Hello! I read some discussion about "ERROR: out of Policy
Handles!" errors in the Samba mailing list, but no practical
conclusions, or so it seems. I have a network where I get
those errors every 15 minutes from two Windows NT 4.0
servers. One is a Terminal Server running Citrix Metaframe
1.8. The other is an NT Server 4.0 that only does RAS. What
can we do about these errors? What effects can I expect when
they happen? Details follow, including a tcpdump of a couple
of instances of the error. I hope it is useful to someone.

Best regards,
Pedro
Server: Jerry (RH 7.0 with samba-2.0.7-21ssl).
It is working as a PDC for NT workstations and also the
Windows NT Terminal Server machine.
Testparm dump from this server:
-------------
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[import]"
Loaded services file OK.
Press enter to see a dump of your service definitions
# Global parameters
[global]
coding system =
client code page = 850
workgroup = TORSLANDA
netbios name =
netbios aliases =
netbios scope =
server string = Samba Server for Torslanda
interfaces =
bind interfaces only = No
security = USER
encrypt passwords = Yes
update encrypted = No
allow trusted domains = Yes
hosts equiv =
min password length = 5
map to guest = Never
null passwords = No
password server =
smb passwd file = /etc/samba/smbpasswd
root directory = /
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat debug = No
username map =
password level = 0
username level = 0
unix password sync = Yes
restrict anonymous = No
use rhosts = No
ssl = No
ssl hosts =
ssl hosts resign =
ssl CA certDir =
ssl CA certFile =
ssl server cert =
ssl server key =
ssl client cert =
ssl client key =
ssl require clientcert = No
ssl require servercert = No
ssl ciphers =
ssl version = ssl2or3
ssl compatibility = No
debug level = 2
syslog = 1
syslog only = No
log file = /var/log/samba/%m.log
max log size = 0
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
protocol = NT1
read bmpx = No
read raw = Yes
write raw = Yes
nt smb support = Yes
nt pipe support = Yes
nt acl support = Yes
announce version = 4.2
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = lmhosts host wins bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
change notify timeout = 60
deadtime = 0
getwd cache = Yes
keepalive = 300
lpq cache time = 10
max disk size = 0
max open files = 10000
read prediction = No
read size = 16384
shared mem size = 1048576
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
stat cache size = 50
load printers = Yes
printcap name = /etc/printcap
printer driver file = /etc/samba/printers.def
strip dot = No
character set =
mangled stack = 50
stat cache = Yes
domain groups =
domain admin group =
domain guest group =
domain admin users =
domain guest users =
machine password timeout = 604800
add user script =
delete user script =
logon script = netlogon.bat
logon path = \\%L\%U\profile
logon drive = u:
logon home = \\%N\%U
domain logons = Yes
os level = 20
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
domain master = Yes
browse list = Yes
dns proxy = No
wins proxy = No
wins server =
wins support = No
wins hook =
kernel oplocks = Yes
ole locking compatibility = Yes
oplock break wait time = 10
smbrun = /usr/bin/smbrun
config file =
auto services =
lock directory = /var/lock/samba
default service =
message command =
dfree command =
valid chars =
remote announce =
remote browse sync =
socket address = 0.0.0.0
homedir map = auto.home
time offset = 0
unix realname = No
NIS homedir = No
source environment =
panic action =
comment =
path =
revalidate = No
username =
guest account = nobody
invalid users =
valid users =
admin users =
read list =
write list =
force user =
force group =
writeable = No
create mask = 0744
force create mode = 00
security mask = -1
force security mode = -1
directory mask = 0755
force directory mode = 00
directory security mask = -1
force directory security mode = -1
inherit permissions = No
guest only = No
guest ok = No
only user = No
hosts allow = 192.168.1. 1.0.0. 127.
hosts deny =
status = Yes
max connections = 0
min print space = 0
strict sync = No
sync always = No
write cache size = 0
printable = No
postscript = No
printing = lprng
print command = lpr -r -P%p %s
lpq command = lpq -P%p
lprm command = lprm -P%p %j
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer =
printer driver = NULL
printer driver location =
default case = lower
case sensitive = No
preserve case = Yes
short preserve case = Yes
mangle case = No
mangling char = ~
hide dot files = Yes
delete veto files = No
veto files =
hide files =
veto oplock files =
map system = No
map hidden = No
map archive = Yes
mangled names = Yes
mangled map =
browseable = Yes
blocking locks = Yes
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = No
oplock contention limit = 2
strict locking = No
share modes = Yes
copy =
include =
preexec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = Yes
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filetimes = No
dos filetime resolution = No
fake directory create times = No
[homes]
comment = Home Directories
writeable = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = Yes
share modes = No
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[import]
comment = Import directory
path = /home/import
writeable = Yes
create mask = 0765
directory mask = 0771
-----
Client #1: Ras (Windows NT 4.0 Server with Service Pack 6a)
The only thing it does is validate users from the local sam.
It doesn't map anything from the server, or validate any
user on it. It is standalone.
Client #2: Terminal Server 4.0 with Citrix Metaframe 1.8.
Latest service packs on both OS and Citrix. It validates
users on the PDC as a normal Windows NT workstation would.
Tcpdump of two instances of those errors in the ras machine:
----
[2001/04/19 10:53:25, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
ERROR: out of Policy Handles!
[2001/04/19 11:08:26, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
ERROR: out of Policy Handles!
10:53:25.903487 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 5:100(95) ack 8 win 8532>>> NBT (DF)
10:53:25.903694 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 8:115(107) ack 100 win 7300>>> NBT (DF)
10:53:25.904541 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 100:252(152) ack 115 win 8425>>> NBT (DF)
10:53:25.904696 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 115:243(128) ack 252 win 7300>>> NBT (DF)
10:53:25.905482 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 252:392(140) ack 243 win 8297>>> NBT (DF)
10:53:25.905628 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 243:455(212) ack 392 win 7300>>> NBT (DF)
10:53:25.906333 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 392:438(46) ack 455 win 8085>>> NBT (DF)
10:53:25.906422 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 455:494(39) ack 438 win 7300>>> NBT (DF)
10:53:25.908146 eth0 B ras.ftdomain.se.netbios-ns > 1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:53:25.908333 eth0 > jerry.ftdomain.se.netbios-ns > ras.ftdomain.se.netbios-ns:NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
10:53:25.908890 eth0 < ras.ftdomain.se.netbios-dgm > jerry.ftdomain.se.netbios-dgm: NBT UDP (138)
10:53:25.909570 eth0 > jerry.ftdomain.se.netbios-dgm > ras.ftdomain.se.netbios-dgm: NBT UDP (138)
10:53:25.911908 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 438:533(95) ack 494 win 8046>>> NBT (DF)
10:53:25.911979 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 494:533(39) ack 533 win 7300>>> NBT (DF)
10:53:25.912854 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 533:649(116) ack 533 win 8007>>> NBT (DF)
10:53:25.912992 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 533:641(108) ack 649 win 7300>>> NBT (DF)
10:53:25.913834 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 649:893(244) ack 641 win 7899>>> NBT (DF)
10:53:25.914034 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 641:749(108) ack 893 win 7300>>> NBT (DF)
10:53:25.914721 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 893:1017(124) ack 749 win 7791>>> NBT (DF)
10:53:25.914823 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 749:857(108) ack 1017 win 7300>>> NBT (DF)
10:53:26.105556 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: . 1017:1017(0) ack 857 win 7683 (DF)
10:53:39.006458 eth0 B ras.ftdomain.se.netbios-ns > 1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:53:39.757484 eth0 B ras.ftdomain.se.netbios-ns > 1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:53:40.508715 eth0 B ras.ftdomain.se.netbios-ns > 1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:53:41.262771 eth0 < ras.ftdomain.se.1356 > jerry.ftdomain.se.domain: 24167+ A? JSPNRMPTGSBSSDIR.ftdomain.se. (46)
10:53:41.262991 eth0 > jerry.ftdomain.se.domain > ras.ftdomain.se.1356: 24167 NXDomain* 0/1/0 (87)
[CUT]
11:08:26.066099 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 1450:1545(95) ack 1351 win 8713>>> NBT (DF)
11:08:26.066280 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 1351:1458(107) ack 1545 win 7300>>> NBT (DF)
11:08:26.067113 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 1545:1697(152) ack 1458 win 8606>>> NBT (DF)
11:08:26.067260 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 1458:1586(128) ack 1697 win 7300>>> NBT (DF)
11:08:26.067991 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 1697:1837(140) ack 1586 win 8478>>> NBT (DF)
11:08:26.068132 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 1586:1798(212) ack 1837 win 7300>>> NBT (DF)
11:08:26.068830 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 1837:1883(46) ack 1798 win 8266>>> NBT (DF)
11:08:26.068917 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 1798:1837(39) ack 1883 win 7300>>> NBT (DF)
11:08:26.070644 eth0 B ras.ftdomain.se.netbios-ns > 1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
11:08:26.070805 eth0 > jerry.ftdomain.se.netbios-ns > ras.ftdomain.se.netbios-ns:NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
11:08:26.071356 eth0 < ras.ftdomain.se.netbios-dgm > jerry.ftdomain.se.netbios-dgm: NBT UDP (138)
11:08:26.071561 eth0 > jerry.ftdomain.se.netbios-dgm > ras.ftdomain.se.netbios-dgm: NBT UDP (138)
11:08:26.076388 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 1883:1978(95) ack 1837 win 8227>>> NBT (DF)
11:08:26.076459 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 1837:1876(39) ack 1978 win 7300>>> NBT (DF)
11:08:26.077339 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 1978:2094(116) ack 1876 win 8188>>> NBT (DF)
11:08:26.077468 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 1876:1984(108) ack 2094 win 7300>>> NBT (DF)
11:08:26.078333 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 2094:2338(244) ack 1984 win 8080>>> NBT (DF)
11:08:26.078531 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 1984:2092(108) ack 2338 win 7300>>> NBT (DF)
11:08:26.079217 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 2338:2462(124) ack 2092 win 7972>>> NBT (DF)
11:08:26.079319 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 2092:2200(108) ack 2462 win 7300>>> NBT (DF)
---------
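
One way to check the interval between the errors and which client was talking to the SMB session service when each one was logged, as an added example that is not part of the original post. The sample lines are taken from the log and tcpdump above with the mail wrapping rejoined; the function names and the 2-second matching window are this example's own assumptions.

```python
import re
from datetime import datetime

# Entries copied from the post, with mail-wrapped lines rejoined.
SMBD_LOG = """\
[2001/04/19 10:53:25, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
ERROR: out of Policy Handles!
[2001/04/19 11:08:26, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
ERROR: out of Policy Handles!
"""
TCPDUMP = """\
10:53:25.903487 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 5:100(95) ack 8 win 8532>>> NBT (DF)
10:53:25.903694 eth0 > jerry.ftdomain.se.netbios-ssn > ras.ftdomain.se.4903: P 8:115(107) ack 100 win 7300>>> NBT (DF)
10:53:41.262771 eth0 < ras.ftdomain.se.1356 > jerry.ftdomain.se.domain: 24167+ A? JSPNRMPTGSBSSDIR.ftdomain.se. (46)
11:08:26.066099 eth0 < ras.ftdomain.se.4903 > jerry.ftdomain.se.netbios-ssn: P 1450:1545(95) ack 1351 win 8713>>> NBT (DF)
"""
HDR = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\]")
# Inbound ("<") packets addressed to the SMB session service on the server.
PKT = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ \S+ < (\S+)\.\d+ > \S+\.netbios-ssn:")

def handle_errors(log_text):
    """Timestamps of smbd log entries reporting exhausted LSA policy handles."""
    hits, current = [], None
    for line in log_text.splitlines():
        m = HDR.match(line)
        if m:  # header line carries the timestamp; the message may follow it
            current = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if current and "out of Policy Handles" in line:
            hits.append(current)
    return hits

def intervals(times):
    """Seconds between consecutive errors."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def clients_near(times, dump_text, window=2):
    """Hosts sending to netbios-ssn within `window` s of each error (time of day only)."""
    near = {t: set() for t in times}
    for line in dump_text.splitlines():
        m = PKT.match(line)
        if m:
            sec = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
            for t in times:
                if abs(sec - (t.hour * 3600 + t.minute * 60 + t.second)) <= window:
                    near[t].add(m.group(4))
    return near

if __name__ == "__main__":
    errs = handle_errors(SMBD_LOG)
    print(intervals(errs), clients_near(errs, TCPDUMP))
```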