ERROR: Out of policy handles

Gerald Carter gcarter at
Thu Jan 4 12:06:29 GMT 2001

[bcc'd to samba at, but thread moved to Samba-technical
if more discussion follows...]

"MCCALL,DON (HP-USA,ex1)" wrote:
> Hi Jerry,
> We're seeing several customers with this problem as well.  
> One of them we can explain pretty well I think, and this 
> might be something you want to consider in general - 
> They started seeing these errors when they moved from
> individual client connections to the samba server to 
> using Terminal server clients instead.  So in effect, a 
> single smbd is having to handle LOTS of users over a single 
> vc, and it makes it more likely that the smbd is going
> to run out of policy handles LEGITIMATELY...  We might
> want to add some documentation to the tree to warn about 
> this, and possible consequences; On NT 4.0 terminal server 
> there is a registry hack to force it to open a separate vc 
> for each client connection to a server, but not everyone 
> is willing to do this, and with Win2000 terminal 
> services, this registry hack does not work, and there
> is currently no way to force Win2000 terminal services 
> to use individual vc's per client.

Very good point.  The likely solution then for these 
environments is to change the value of 

	#define MAX_OPEN_POLS 64

in rpc_server/srv_lsa_hnd.c and recompile.  Of course,
finding the right value would be via trial and error.
I don't see any limitations or detriment in the 
code to larger values.

> Another customer experiencing this problem swears 
> they have NO terminal server clients, so we are 
> investigating this to see if we can tie a particular dos 
> app, or some service that might be opening handles and not
> closing them appropriately. Do you have a good understanding 
> of what kind of activity on a pc results in a policy 
> handle being opened? 

Don, these policy handles will only be used for LSA 
calls (using MS-RPC) to my knowledge, so I would 
not expect a DOS app to cause this.  The reports I have
seen could be tracked to some type of an NT server app
that would do something periodically and never close 
the handle.

Of course, the issue with Win2k TSE is another 
instance.  In this case, I would agree that it seems to be
legitimate resource exhaustion.  The best thing then 
would probably be to just up the MAX_OPEN_POLS as mentioned 

Cheers, jerry
   /\  Gerald (Jerry) Carter                     Professional Services
 \/  VA Linux Systems   gcarter at       SAMBA Team          jerry at                     jerry at

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
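
Added example, not part of the original message and not Samba's code: a fixed-size handle table showing why a larger limit cures bounded demand (many sessions sharing one connection) but only delays failure for a client that never closes its handles. Only `MAX_OPEN_POLS` and its value 64 come from the thread; `TABLE_BACKING`, `pol_table`, `pol_open`, `pol_close` and `refused_opens` are hypothetical names.

```c
/* Added illustration, NOT Samba's rpc_server/srv_lsa_hnd.c. Only the name
 * MAX_OPEN_POLS and its value 64 come from the post; the rest is hypothetical. */
#include <stdio.h>
#include <string.h>
#define MAX_OPEN_POLS 64      /* value quoted in the post */
#define TABLE_BACKING 4096    /* assumed upper bound for this experiment */
struct pol_table { unsigned char in_use[TABLE_BACKING]; int limit; };

/* Returns a slot index, or -1 when every slot under the limit is taken. */
static int pol_open(struct pol_table *t)
{
    for (int i = 0; i < t->limit; i++)
        if (!t->in_use[i]) { t->in_use[i] = 1; return i; }
    return -1;
}

/* Returns 0 on success, -1 for an out-of-range or already-closed handle. */
static int pol_close(struct pol_table *t, int h)
{
    if (h < 0 || h >= t->limit || !t->in_use[h]) return -1;
    t->in_use[h] = 0;
    return 0;
}

/* Issue `opens` open requests against one table. If closes_after_use is 0 the
 * handles stay open (a leaking app, or many sessions sharing one connection).
 * Returns how many requests were refused, or -1 for an unsupported limit. */
static int refused_opens(int limit, int opens, int closes_after_use)
{
    struct pol_table t;
    int refused = 0;
    if (limit < 0 || limit > TABLE_BACKING) return -1;
    memset(&t, 0, sizeof t);
    t.limit = limit;
    for (int i = 0; i < opens; i++) {
        int h = pol_open(&t);
        if (h < 0) refused++;
        else if (closes_after_use) pol_close(&t, h);
    }
    return refused;
}

int main(void)
{
    printf("limit 64,  100 held:    %d refused\n", refused_opens(MAX_OPEN_POLS, 100, 0));
    printf("limit 256, 100 held:    %d refused\n", refused_opens(256, 100, 0));
    printf("limit 256, 1000 leaked: %d refused\n", refused_opens(256, 1000, 0));
    return 0;
}
```

From the table's side, held and leaked handles look the same, so a refused-open count that keeps growing after the limit is raised points at a client that is not closing handles rather than at load.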
