined in [MS-NLMP] section 3.3.1, into Client.Connection.SigningSessionKey.
For NTLMv2 – the client MUST store SessionBaseKey, returned by the NTOWFv2 function
defined in [MS-NLMP] section 3.3.2, into Client.Connection.SigningSessionKey.


If neither of the above conditions is TRUE, the client MUST activate signing as follows:

If CAP_EXTENDED_SECURITY is set in Client.Connection.ServerCapabilities, the client MUST query the session key of this authentication through GSS-API and store the ExportedSessionKey returned by GSS-API in Client.Connection.SigningSessionKey. The client MUST set Client.Connection.SigningChallengeResponse to NULL.

If CAP_EXTENDED_SECURITY is not set in Client.Connection.ServerCapabilities, the client MUST use NTLM to query the session key of this authentication.

For NTLMv1, the client MUST store the SessionBaseKey of [MS-NLMP] section 3.3.1 in Client.Connection.SigningSessionKey. Note that NTOWFv1 is the NT hash itself (MD4 of the UTF-16LE password); the NTLMv1 SessionBaseKey is MD4(NTOWFv1(Passwd)).

For NTLMv2, the client MUST store the SessionBaseKey of [MS-NLMP] section 3.3.2 in Client.Connection.SigningSessionKey, which is HMAC_MD5(NTOWFv2(Passwd, User, UserDom), NTProofStr).
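The activation procedure above, as an added example (this is not code from the page or from MS-CIFS / MS-NLMP). It implements the guest and anonymous check on the Action field, the choice of Client.Connection.SigningSessionKey for the extended-security, NTLMv1 and NTLMv2 cases, and then goes one step further than the text and uses that key to sign an SMB message the way MS-CIFS 3.1.4.1 describes: the sequence number is placed in the SecuritySignature field, and the signature is the first 8 bytes of MD5 over SigningSessionKey || SigningChallengeResponse || message. MD4 is written out because hashlib.new("md4") is missing on many OpenSSL 3 builds. Assumptions: the NTProofStr, the NT challenge response and the sample SMB header are constructed test data, and for raw NTLM the stored challenge response is taken to be the NT response sent in SMB_COM_SESSION_SETUP_ANDX.

```python
"""SMB1 signing activation and message signing (added example, not from the page or the specs)."""
import hashlib
import hmac
import struct

SMB_SETUP_GUEST = 0x0001        # bit 0 of the Action field in the SESSION_SETUP_ANDX response
CAP_EXTENDED_SECURITY = 0x80000000
SIG_OFFSET = 14                 # SecuritySignature field inside the 32-byte SMB header


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, needed for NTOWFv1 and the NTLMv1 SessionBaseKey."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (mixing function, X[] index order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate registers so the next step updates the next one
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntowf_v1(password: str) -> bytes:
    """NT hash: MD4 of the UTF-16LE password (MS-NLMP 3.3.1)."""
    return md4(password.encode("utf-16le"))


def session_base_key_v1(password: str) -> bytes:
    """NTLMv1 SessionBaseKey = MD4(NTOWFv1(password)) (MS-NLMP 3.3.1)."""
    return md4(ntowf_v1(password))


def session_base_key_v2(password: str, user: str, domain: str, nt_proof_str: bytes) -> bytes:
    """NTLMv2 SessionBaseKey = HMAC_MD5(NTOWFv2, NTProofStr) (MS-NLMP 3.3.2)."""
    ntowf_v2 = hmac.new(ntowf_v1(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntowf_v2, nt_proof_str, "md5").digest()


def activate_signing(action, credentials_provided, server_capabilities,
                     exported_session_key=None, session_base_key=None, challenge_response=b""):
    """Return (SigningSessionKey, SigningChallengeResponse), or None if signing MUST NOT start."""
    if action & SMB_SETUP_GUEST or not credentials_provided:
        return None                             # guest or anonymous: no shared secret to sign with
    if server_capabilities & CAP_EXTENDED_SECURITY:
        return exported_session_key, b""        # GSS-API ExportedSessionKey; challenge response is NULL
    # Assumption: for raw NTLM the stored challenge response is the NT response from SESSION_SETUP_ANDX.
    return session_base_key, challenge_response


def sign_smb1(key: bytes, challenge_response: bytes, message: bytes, seq: int) -> bytes:
    """MS-CIFS 3.1.4.1: sequence number into SecuritySignature, then MD5(key||resp||msg)[:8]."""
    with_seq = message[:SIG_OFFSET] + struct.pack("<I", seq) + b"\x00" * 4 + message[SIG_OFFSET + 8:]
    sig = hashlib.md5(key + challenge_response + with_seq).digest()[:8]
    return message[:SIG_OFFSET] + sig + message[SIG_OFFSET + 8:]


def verify_smb1(key: bytes, challenge_response: bytes, signed: bytes, seq: int) -> bool:
    """Recompute the signature for the expected sequence number and compare in constant time."""
    expected = sign_smb1(key, challenge_response, signed, seq)[SIG_OFFSET:SIG_OFFSET + 8]
    return hmac.compare_digest(expected, signed[SIG_OFFSET:SIG_OFFSET + 8])


# Constructed sample: a minimal SMB_COM_TREE_CONNECT_ANDX (0x75) header with an empty body.
SAMPLE_MESSAGE = (b"\xffSMB\x75" + b"\x00" * 4 + b"\x18" + struct.pack("<H", 0xC005)
                  + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2
                  + struct.pack("<HHHH", 0, 0x1234, 0x0800, 1) + b"\x00" + struct.pack("<H", 0))

if __name__ == "__main__":
    state = activate_signing(0, True, 0, session_base_key=session_base_key_v1("password"),
                             challenge_response=b"\x11" * 24)     # constructed NT response
    key, resp = state
    signed = sign_smb1(key, resp, SAMPLE_MESSAGE, 2)
    print("signature:", signed[SIG_OFFSET:SIG_OFFSET + 8].hex(),
          "verifies:", verify_smb1(key, resp, signed, 2))
```

Two things worth noticing when reading the code: the sequence number is part of what is hashed, so a replayed message fails verification even though its bytes are intact, and for the extended-security path the challenge response contributes nothing (it is NULL), so the strength of the signature rests entirely on the ExportedSessionKey that GSS-API returns.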
