3.3.5.6 Receiving an SMB_COM_OPEN_ANDX Request

The processing of an SMB_COM_OPEN_ANDX request is handled as specified in [MS-CIFS] section 3.3.5.35 with the following additions:

If during the open processing the underlying object store returns STATUS_ACCESS_DENIED as specified in [MS-FSA] section 2.1.5.1.2, Server Requests an Open of an Existing File, the server MUST fail the request with STATUS_ACCESS_DENIED and MUST increase ServerStatistics.sts0_permerrors by 1.

If the underlying object store determines that encryption processing is required as specified in [MS-FSA] section 2.1.5.1.2, Open of an Existing File, the object store MUST return STATUS_CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE, indicating that a UserCertificate is necessary to successfully complete the operation. In this case, the server SHOULD attempt to obtain a user certificate by invoking the Application Requests for a User-Certificate Binding as specified in [MS-EFSR] section 3.1.4.1, passing the Server.Session.SecurityContext as the security context of the user. If the enrollment fails, the server MUST fail the request with the resulting error. Otherwise, the server SHOULD repeat the handling as specified in [MS-CIFS] section 3.3.5.35, extended<123> to additionally pass the returned certificate to the object store as the UserCertificate argument.

On a successful open, if the SMB_OPEN_EXTENDED_RESPONSE flag was set in the Flags field of the request, then the server SHOULD send an extended response, as specified in section 2.2.4.1.2.

If the server chooses to send the new response, then it MUST construct a response as detailed in section 2.2.4.1.2. The server MUST query the underlying object store for the granted access rights on the returned Server.Open. The server MUST use the granted access rights and SHOULD<124> set the MaximalAccessRights and GuestMaximalAccessRights fields in an implementation-specific manner. If the file has no security applied, MaximalAccessRights MUST be set to 0xFFFFFFFF. If no access is granted for the client on this share, the server MUST fail the request with STATUS_ACCESS_DENIED and MUST increase ServerStatistics.sts0_permerrors by 1.
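
The processing rules above, modeled as an added example that is not part of the specification or of any Microsoft implementation. The callbacks store_open, enroll_cert and query_access, the NO_SECURITY marker, and the choices to treat a zero mask as "no access" and to mirror the granted rights into MaximalAccessRights are assumptions; GuestMaximalAccessRights is not modeled.

```python
from dataclasses import dataclass

# Symbolic status names from this section; numeric values are deliberately omitted.
STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_ACCESS_DENIED = "STATUS_ACCESS_DENIED"
STATUS_CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE = "STATUS_CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE"
NO_SECURITY = "NO_SECURITY"  # hypothetical marker: the file has no security applied


@dataclass
class ServerStatistics:
    sts0_permerrors: int = 0


def handle_open_andx(stats, store_open, enroll_cert, query_access, extended_requested):
    """Model of the additions in this section. All callbacks are hypothetical:
    store_open(user_certificate) -> (status, open)
    enroll_cert() -> (status, certificate)   # stand-in for [MS-EFSR] 3.1.4.1
    query_access(open) -> granted rights mask, or NO_SECURITY
    Returns (status, response or None)."""
    status, open_ = store_open(None)
    if status == STATUS_CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE:
        enroll_status, cert = enroll_cert()
        if enroll_status != STATUS_SUCCESS:
            return enroll_status, None       # fail with the enrollment error
        status, open_ = store_open(cert)     # repeat, passing UserCertificate
    if status == STATUS_ACCESS_DENIED:
        stats.sts0_permerrors += 1           # counted on every permission failure
    if status != STATUS_SUCCESS:
        return status, None
    if not extended_requested:               # SMB_OPEN_EXTENDED_RESPONSE not set
        return STATUS_SUCCESS, {"extended": False}
    granted = query_access(open_)
    if granted == NO_SECURITY:
        maximal = 0xFFFFFFFF
    elif granted == 0:                       # assumption: zero mask means no access
        stats.sts0_permerrors += 1
        return STATUS_ACCESS_DENIED, None
    else:
        maximal = granted                    # assumption: mirror the granted rights
    return STATUS_SUCCESS, {"extended": True, "MaximalAccessRights": maximal}


if __name__ == "__main__":
    stats = ServerStatistics()
    # Constructed object store: demands a certificate first, then succeeds.
    store = lambda cert: ((STATUS_SUCCESS, "open-1") if cert
                          else (STATUS_CS_ENCRYPTION_EXISTING_ENCRYPTED_FILE, None))
    print(handle_open_andx(stats, store, lambda: (STATUS_SUCCESS, "cert"),
                           lambda o: 0x001F01FF, True))
```

When auditing an implementation, the points to check are that sts0_permerrors is incremented on both STATUS_ACCESS_DENIED paths and that an enrollment failure is returned as-is without a second open attempt.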