ERROR: Out of policy handles

MCCALL,DON (HP-USA,ex1) don_mccall at
Thu Jan 4 14:22:05 GMT 2001

Hi Jerry,
Thanks for the info.  HP's version of Samba is based on the 2.0.6 version of
the code, so we DON'T use it as PDC.  The majority of our customers seem to
use it in domain security mode, passing authentication to the NT PDC.  On
HP-UX 11.0, we ship Samba (we call it CIFS/9000 SERVER) with the OS & Apps
CDs, so all our 11.0 customers have free access to it.  (We also ship a
CIFS/9000 CLIENT free, which gives you similar capabilities to
smbmount/smbumount).  But because of supportability issues we ask our
customers NOT to make changes and recompile.  I'm going to discuss with the
lab that we increase this limit to 256 in the base code tree, and start
shipping it out that way.  I need to look at what kind of additional memory
per smbd that requires, but I agree that with the number of people running
into this, and the W2K Terminal Services growing in popularity, this limit
is too low.
Perhaps you might do the same thing in the 2.2 source tree?

-----Original Message-----
From: Gerald Carter [mailto:gcarter at]
Sent: Thursday, January 04, 2001 7:06 AM
Cc: samba-technical at
Subject: Re: ERROR: Out of policy handles

[bcc'd to samba at, but thread moved to Samba-technical
if more discussion follows...]

"MCCALL,DON (HP-USA,ex1)" wrote:
> Hi Jerry,
> We're seeing several customers with this problem as well.  
> One of them we can explain pretty well I think, and this 
> might be something you want to consider in general - 
> They started seeing these errors when they moved from
> individual client connections to the samba server to 
> using Terminal server clients instead.  So in effect, a 
> single smbd is having to handle LOTS of users over a single 
> vc, and it makes it more likely that the smbd is going
> to run out of policy handles LEGITIMATELY...  We might
> want to add some documentation to the tree to warn about 
> this, and possible consequences; On NT 4.0 terminal server 
> there is a registry hack to force it to open a separate vc 
> for each client connection to a server, but not everyone 
> is willing to do this, and with Win2000 terminal 
> services, this registry hack does not work, and there
> is currently no way to force Win2000 terminal services 
> to use individual vc's per client.

Very good point.  The likely solution then for these 
environments is to change the value of 

	#define MAX_OPEN_POLS 64

in rpc_server/srv_lsa_hnd.c and recompile.  Of course,
finding the right value would be via trial and error.
I don't see any limitations or detriments in the 
code to larger values.

> Another customer experiencing this problem swears 
> they have NO terminal server clients, so we are 
> investigating this to see if we can tie a particular dos 
> app, or some service that might be opening handles and not
> closing them appropriately. Do you have a good understanding 
> of what kind of activity on a pc results in a policy 
> handle being opened? 

Don, these policy handles will only be used by LSA 
calls (using MS-RPC) to my knowledge, so I would 
not expect a DOS app to cause this.  The reports I have
seen could be tracked to some type of an NT server app
that would do something periodically and never close 
the handle.

Of course, the issue with Win2k TSE is another 
instance.  In this case, I would agree that it seems to be
legitimate resource exhaustion.  The best thing then 
would probably be to just up the MAX_OPEN_POLS as mentioned 

Cheers, jerry
   /\  Gerald (Jerry) Carter                     Professional Services
 \/  VA Linux Systems   gcarter at       SAMBA Team          jerry at                     jerry at

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
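
A minimal model of the limit discussed in this thread, added here as an example and not taken from Samba's source or from either poster: it contrasts many sessions sharing one server process with a single client that never closes its handles. Only `MAX_OPEN_POLS` and its value 64 come from the thread; the table layout and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of a fixed-size policy handle table; not Samba's code.
 * MAX_OPEN_POLS and 64 are quoted in the thread; the rest is hypothetical. */
#ifndef MAX_OPEN_POLS
#define MAX_OPEN_POLS 64
#endif
static int in_use[MAX_OPEN_POLS];

void pol_reset(void) { memset(in_use, 0, sizeof(in_use)); }

/* Returns a slot index, or -1 when the table is full (out of handles). */
int pol_open(void) {
    for (int i = 0; i < MAX_OPEN_POLS; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -1;
}

/* Frees a slot; returns -1 for an invalid or already-closed index. */
int pol_close(int idx) {
    if (idx < 0 || idx >= MAX_OPEN_POLS || !in_use[idx]) return -1;
    in_use[idx] = 0;
    return 0;
}

/* Many sessions multiplexed onto one server process, each holding one
 * handle at the same time. Returns how many sessions got a handle. */
int simulate_shared_vc(int users) {
    pol_reset();
    for (int u = 0; u < users; u++)
        if (pol_open() < 0) return u;
    return users;
}

/* One client opens a handle per tick. Returns the tick of the first
 * failed open, or -1 if no open failed within `ticks`. */
int simulate_periodic(int ticks, int closes_handle) {
    pol_reset();
    for (int t = 0; t < ticks; t++) {
        int h = pol_open();
        if (h < 0) return t;
        if (closes_handle) pol_close(h);
    }
    return -1;
}

int main(void) {
    printf("100 shared sessions served: %d\n", simulate_shared_vc(100));
    printf("leaking client fails at tick: %d\n", simulate_periodic(1000, 0));
    return 0;
}
```

Building with `-DMAX_OPEN_POLS=256` lets all 100 shared sessions through, while the client that never closes still exhausts the table, only later.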
