In order to access a file on a server, a client has to:
This process may be repeated as many times as desired. Once the connection has been idle for a while, it may be torn down. 2.1 Server Name DeterminationHow the client determines the name of the server and the relative name within the server is outside of the scope of this document. However, just for expository purposes, here are three examples. In the URL "file://fs.megacorp.com/users/fred/stuff.txt", the client could take the part between the leading double slashes and the next slash as the server name and the remainder as the relative name in this example "fs.megacorp.com" and "/users/fred/stuff.txt", respectively. In the path name "\\corpserver\public\policy.doc" the client could take the part between the leading double backslashes and the next slash as the server name, and the remainder as the relative name in this example, "corpserver" and "\public\policy.doc" respectively. In the path name "x:\policy.doc" the client could use "x" as an index into a table that contains a server name and a file name prefix. If the contents of such a table for "x" were "corpserver" and "\public", then the server name and relative name would be the same as in the previous example. 2.2 Server Name ResolutionLike server name determination, how the client resolves the name to the transport address of the server is outside the scope of this document. All that is required by CIFS is that a CIFS client MUST have some means to resolve the name of a CIFS server to a transport address, and that a CIFS server MUST register its name with a name resolution service known its clients . Some examples of name resolution mechanisms include: using the Domain Name System (DNS) [1,2], and using NETBIOS name resolution (see RFC 1001 and RFC 1002 [3,4]). The server name might also be specified as the string form of an IPv4 address in the usual dotted decimal notation, e.g., "157.33.135.101"; in this case, "resolution" consists of converting to the 32 bit IPv4 address. Which method is used is configuration dependent; the default SHOULD be DNS to encourage interoperability over the Internet. Note: The name resolution mechanism used may place constraints on the form of the server name; for example, in the case of NETBIOS, the server name must be 15 characters or less, and MUST be upper case. 2.3 Sample Message FlowThe following illustrates a typical message exchange sequence for a client connecting to a user level server, opening a file, reading its data, closing the file, and disconnecting from the server. Note: using the CIFS request batching mechanism (called the "AndX" mechanism), the second to sixth messages in this sequence can be combined into one, so that there are really only three round trips in the sequence. The last trip can be handled asynchronously by the client.
2.4 CIFS Protocol Dialect NegotiationThe first message sent from a CIFS client to a CIFS server must be one whose Command field is SMB_COM_NEGOTIATE. The format of this client request includes an array of NULL terminated strings indicating the dialects of the CIFS protocol which the client supports. The server compares this list against the list of dialects the server supports and returns the index of the chosen dialect in the response message. 2.5 Message TransportCIFS is transport independent. The CIFS protocol assumes:
It can run over any transport that meets these requirements. Some transports do not natively meet all the requirements, and a standard encapsulation of CIFS for that transport may need to be defined. Appendix A defines how to run CIFS over NETBIOS over TCP; Appendix B defines how to run CIFS over TCP. 2.5.1 Connection ManagementOnce a connection is established, the rules for reliable transport connection dissolution are:
2.6 Opportunistic LocksThe CIFS protocol includes a mechanism called "opportunistic locks", or oplocks, that allows the client to lock a file in such a manner that the server can revoke the lock. The purpose of oplocks is to allow file data caching on the client to occur safely. It does this by defining the conditions under which an oplock is revoked . When a client opens a file it may request an oplock on the file. If the oplock is given the client may safely perform caching. At some point in the future a second client may open the file. The following steps provide an overview of the actions taken in response to the open from the second client:
As can be seen from the above steps, the first client has the opportunity to write back data and acquire record locks before the second client is allowed to examine the file. Because of this a client that holds an oplock can aggressively cache file data and state. Anecdotal evidence suggests that oplocks provide a performance boost in many real-world applications running on existing CIFS client implementations while preserving data integrity. 2.6.1 Oplock TypesThere are three types of oplocks:
Versions of the CIFS file sharing protocol including and newer than the "LANMAN1.0" dialect support oplocks. Level II oplocks were introduced in NTLM 0.12. 2.6.1.1 Exclusive and Batch OplocksWhen a client has an exclusive oplock on a file, it is the only client to have the file open. The exclusive oplock allows the client to safely perform file data read and write caching, metadata caching, and record lock caching. All other operations on the file cannot be safely cached. The server may revoke the exclusive oplock at any time. The client is guaranteed that the server will revoke the exclusive oplock prior to another client successfully opening the file. This gives the client that holds the oplock the opportunity to write back cached information to the file. The batch oplock was introduced to allow a client to defer closing a file that was opened and reopened repetitively by an application. It has the same semantics as the exclusive oplock with the following additional guarantee. The client holding a batch oplock has the additional guarantee that the server will revoke the batch oplock prior to another client successfully making any change to the file. When a client opens a file it can specify that it wants an exclusive oplock, a batch oplock, or no oplock. Exclusive and batch oplocks can only be obtained as a side effect of a file being opened. The protocol does not support other means to obtain exclusive and batch oplocks. Oplocks can only be obtained on files. Oplocks are not supported on directories and named pipes. However it is not an error to request an oplock on directories and named pipes. In this case the server must return that no oplock was granted. The server response to a successful open request includes information about what type of oplock was obtained. A server that does not support oplocks should always return that no oplock was granted. A client that requests an exclusive oplock will get one of the following:
A client that requests a batch oplock will get one of the following:
A client that requests no oplock will always get no oplock. The following diagrams the behavior of various clients and the server when an exclusive oplock is obtained on a file and subsequently revoked. The diagram also applies to a batch oplock.
The revoking of an exclusive or batch oplock involves the server sending an oplock break message to the client, followed by the client flushing file information to the server, followed by the client releasing the oplock. If the client does not respond by releasing the oplock within a period of time acceptable to the server, then the server may consider the oplock released and allow pending operations to proceed. The protocol does not define the duration of the time out period. When a client opens a file that already has an exclusive oplock, the server first checks the share mode on the file. If the sharing allows the client open to succeed then the exclusive oplock is broken, after which the open is allowed to proceed. When a client opens a file that already has a batch oplock, the server first revokes the batch oplock. Then the open is allowed to proceed. The reason for this server behavior is that it gives the holder of the oplock the opportunity to close the file. This in turn allows the open to obtain an exclusive or batch oplock. When a client opens a file that has a security descriptor, the server first checks if the open for the desired access is allowed by the security descriptor. If access is not allowed, the open fails. Any exclusive or batch oplock on the file is not disturbed. Because of this behavior a client holding an exclusive or batch oplock cannot safely cache security descriptor information 2.6.1.2 Level II OplocksWhen a client has a level II oplock on a file, it is an indication to the client that other clients may also have the file open. The level II oplock allows the client to safely perform file data read caching. All other operations on the file cannot be safely cached. The server may revoke the level II oplock at any time. The client is guaranteed that the server will revoke the level II oplock prior to another client successfully writing the file. This gives the client that holds the level II oplock the opportunity to discard its cached data. Note however that the level II oplock is revoked differently than an exclusive or batch oplock. A level II oplock break is sent to the client, but a response from the client is not expected. The server allows the write to proceed immediately after the level II oplock break is sent to the client. A client cannot explicitly request that a level II oplock be granted. A level II oplock is granted either when a file is opened or when a server revokes an exclusive or batch oplock. When a file is opened the client may request an exclusive or batch oplock. The server has the option of granting a level II oplock instead of the requested type of oplock. This is the only way to obtain a level II oplock when a file is opened. When a server revokes an exclusive or batch oplock, it may indicate to the client that in conjunction with the revocation that the client is being granted a level II oplock. The following diagrams the behavior of various clients and the server when a level II oplock is obtained on a file and subsequently revoked.
2.6.2 Comparison with Other File Locking MethodsThe CIFS protocol has three mechanisms to enable a client to control how other clients access a file.
Of the three, the server may revoke only opportunistic locks. Byte range and sharing locks are held for as long as the client desires. Historically on client systems, byte range and sharing locks are exposed to the application. This allows the application to have explicit control over the obtaining and releasing of these types of locks. Typically however oplocks are not exposed to the application. They are implemented inside the client operating system. The client operating system decides when it is appropriate to obtain and release oplocks. It also handles all of the issues related to revoking of oplocks by the server. 2.6.3 Oplock SMBsThis section summarizes the SMB commands that affect oplocks. 2.6.3.1 Obtaining an OplockThe following SMB commands may be used to obtain an oplock:
The server may only grant a level II oplock to a client for a file when that file is opened using one of "SMB_COM_NT_CREATE_ANDX" or "SMB_COM_NT_TRANSACT (NT_CREATE)". 2.6.3.2 Releasing an OplockA client releases an oplock with the SMB_COM_LOCKING_ANDX command. Alternatively the client may release the oplock by closing the file with the SMB_COM_CLOSE command. Any operation that would invalidate the file handle results in the oplock being released. This includes disconnecting the tree, logging off the user that opened the file, and any action that would disconnect the session. A client should release its exclusive or batch oplock on a file in response to the server revoking the oplock. Failure to do so is a violation of the protocol. A client does not need to release a level II oplock (i.e. respond to the server) on a file in response to the server revoking the oplock. However doing so is not an error. 2.6.3.3 Revoking an OplockThe server revokes a client's oplock by sending a SMB_COM_LOCKING_ANDX command to the client. The command is sent asynchronously sent from the server to the client. This message has the LOCKING_ANDX_OPLOCK_RELEASE flag set indicating to the client that the oplock is being broken. OplockLevel indicates the type of oplock the client now owns. If OplockLevel is 0, the client possesses no oplocks on the file at all. If OplockLevel is 1, the client possesses a Level II oplock. The client is expected to flush any dirty buffers to the server, submit any file locks, and respond to the server with either an SMB_LOCKING_ANDX SMB having the LOCKING_ANDX_OPLOCK_RELEASE flag set, or with a file close if the file is no longer in use by the client. 2.6.4 Other IssuesSince a close being sent to the server and break oplock notification from the server could cross on the wire, if the client gets an oplock notification on a file that it does not have open, that notification should be ignored. The client is guaranteed that an oplock break notification will not be issued before the server has sent the response to the file open. Due to timing, the client could get an "oplock broken" notification in a user's data buffer as a result of this notification crossing on the wire with an SMB_COM_READ_RAW request. The client must detect this (use length of message, "FFSMB," MID of -1 and Command of SMB_COM_LOCKING_ANDX) and honor the "oplock broken" notification as usual. The server must also note on receipt of an SMB_COM_READ_RAW request that there is an outstanding (unanswered) "oplock broken" notification to the client; it must then return a zero length response denoting failure of the read raw request. The client should (after responding to the "oplock broken" notification) use a non-raw read request to redo the read. This allows a file to actually contain data matching an "oplock broken" notification and still be read correctly. When an exclusive or batch oplock is being revoked, more than one client open request may be paused until the oplock is released. Once the oplock is released, the order that the paused open requests are processed is not defined. The protocol allows a client to obtain an oplock and then issue an operation that causes the oplock to be revoked. An example of this is a client obtaining an exclusive oplock on a file and then opening the file a second time. The protocol allows a client to have a file open multiple times, and each open could have a level II oplock associated with it. A server may choose not to support this situation by simply not handing out more than one level II oplock for a particular file to a particular client. The protocol allows a server to grant on a single file a level II oplock for some opens and no oplock for other opens. A server may have heuristics that indicate some file opens would not benefit from a level II oplock. A server that supports access to files via mechanisms other than this protocol must revoke oplocks as necessary to preserve the semantics expected by the clients owning the oplocks. A client that has an exclusive or batch oplock on a file may cache file metadata. This includes the following information: create time, modify time, access time, change time, file size, file attributes, and extended attributes size. However a server is not required to break an oplock when a second client examines file metadata. Clients should be aware of this behavior when examining file metadata without having the file open. When a server revokes an exclusive or batch oplock it may grant a level II oplock in its place. The client should consider the level II oplock in effect after the client has released the exclusive or batch oplock. The server may decide to revoke the level II oplock before the client has released the exclusive or batch oplock. In this situation the client should behave as if the revoke of the level II oplock arrived just after the exclusive or batch oplock was released. 2.7 Security ModelEach server makes a set of resources available to clients on the network. A resource being shared may be a directory tree, printer, etc. So far as clients are concerned , the server has no storage or service dependencies on any other servers; a client considers the server to be the sole provider of the file (or other resource) being accessed. The CIFS protocol requires server authentication of users before file accesses are allowed, and each server authenticates its own users. A client system must send authentication information to the server before the server will allow access to its resources. A server requires the client to provide a user name and some proof of identity (often something cryptographically derived from a password) to gain access. The granularity of authorization is up to the server. For example, it may use the account name to check access control lists on individual files, or may have one access control list that applies to all files in the directory tree. When a server validates the account name and password presented by the client, an identifier representing that authenticated instance of the user is returned to the client in the Uid field of the response SMB. This Uid must be included in all further requests made on behalf of the user from that client. 2.8 AuthenticationThis section defines the CIFS user and message authentication protocols. User authentication allows the server to verify that the client knows a password for a user. Message authentication allows messages in a session to be verified by both the server and the client. 2.8.1 OverviewUser authentication is based on the shared knowledge of the user's password. There are two styles of user authentication. The first involves the client sending passwords in plain text to the server. The second involves a challenge/response protocol. Plain text password authentication exposes the user's password to programs that have access to the CIFS protocol data on the network. For this reason plain text password authentication is discouraged and by default should be disabled in CIFS protocol implementations. With the challenge/response protocol the server sends a "challenge" to the client, which the client responds to in a way that proves it knows the user's password. A "response" is created from the challenge by encrypting it with a 168 bit "session key" computed from the user's password. The response is then returned to the server, which can validate the response by performing the same computation. The user authentication protocol is described as if the CIFS server keeps a client's password. However an implementation might actually store the passwords on a key distribution server and have servers use a protocol outside the scope of this document to enable them to perform the steps required by this protocol. Messages may be authenticated by computing a message authentication code (MAC) for each message and attaching it to the message. The MAC used is a keyed MD5 construction similar to that used in IPSec [RFC 1828], using a "MAC key" computed from the session key, and the response to the server's challenge. The MAC is over both the message text and an implicit sequence number, to prevent replay attacks. 2.8.2 Base AlgorithmsFollowing are definitions of algorithms used by the authentication algorithms. E(K, D)
Ex(K,D)
concat(A, B, ..., Z)
head(S, N)
swab(S)
zeros(N)
ones(N)
xor(A, B)
and(A, B)
substr(S, A, B)
2.8.3 Authentication AlgorithmsFollowing are definitions of the authentication algorithms. 2.8.3.1 NT Session KeyThe session key S21 and partial MAC key S16 are computed as
where
2.8.3.2 LM Session KeyThe session key S21 and partial MAC key S16 are computed as
Where
2.8.3.3 ResponseThe response to the challenge RN is computed as
Where
2.8.3.4 MAC keyThe MAC key is computed as follows :
Where
2.8.3.5 Message Authentication CodeThe MAC is the keyed MD5 construction:
Where
2.8.4 Session Authentication Protocol2.8.4.1 Plain Text PasswordIf plaintext password authentication was negotiated, clients send the plaintext password in SMB_COM_TREE_CONNECT , SMB_COM_TREE_CONNECT_ANDX , and/or SMB_COM_SESSION_SETUP_ANDX . The SMB field used to contain the response depends upon the request:
2.8.4.2 Challenge/ResponseThe challenge C8 from the server to the client is contained in the EncryptionKey field in the SMB_COM_NEGPROT response. Clients send the response to the challenge in SMB_COM_TREE_CONNECT , SMB_COM_TREE_CONNECT_ANDX , and/or SMB_COM_SESSION_SETUP_ANDX . The SMB field used to contain the response depends upon the request:
The challenge/response authentication protocol has the following steps:
2.8.5 Message authentication codeOnce a user logon has been authenticated, each message can be authenticated as well. This will prevent man in the middle attacks, replay attacks, and active message modification attacks. To use message authentication, the client sets SMB_FLAGS2_SMB_SECURITY_SIGNATURE in SMB_COM_SESSION_SETUP_ANDX request to the server, and includes a MAC. If the resulting logon is non-null and non-guest, then the SMB_COM_SESSION_SETUP_ANDX response and all subsequent SMB requests and responses must include a MAC. The first non-null, non-guest logon determines the key to be used for the MAC for all subsequent sessions. Message authentication may only be requested when the "NTLM 0.12" dialect has been negotiated. If message authentication is used, raw mode MUST not be used (because some raw mode messages have no headers in which to carry the MAC). Let
The SN is logically contained in each message and participates in the computation of the MAC. For each message sent in the session, the following procedure is followed:
In each message that contains a MAC, the following bit is set in the flags2 field: #define SMB_FLAGS2_SMB_SECURITY_SIGNATURES 0x0004 The sender of a message inserts the sequence number SSN into the message by putting it into the first 4 bytes of the SecuritySignature field and zeroing the last 4 bytes, computes the MAC over the entire message, then puts the MAC in the field. The receiver of a message validates the MAC by extracting the value of the SecuritySignature field, putting its ESN into the first 4 bytes of the SecuritySignature field and zeroing the last 4 bytes, computing the MAC, and comparing it to the extracted value. Oplock break messages from the server to the client may not use message authentication, even if it has been negotiated. 2.8.6 Security LevelThe SMB_COM_NEGPROT response from a server has the following bits in its SecurityMode field: #define NEGOTIATE_SECURITY_USER_LEVEL 0x01 #define NEGOTIATE_SECURITY_CHALLENGE_RESPONSE 0x02 #define NEGOTIATE_SECURITY_SIGNATURES_ENABLED 0x04 #define NEGOTIATE_SECURITY_SIGNATURES_REQUIRED 0x08 If NEGOTIATE_SECURITY_USER_LEVEL is set, then "user level" security is in effect for all the shares on the server. This means that the client must establish a logon (with SMB_COM_SESSION_SETUP_ANDX) to authenticate the user before connecting to a share, and the password to use in the authentication protocol described above is the user's password. If NEGOTIATE_SECURITY_USER_LEVEL is clear, then "share level" security is in effect for all the shares in the server. In this case the authentication protocol is a password for the share. If NEGOTIATE_SECURITY_CHALLENGE_RESPONSE is clear, then the server is requesting plaintext passwords. If NEGOTIATE_SECURITY_CHALLENGE_RESPONSE is set, then the server supports the challenge/response session authentication protocol described above, and clients should use it. Servers may refuse connections that do not use it. If the dialect is earlier than "NTLM 0.12" then the client computes the response using the "LM session key". If the dialect is "NTLM 0.12" then the client may compute the response either using the "LM session key", or the "NT session key", or both. The server may choose to refuse responses computed using the "LM session key". If NEGOTIATE_SECURITY_SIGNATURES_ENABLED is set, then the server supports the message authentication protocol described above, and the client may use it. This bit may only be set if NEGOTIATE_SECURITY_CHALLENGE_RESPONSE is set. If NEGOTIATE_SECURITY_SIGNATURES_REQUIRED is set, then the server requires the use of the message authentication protocol described above, and the client must use it. This bit may only be set if NEGOTIATE_SECURITY_SIGNATURES_ENABLED is set. This bit must not be set if NEGOTIATE_SECURITY_USER_LEVEL is clear (i.e., for servers using "share level" security). 2.9 Distributed File System (DFS) SupportProtocol dialects of NT LM 0.12 and later support distributed filesystem operations. The distributed filesystem gives a way for this protocol to use a single consistent file naming scheme which may span a collection of different servers and shares. The distributed filesystem model employed is a referral - based model. This protocol specifies the manner in which clients receive referrals. The client can set a flag in the request SMB header indicating that the client wants the server to resolve this SMB's paths within the DFS known to the server. The server attempts to resolve the requested name to a file contained within the local directory tree indicated by the TID of the request and proceeds normally. If the request pathname resolves to a file on a different system, the server returns the following error:
|