Greetings,
I have recently come into contact with several Windows XP SP2 machines
that are generating between 10,000 and 20,000 pps each. They are
sending multiple requests for RpcSeekPrinter (dcerpc opnum 53). Also
worth noting is the structure of the packet: it is padded with zeros and
consumes much bandwidth during the flood. Since the clients are
spending most of their time flooding the Samba spooler, they report
extremely slow file sharing and laggy application performance.
This seems to be related to Microsoft KB 329234 or possibly 811896.
I have read similar posts about this topic. They usually have to do
with slow printing. In our environment, we were alerted due to the
abnormally high network congestion and client CPU utilization caused by
this. The hotfix provided by Microsoft in 329234 is not appropriate for
our version of Windows. Our spooler DLLs are much newer than the patch.
Additionally, we tend to see the syslog message below when the client
spoolers are misbehaving. I interpreted the message as resource
exhaustion caused by the flooding clients. Is this correct?
Jan 8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0] libsmb/cliconnect.c:attempt_netbios_session_request(1558)
Jan 8 08:19:44 smbd[3182]: attempt_netbios_session_request: XP41413 rejected the session for name *SMBSERVER with error SUCCESS - 0
Jan 8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0] rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2590)
Jan 8 08:19:44 smbd[3182]: spoolss_connect_to_client: machine XP41413 rejected the NetBIOS session request.
Also, I found a registry edit on this list that might solve the
problem. Could someone elaborate on this?
I tried the registry edit on one host that was flooding the Samba print
server. Her machine stopped asking for opnum 53 and
began flooding (much more slowly, though) for opnum 08.
1. Edit the registry observing usual caution.
2. Locate the key HKEY_CURRENT_USER\Printers\DevModePerUser
3. Remove all VALUES for Network printers of the form:
\<print_server_name><printer_queue_name>
4. Locate the key HKEY_CURRENT_USER\Printers\DevModes2
5. Remove all VALUES for Network printers of the form:
\<print_server_name><printer_queue_name>
Upon request, I can provide network traces for these events.
Thanks,
Lou Goddard
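
Added example (not part of the original post, and not Samba code): a short Python script that tallies the spoolss_connect_to_client rejections quoted above per client and per minute, so the clients the print server fails to connect back to stand out. It assumes the syslog layout quoted in the post; the sample log is constructed from those lines, and the host XP00002 and the per_minute threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the records quoted in the post (mail wrapping kept)
# plus constructed repeats; XP00002 is a made-up second host.
SAMPLE_LOG = """\
Jan 8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0]
libsmb/cliconnect.c:attempt_netbios_session_request(1558)
Jan 8 08:19:44 smbd[3182]: attempt_netbios_session_request: XP41413
rejected the session for name *SMBSERVER with error SUCCESS - 0
Jan 8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0]
rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2590)
Jan 8 08:19:44 smbd[3182]: spoolss_connect_to_client: machine XP41413
rejected the NetBIOS session request.
Jan 8 08:19:51 smbd[3182]: spoolss_connect_to_client: machine XP41413
rejected the NetBIOS session request.
Jan 8 08:19:58 smbd[3190]: spoolss_connect_to_client: machine XP00002
rejected the NetBIOS session request.
Jan 8 08:20:03 smbd[3182]: spoolss_connect_to_client: machine XP41413
rejected the NetBIOS session request.
"""

# "Mon D HH:MM:SS [loghost] smbd[pid]:"; group 1 is the HH:MM bucket.
PREFIX = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d\d:\d\d):\d\d\s+(?:\S+\s+)?smbd\[\d+\]:\s*")
REJECT = re.compile(r"spoolss_connect_to_client: machine (\S+) "
                    r"rejected the NetBIOS session request")

def records(text):
    """Yield (minute, message), re-joining records split by line wrapping."""
    minute, parts = None, []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            if parts:
                yield minute, " ".join(parts)
            minute, parts = m.group(1), [line[m.end():].strip()]
        elif parts and line.strip():
            parts.append(line.strip())
    if parts:
        yield minute, " ".join(parts)

def rejections(text):
    """Count spoolss back-connect rejections per (client, minute)."""
    hits = Counter()
    for minute, msg in records(text):
        m = REJECT.search(msg)
        if m:
            hits[(m.group(1), minute)] += 1
    return hits

def noisy_clients(text, per_minute=2):
    """Clients with at least `per_minute` rejections in any one minute."""
    return sorted({c for (c, _), n in rejections(text).items() if n >= per_minute})
```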