This SMB is used to further "set up" the session normally just established via the negotiate protocol.
One primary function is to perform a "user logon" in the case where the server is in user level security mode. The Uid in the SMB header is set by the client to the user identifier it wants associated with the AccountName, which is validated by the AccountPassword.
If the negotiated protocol is prior to NT LM 0.12, the format of SMB_COM_SESSION_SETUP_ANDX is:
Client Request                         | Description
=======================================|================================================
UCHAR WordCount;                       | Count of parameter words = 10
UCHAR AndXCommand;                     | Secondary (X) command; 0xFF = none
UCHAR AndXReserved;                    | Reserved (must be 0)
USHORT AndXOffset;                     | Offset to next command WordCount
USHORT MaxBufferSize;                  | Client maximum buffer size
USHORT MaxMpxCount;                    | Actual maximum multiplexed pending requests
USHORT VcNumber;                       | 0 = first (only), nonzero = additional VC number
ULONG SessionKey;                      | Session key (valid iff VcNumber != 0)
USHORT PasswordLength;                 | Account password size
ULONG Reserved;                        | Must be 0
USHORT ByteCount;                      | Count of data bytes; min = 0
UCHAR AccountPassword[];               | Account Password
STRING AccountName[];                  | Account Name
STRING PrimaryDomain[];                | Client's primary domain
STRING NativeOS[];                     | Client's native operating system
STRING NativeLanMan[];                 | Client's native LAN Manager type
and the response is:
Server Response                        | Description
=======================================|================================================
UCHAR WordCount;                       | Count of parameter words = 3
UCHAR AndXCommand;                     | Secondary (X) command; 0xFF = none
UCHAR AndXReserved;                    | Reserved (must be 0)
USHORT AndXOffset;                     | Offset to next command WordCount
USHORT Action;                         | Request mode: bit0 = logged in as GUEST
USHORT ByteCount;                      | Count of data bytes
STRING NativeOS[];                     | Server's native operating system
STRING NativeLanMan[];                 | Server's native LAN Manager type
STRING PrimaryDomain[];                | Server's primary domain
If the server is in "share level security mode", the account name and password should be ignored by the server.
If challenge/response authentication is not being used, AccountPassword should be a null terminated ASCII string with PasswordLength set to the string size including the null; the password will be case insensitive. If challenge/response authentication is being used (see section 2.10), then AccountPassword will be the response to the server's challenge, and PasswordLength should be set to its length.
The server validates the name and password supplied and, if valid, registers the user identifier on this session as representing the specified AccountName. The Uid field in the SMB header will then be used to validate access on subsequent SMB requests. The SMB requests where permission checks are required are those which refer to a symbolically named resource, such as SMB_COM_OPEN, SMB_COM_RENAME, SMB_COM_DELETE, etc. The value of the Uid is relative to a specific client/server session, so it is possible to have the same Uid value represent two different users on two different sessions at the server.
Multiple session setup commands may be sent to register additional users on this session. If the server receives an additional SMB_COM_SESSION_SETUP_ANDX, only the Uid, AccountName and AccountPassword fields need contain valid values (the server MUST ignore the other fields).
The client writes the name of its domain in PrimaryDomain if it knows what the domain name is. If the domain name is unknown, the client either encodes it as a NULL string, or as a question mark.
If bit0 of Action is set, this informs the client that although the server did not recognize the AccountName, it logged the user in as a guest. This is optional behavior by the server, and in any case one would ordinarily expect guest privileges to be limited.
Another function of the Session Set Up protocol is to inform the server of the maximum values which will be utilized by this client. Here MaxBufferSize is the maximum message size which the client can receive. Thus although the server may support 16k buffers (as returned in the SMB_COM_NEGOTIATE response), if the client only has 4k buffers, the value of MaxBufferSize here would be 4096. The minimum allowable value for MaxBufferSize is 1024. The SMB_COM_NEGOTIATE response includes the server buffer size supported; that value is the maximum SMB message size which the client can send to the server. This size may be larger than the size returned to the server from the client via the SMB_COM_SESSION_SETUP_ANDX protocol, which is the maximum SMB message size which the server may send to the client. Thus if the server's buffer size were 4k and the client's buffer size were only 2K, the client could send up to 4k (standard) write requests but must only request up to 2k for (standard) read requests.
The field, MaxMpxCount informs the server of the maximum number of requests which the client will have outstanding to the server simultaneously (see sections 5.13 and 5.24).
The VcNumber field specifies whether the client wants this to be the first VC or an additional VC.
The values for MaxBufferSize, MaxMpxCount, and VcNumber must be less than or equal to the maximum values supported by the server as returned in the SMB_COM_NEGOTIATE response.
If the server gets an SMB_COM_SESSION_SETUP_ANDX request with VcNumber of 0 and other VCs are still connected to that client, they will be aborted, thus freeing any resources held by the server. This condition could occur if the client was rebooted and reconnected to the server before the transport level had informed the server of the previous VC termination.
If the negotiated SMB dialect is "NT LM 0.12" or later, the format of the response SMB is unchanged, but the request is:
Client Request                         | Description
=======================================|================================================
UCHAR WordCount;                       | Count of parameter words = 13
UCHAR AndXCommand;                     | Secondary (X) command; 0xFF = none
UCHAR AndXReserved;                    | Reserved (must be 0)
USHORT AndXOffset;                     | Offset to next command WordCount
USHORT MaxBufferSize;                  | Client's maximum buffer size
USHORT MaxMpxCount;                    | Actual maximum multiplexed pending requests
USHORT VcNumber;                       | 0 = first (only), nonzero = additional VC number
ULONG SessionKey;                      | Session key (valid iff VcNumber != 0)
USHORT CaseInsensitivePasswordLength;  | Account password size, ANSI
USHORT CaseSensitivePasswordLength;    | Account password size, Unicode
ULONG Reserved;                        | Must be 0
ULONG Capabilities;                    | Client capabilities
USHORT ByteCount;                      | Count of data bytes; min = 0
UCHAR CaseInsensitivePassword[];       | Account Password, ANSI
UCHAR CaseSensitivePassword[];         | Account Password, Unicode
STRING AccountName[];                  | Account Name, Unicode
STRING PrimaryDomain[];                | Client's primary domain, Unicode
STRING NativeOS[];                     | Client's native operating system, Unicode
STRING NativeLanMan[];                 | Client's native LAN Manager type, Unicode
The client expresses its capabilities to the server encoded in the Capabilities field:
Capability Name        | Encoding | Description
=======================|==========|====================================================
CAP_UNICODE            | 0x0004   | The client can use UNICODE strings
CAP_LARGE_FILES        | 0x0008   | The client can deal with files having 64 bit offsets
CAP_NT_SMBS            | 0x0010   | The client understands the SMBs introduced with the NT LM 0.12 dialect. Implies CAP_NT_FIND.
CAP_NT_FIND            | 0x0200   |
CAP_STATUS32           | 0x0040   | The client can receive 32 bit errors encoded in Status.Status
CAP_LEVEL_II_OPLOCKS   | 0x0080   | The client understands Level II oplocks
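As an added example (not part of the specification text), the following Python parses the NT LM 0.12 request body laid out in the two tables above, checking every length field against the bytes actually present before using it and decoding the Capabilities bits. It assumes the SMB header has already been removed, that the client did not set CAP_UNICODE (so the STRING fields are null-terminated ASCII), and uses a constructed sample message rather than captured traffic.

```python
import struct

# Capabilities bits, values as listed in the spec's table.
CAPS = {0x0004: "CAP_UNICODE", 0x0008: "CAP_LARGE_FILES", 0x0010: "CAP_NT_SMBS",
        0x0200: "CAP_NT_FIND", 0x0040: "CAP_STATUS32", 0x0080: "CAP_LEVEL_II_OPLOCKS"}

# The 13 parameter words of the NT LM 0.12 request, little-endian, following WordCount.
PARAMS = struct.Struct("<BBHHHHLHHLL")   # 26 bytes

def parse_session_setup_andx(body, server_max_buffer):
    """Parse an SMB_COM_SESSION_SETUP_ANDX request body (WordCount onward; the SMB
    header is assumed already stripped). Every length field is checked against the
    bytes actually present, so a forged password length cannot read past the buffer.
    Assumption: the client did not set CAP_UNICODE, so STRINGs are null-terminated ASCII."""
    if len(body) > server_max_buffer:
        raise ValueError("message exceeds the negotiated maximum transfer size")
    if len(body) < 1 + PARAMS.size + 2 or body[0] != 13:
        raise ValueError("WordCount must be 13 for an NT LM 0.12 request")
    (andx_cmd, andx_reserved, _andx_off, max_buf, max_mpx, vc_number, session_key,
     ci_len, cs_len, reserved, caps) = PARAMS.unpack_from(body, 1)
    byte_count, = struct.unpack_from("<H", body, 1 + PARAMS.size)
    data = body[1 + PARAMS.size + 2:]
    if andx_reserved != 0 or reserved != 0:
        raise ValueError("reserved fields must be 0")
    if max_buf < 1024:
        raise ValueError("MaxBufferSize below the 1024 minimum")
    if byte_count != len(data):
        raise ValueError("ByteCount does not match the data bytes present")
    if ci_len + cs_len > byte_count:
        raise ValueError("password lengths exceed ByteCount")
    ci_pw, cs_pw = data[:ci_len], data[ci_len:ci_len + cs_len]
    strings = data[ci_len + cs_len:].split(b"\x00")
    if len(strings) < 5:   # four terminated STRINGs leave a trailing empty piece
        raise ValueError("missing or unterminated STRING field")
    account, domain, native_os, native_lm = (s.decode("ascii") for s in strings[:4])
    if caps & 0x0010:      # CAP_NT_SMBS implies CAP_NT_FIND
        caps |= 0x0200
    return {"andx_command": andx_cmd, "max_buffer_size": max_buf, "max_mpx_count": max_mpx,
            "vc_number": vc_number, "session_key": session_key if vc_number else None,
            "capabilities": sorted(n for bit, n in CAPS.items() if caps & bit),
            "ci_password": ci_pw, "cs_password": cs_pw, "account_name": account,
            "primary_domain": domain, "native_os": native_os, "native_lanman": native_lm}

def build_sample():
    """Constructed sample request (not captured traffic): both challenge responses are
    placeholder 24-byte blobs, no AndX command chained, CAP_UNICODE not set."""
    ci_pw, cs_pw = b"\x11" * 24, b"\x22" * 24
    data = ci_pw + cs_pw + b"alice\x00WORKGROUP\x00Unix\x00Samba\x00"
    params = PARAMS.pack(0xFF, 0, 0, 4096, 50, 0, 0, len(ci_pw), len(cs_pw), 0, 0x00D0)
    return bytes([13]) + params + struct.pack("<H", len(data)) + data
```

Corrupting CaseInsensitivePasswordLength in the sample (it sits at body offset 15) makes the parser reject the message instead of slicing beyond the data block, which is the check a server-side implementation most needs here.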
The entire message sent and received, including the optional ANDX SMB, must fit in the negotiated maximum transfer size. The following are the only valid SMB commands for AndXCommand for SMB_COM_SESSION_SETUP_ANDX:
SMB_COM_TREE_CONNECT_ANDX
SMB_COM_OPEN
SMB_COM_OPEN_ANDX
SMB_COM_CREATE
SMB_COM_CREATE_NEW
SMB_COM_CREATE_DIRECTORY
SMB_COM_DELETE
SMB_COM_DELETE_DIRECTORY
SMB_COM_FIND
SMB_COM_FIND_UNIQUE
SMB_COM_COPY
SMB_COM_RENAME
SMB_COM_NT_RENAME
SMB_COM_CHECK_DIRECTORY
SMB_COM_QUERY_INFORMATION
SMB_COM_SET_INFORMATION
SMB_COM_NO_ANDX_COMMAND
SMB_COM_OPEN_PRINT_FILE
SMB_COM_GET_PRINT_QUEUE
SMB_COM_TRANSACTION
ERRSRV/ERRerror - no NEG_PROT issued
ERRSRV/ERRbadpw - password not correct for given username
ERRSRV/ERRtoomanyuids - maximum number of users per session exceeded
ERRSRV/ERRnosupport - chaining of this request to the previous one is not supported