samba - Apr 2001 - ERROR: out of Policy Handles! in Samba 2.0.7

Hello! I read some discussion about "ERROR: out of Policy 
Handles!" errors in the Samba mailing list, but no practical 
conclusions, or so it seems. I have a network where i get 
those errors each 15 minutes from two Windows NT 4.0 
servers. One is a Terminal Server running Citrix Metaframe 
1.8. The other is a Nt Server 4.0 that only does RAS. What 
can we do about these errors? Are effects can i expect when 
they happen? Details follow, including a tcpdump of a couple 
instances of the error. I hope it is useful to someone. 


Best regards,
Pedro



Server: Jerry (RH 7.0 with samba-2.0.7-21ssl).
It is working as a PDC for NT workstations and also the 
Windows NT Terminal Server machine.

Testparm dump from this server:

-------------
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[import]"
Loaded services file OK.
Press enter to see a dump of your service definitions

# Global parameters
[global]
        coding system = 
        client code page = 850
        workgroup = TORSLANDA
        netbios name = 
        netbios aliases = 
        netbios scope = 
        server string = Samba Server for Torslanda
        interfaces = 
        bind interfaces only = No
        security = USER
        encrypt passwords = Yes
        update encrypted = No
        allow trusted domains = Yes
        hosts equiv = 
        min password length = 5
        map to guest = Never
        null passwords = No
        password server = 
        smb passwd file = /etc/samba/smbpasswd
        root directory = /
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n 
*ReType*new*UNIX*password* %n\n 
*passwd:*all*authentication*tokens*updated*successfully*
        passwd chat debug = No
        username map = 
        password level = 0
        username level = 0
        unix password sync = Yes
        restrict anonymous = No
        use rhosts = No
        ssl = No
        ssl hosts = 
        ssl hosts resign = 
        ssl CA certDir = 
        ssl CA certFile = 
        ssl server cert = 
        ssl server key = 
        ssl client cert = 
        ssl client key = 
        ssl require clientcert = No
        ssl require servercert = No
        ssl ciphers = 
        ssl version = ssl2or3
        ssl compatibility = No
        debug level = 2
        syslog = 1
        syslog only = No
        log file = /var/log/samba/%m.log
        max log size = 0
        debug timestamp = Yes
        debug hires timestamp = No
        debug pid = No
        debug uid = No
        protocol = NT1
        read bmpx = No
        read raw = Yes
        write raw = Yes
        nt smb support = Yes
        nt pipe support = Yes
        nt acl support = Yes
        announce version = 4.2
        announce as = NT
        max mux = 50
        max xmit = 65535
        name resolve order = lmhosts host wins bcast
        max ttl = 259200
        max wins ttl = 518400
        min wins ttl = 21600
        time server = No
        change notify timeout = 60
        deadtime = 0
        getwd cache = Yes
        keepalive = 300
        lpq cache time = 10
        max disk size = 0
        max open files = 10000
        read prediction = No
        read size = 16384
        shared mem size = 1048576
        socket options = TCP_NODELAY SO_RCVBUF=8192 
SO_SNDBUF=8192
        stat cache size = 50
        load printers = Yes
        printcap name = /etc/printcap
        printer driver file = /etc/samba/printers.def
        strip dot = No
        character set = 
        mangled stack = 50
        stat cache = Yes
        domain groups = 
        domain admin group = 
        domain guest group = 
        domain admin users = 
        domain guest users = 
        machine password timeout = 604800
        add user script = 
        delete user script = 
        logon script = netlogon.bat
        logon path = \\%L\%U\profile
        logon drive = u:
        logon home = \\%N\%U
        domain logons = Yes
        os level = 20
        lm announce = Auto
        lm interval = 60
        preferred master = Yes
        local master = Yes
        domain master = Yes
        browse list = Yes
        dns proxy = No
        wins proxy = No
        wins server = 
        wins support = No
        wins hook = 
        kernel oplocks = Yes
        ole locking compatibility = Yes
        oplock break wait time = 10
        smbrun = /usr/bin/smbrun
        config file = 
        auto services = 
        lock directory = /var/lock/samba
        default service = 
        message command = 
        dfree command = 
        valid chars = 
        remote announce = 
        remote browse sync = 
        socket address = 0.0.0.0
        homedir map = auto.home
        time offset = 0
        unix realname = No
        NIS homedir = No
        source environment = 
        panic action = 
        comment = 
        path = 
        revalidate = No
        username = 
        guest account = nobody
        invalid users = 
        valid users = 
        admin users = 
        read list = 
        write list = 
        force user = 
        force group = 
        writeable = No
        create mask = 0744
        force create mode = 00
        security mask = -1
        force security mode = -1
        directory mask = 0755
        force directory mode = 00
        directory security mask = -1
        force directory security mode = -1
        inherit permissions = No
        guest only = No
        guest ok = No
        only user = No
        hosts allow = 192.168.1. 1.0.0. 127.
        hosts deny = 
        status = Yes
        max connections = 0
        min print space = 0
        strict sync = No
        sync always = No
        write cache size = 0
        printable = No
        postscript = No
        printing = lprng
        print command = lpr -r -P%p %s
        lpq command = lpq -P%p
        lprm command = lprm -P%p %j
        lppause command = 
        lpresume command = 
        queuepause command = 
        queueresume command = 
        printer = 
        printer driver = NULL
        printer driver location = 
        default case = lower
        case sensitive = No
        preserve case = Yes
        short preserve case = Yes
        mangle case = No
        mangling char = ~
        hide dot files = Yes
        delete veto files = No
        veto files = 
        hide files = 
        veto oplock files = 
        map system = No
        map hidden = No
        map archive = Yes
        mangled names = Yes
        mangled map = 
        browseable = Yes
        blocking locks = Yes
        fake oplocks = No
        locking = Yes
        oplocks = Yes
        level2 oplocks = No
        oplock contention limit = 2
        strict locking = No
        share modes = Yes
        copy = 
        include = 
        preexec = 
        preexec close = No
        postexec = 
        root preexec = 
        root preexec close = No
        root postexec = 
        available = Yes
        volume = 
        fstype = NTFS
        set directory = No
        wide links = Yes
        follow symlinks = Yes
        dont descend = 
        magic script = 
        magic output = 
        delete readonly = No
        dos filetimes = No
        dos filetime resolution = No
        fake directory create times = No

[homes]
        comment = Home Directories
        writeable = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = Yes
        share modes = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No


[import]
        comment = Import directory
        path = /home/import
        writeable = Yes
        create mask = 0765
        directory mask = 0771
-----


Client #1: Ras (Windows NT 4.0 Server with Service Pack 6a)
The only thing it does is validate users from the local sam. 
It doesn?t map anything from the server, or validate any 
user on it. It is standalone.


Client #2: Terminal Server 4.0 with Citrix Metaframe 1.8. 
Latest services packs on both os and Citrix. It validates 
users on the PDC as a normal Windows NT workstation would.



Tcpdump of two instances of those errors in the ras machine:

----
[2001/04/19 10:53:25, 0]
rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
  ERROR: out of Policy Handles!
[2001/04/19 11:08:26, 0]
rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
  ERROR: out of Policy Handles!



10:53:25.903487 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 5:100(95) ack 8 win 8532>>> 
NBT (DF)
10:53:25.903694 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 8:115(107) ack 100 win 7300>>> NBT 
(DF)
10:53:25.904541 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 100:252(152) ack 115 win 
8425>>> NBT
(DF)
10:53:25.904696 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 115:243(128) ack 252 win 7300>>> NBT 
(DF)
10:53:25.905482 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 252:392(140) ack 243 win 
8297>>> NBT
(DF)
10:53:25.905628 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 243:455(212) ack 392 win 7300>>> NBT 
(DF)
10:53:25.906333 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 392:438(46) ack 455 win 
8085>>> NBT
(DF)
10:53:25.906422 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 455:494(39) ack 438 win 7300>>> NBT 
(DF)
10:53:25.908146 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:25.908333 eth0 > jerry.ftdomain.se.netbios-ns >
ras.ftdomain.se.netbios-ns:NBT UDP PACKET(137): QUERY; 
POSITIVE;
RESPONSE; UNICAST
10:53:25.908890 eth0 < ras.ftdomain.se.netbios-dgm >
jerry.ftdomain.se.netbios-dgm: NBT UDP (138)
10:53:25.909570 eth0 > jerry.ftdomain.se.netbios-dgm >
ras.ftdomain.se.netbios-dgm: NBT UDP (138)
10:53:25.911908 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 438:533(95) ack 494 win 
8046>>> NBT
(DF)
10:53:25.911979 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 494:533(39) ack 533 win 7300>>> NBT 
(DF)
10:53:25.912854 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 533:649(116) ack 533 win 
8007>>> NBT
(DF)
10:53:25.912992 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 533:641(108) ack 649 win 7300>>> NBT 
(DF)
10:53:25.913834 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 649:893(244) ack 641 win 
7899>>> NBT
(DF)
10:53:25.914034 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 641:749(108) ack 893 win 7300>>> NBT 
(DF)
10:53:25.914721 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 893:1017(124) ack 749 win 
7791>>> NBT
(DF)
10:53:25.914823 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 749:857(108) ack 1017 win 7300>>> 
NBT (DF)
10:53:26.105556 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: . 1017:1017(0) ack 857 win 
7683 (DF)
10:53:39.006458 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:39.757484 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:40.508715 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:41.262771 eth0 < ras.ftdomain.se.1356 > 
jerry.ftdomain.se.domain:
24167+ A? JSPNRMPTGSBSSDIR.ftdomain.se. (46)
10:53:41.262991 eth0 > jerry.ftdomain.se.domain > 
ras.ftdomain.se.1356:
24167 NXDomain* 0/1/0 (87)

[CUT]


11:08:26.066099 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1450:1545(95) ack 1351 win 
8713>>> NBT
(DF)
11:08:26.066280 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1351:1458(107) ack 1545 win 7300>>> 
NBT (DF)
11:08:26.067113 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1545:1697(152) ack 1458 win 
8606>>> NBT
(DF)
11:08:26.067260 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1458:1586(128) ack 1697 win 7300>>> 
NBT (DF)
11:08:26.067991 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1697:1837(140) ack 1586 win 
8478>>> NBT
(DF)
11:08:26.068132 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1586:1798(212) ack 1837 win 7300>>> 
NBT (DF)
11:08:26.068830 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1837:1883(46) ack 1798 win 
8266>>> NBT
(DF)
11:08:26.068917 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1798:1837(39) ack 1883 win 7300>>> 
NBT (DF)
11:08:26.070644 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
11:08:26.070805 eth0 > jerry.ftdomain.se.netbios-ns >
ras.ftdomain.se.netbios-ns:NBT UDP PACKET(137): QUERY; 
POSITIVE;
RESPONSE; UNICAST
11:08:26.071356 eth0 < ras.ftdomain.se.netbios-dgm >
jerry.ftdomain.se.netbios-dgm: NBT UDP (138)
11:08:26.071561 eth0 > jerry.ftdomain.se.netbios-dgm >
ras.ftdomain.se.netbios-dgm: NBT UDP (138)
11:08:26.076388 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1883:1978(95) ack 1837 win 
8227>>> NBT
(DF)
11:08:26.076459 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1837:1876(39) ack 1978 win 7300>>> 
NBT (DF)
11:08:26.077339 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1978:2094(116) ack 1876 win 
8188>>> NBT
(DF)
11:08:26.077468 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1876:1984(108) ack 2094 win 7300>>> 
NBT (DF)
11:08:26.078333 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 2094:2338(244) ack 1984 win 
8080>>> NBT
(DF)
11:08:26.078531 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1984:2092(108) ack 2338 win 7300>>> 
NBT (DF)
11:08:26.079217 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 2338:2462(124) ack 2092 win 
7972>>> NBT
(DF)
11:08:26.079319 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 2092:2200(108) ack 2462 win 7300>>> 
NBT (DF)



---------

On Sat, 21 Apr 2001, Pedro Rodrigues wrote:
> 
> 
>   Hello! I read some discussion about "ERROR: out of Policy 
> Handles!" errors in the Samba mailing list, but no practical 
> conclusions, or so it seems. I have a network where i get 
> those errors each 15 minutes from two Windows NT 4.0 
> servers. One is a Terminal Server running Citrix Metaframe 
> 1.8. The other is a Nt Server 4.0 that only does RAS. What 
> can we do about these errors? Are effects can i expect when 
> they happen? Details follow, including a tcpdump of a couple 
> instances of the error. I hope it is useful to someone. 
There is a MAX_POLICY_HANDLES defines in srv_lsarpc.c IIRC.
Change this define to a higher value.  2048 is what NT uses I think.
I think we have a leak in 2.0.7.  Have you tried 2.2.0?  (or maybe wait
for 2.2.1)





Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter@valinux.com
       http://www.samba.org/       SAMBA Team          jerry@samba.org
       http://www.plainjoe.org/                     jerry@plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

Hello! Indeed i never observed the problem with earlier 
Samba versions. I am studying Samba 2.2.0 and will test it 
this week when i have time. But i believe i will wait for 
2.2.1 in the end. My question is if these errors can affect 
people on the Terminal Server 4.0 machine in a visible way.


Regards,

Pedro
> On Sat, 21 Apr 2001, Pedro Rodrigues wrote:
> 
> > 
> > 
> >   Hello! I read some discussion about "ERROR: out of 
Policy 
> > Handles!" errors in the Samba mailing list, but no 
practical 
> > conclusions, or so it seems. I have a network where i 
get 
> > those errors each 15 minutes from two Windows NT 4.0 
> > servers. One is a Terminal Server running Citrix 
Metaframe 
> > 1.8. The other is a Nt Server 4.0 that only does RAS. 
What 
> > can we do about these errors? Are effects can i expect 
when 
> > they happen? Details follow, including a tcpdump of a 
couple 
> > instances of the error. I hope it is useful to someone. 
> 
> There is a MAX_POLICY_HANDLES defines in srv_lsarpc.c 
IIRC.
> Change this define to a higher value.  2048 is what NT 
uses I think.
> I think we have a leak in 2.0.7.  Have you tried 2.2.0?  
(or maybe wait
> for 2.2.1)
> 
> 
> 
> 
> 
> Cheers, jerry
> 
------------------------------------------------------------
----------
>    /\  Gerald (Jerry) Carter                     
Professional Services
>  \/    http://www.valinux.com/  VA Linux Systems   
gcarter@valinux.com
>        http://www.samba.org/       SAMBA Team          
jerry@samba.org
>        http://www.plainjoe.org/                     
jerry@plainjoe.org
> 
>        "...a hundred billion castaways looking for a 
home."
>                                 - Sting "Message in a 
Bottle" ( 1979 )
> 
>

On Sun, 22 Apr 2001 07:06:03 Pedro Rodrigues wrote:
> 
>    Hello! Indeed i never observed the problem with earlier 
> Samba versions. I am studying Samba 2.2.0 and will test it 
> this week when i have time. But i believe i will wait for 
> 2.2.1 in the end. My question is if these errors can affect 
> people on the Terminal Server 4.0 machine in a visible way.
Yes. Although I cannot think of a good example right now.
Are you running each TSE connection on a separate smbd?






Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter@valinux.com
       http://www.samba.org/       SAMBA Team          jerry@samba.org
       http://www.plainjoe.org/                     jerry@plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

Yes, i did apply the registry change to make each TSE 
connection go in a different smbd. And it worked. I am 
checking with users now to see if they noticed something. 
These guys with unix workstations (with Citrix clients) 
tend to look at that window with MS Office on it, and if 
something happens they think its normal. :)


Pedro

> 
> On Sun, 22 Apr 2001 07:06:03 Pedro Rodrigues wrote:
> > 
> >    Hello! Indeed i never observed the problem with 
earlier 
> > Samba versions. I am studying Samba 2.2.0 and will test 
it 
> > this week when i have time. But i believe i will wait 
for 
> > 2.2.1 in the end. My question is if these errors can 
affect 
> > people on the Terminal Server 4.0 machine in a visible 
way.
> 
> Yes. Although I cannot think of a good example right now.
> Are you running each TSE connection on a separate smbd?
> 
> 
> 
> 
> 
> 
> Cheers, jerry
> ----------------------------------------------------------
------------
>    /\  Gerald (Jerry) Carter                     
Professional Services
>  \/    http://www.valinux.com/  VA Linux Systems   
gcarter@valinux.com
>        http://www.samba.org/       SAMBA Team          
jerry@samba.org
>        http://www.plainjoe.org/                     
jerry@plainjoe.org
> 
>        "...a hundred billion castaways looking for a 
home."
>                                 - Sting "Message in a 
Bottle" ( 1979 )
> 
>