ERROR: Out of policy handles

Greg Dickie greg at
Thu Jan 4 12:26:12 GMT 2001

I can reproduce this error quite easily with ClearCase and it hgas caused some
amount of pain. Is it possible that NT actually times out a handle since I
would expect the same problem on NT server if the application was actually


On 04-Jan-01 Gerald Carter wrote:
> [bcc'd to samba at, but thread moved to Samba-technical
> if more discussion follows...]
> "MCCALL,DON (HP-USA,ex1)" wrote:
>> Hi Jerry,
>> We're seeing several customers with this problem as well.  
>> One of them we can explain pretty well I think, and this 
>> might be something you want to consider in general - 
>> They started seeing these errors when they moved from
>> individual client connections to the samba server to 
>> using Terminal server clients instead.  So in effect, a 
>> single smbd is having to handle LOTS of users over a single 
>> vc, and it makes it more likely that the smbd is going
>> to run out of policy handles LEGITIMATELY...  We might
>> want to add some documentation to the tree to warn about 
>> this, and possible consequences; On NT 4.0 terminal server 
>> there is a registry hack to force it to open a separate vc 
>> for each client connection to a server, but not everyone 
>> is willing to do this, and with Win2000 terminal 
>> services, this registry hack does not work, and there
>> is currently no way to force Win2000 terminal services 
>> to use individual vc's per client.
> Very good point.  The likely solution then for these 
> environments is to change the value of 
>       #define MAX_OPEN_POLS 64
> in rpc_server/srv_lsa_hnd.c and recompile.  Of course,
> Finding the right value would be via trial and error.
> I don't see any limitations or determinental in the 
> code to larger values.
>> Another customer experiencing this problem swears 
>> they have NO terminal server clients, so we are 
>> investigating this to see if we can tie a particular dos 
>> app, or some service that might be opening handles and not
>> closing them appropriately. Do you have a good understanding 
>> of what kind of activity on a pc results in a policy 
>> handle being opened? 
> Don, these policy handles will only be used LSA 
> calls (using MS-RPC) to my knowledge, so I would 
> not expect a DOS app to cause this.  The reports I have
> seen could be tracked to some type of a NT server app
> that would do something periodically and never close 
> the handle.
> Of course, the issue with Win2k TSE is another 
> instance.  In this case, I would agree that it seems to be
> legitimate resource exhaustion.  The best thing then 
> would probably be to just up the MAX_OPEN_POLS as mentioned 
> above.
> Cheers, jerry
> ----------------------------------------------------------------------
>    /\  Gerald (Jerry) Carter                     Professional Services
>  \/  VA Linux Systems   gcarter at
>       SAMBA Team          jerry at
>                     jerry at
>        "...a hundred billion castaways looking for a home."
>                                 - Sting "Message in a Bottle" ( 1979 )

Greg Dickie
just a guy
greg at

More information about the samba-technical mailing list