ERROR: out of Policy Handles! in Samba 2.0.7

Pedro Rodrigues pmanuel at myrealbox.com
Sat Apr 21 13:50:41 GMT 2001


  Hello! I read some discussion about "ERROR: out of Policy 
Handles!" errors in the Samba mailing list, but no practical 
conclusions, or so it seems. I have a network where I get 
those errors every 15 minutes from two Windows NT 4.0 
servers. One is a Terminal Server running Citrix Metaframe 
1.8. The other is an NT Server 4.0 that only does RAS. What 
can we do about these errors? What effects can I expect when 
they happen? Details follow, including a tcpdump of a couple 
of instances of the error. I hope it is useful to someone. 


Best regards,
Pedro



Server: Jerry (RH 7.0 with samba-2.0.7-21ssl).
It is working as a PDC for NT workstations and also the 
Windows NT Terminal Server machine.

Testparm dump from this server:

-------------
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Processing section "[import]"
Loaded services file OK.
Press enter to see a dump of your service definitions

# Global parameters
[global]
        coding system = 
        client code page = 850
        workgroup = TORSLANDA
        netbios name = 
        netbios aliases = 
        netbios scope = 
        server string = Samba Server for Torslanda
        interfaces = 
        bind interfaces only = No
        security = USER
        encrypt passwords = Yes
        update encrypted = No
        allow trusted domains = Yes
        hosts equiv = 
        min password length = 5
        map to guest = Never
        null passwords = No
        password server = 
        smb passwd file = /etc/samba/smbpasswd
        root directory = /
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        passwd chat debug = No
        username map = 
        password level = 0
        username level = 0
        unix password sync = Yes
        restrict anonymous = No
        use rhosts = No
        ssl = No
        ssl hosts = 
        ssl hosts resign = 
        ssl CA certDir = 
        ssl CA certFile = 
        ssl server cert = 
        ssl server key = 
        ssl client cert = 
        ssl client key = 
        ssl require clientcert = No
        ssl require servercert = No
        ssl ciphers = 
        ssl version = ssl2or3
        ssl compatibility = No
        debug level = 2
        syslog = 1
        syslog only = No
        log file = /var/log/samba/%m.log
        max log size = 0
        debug timestamp = Yes
        debug hires timestamp = No
        debug pid = No
        debug uid = No
        protocol = NT1
        read bmpx = No
        read raw = Yes
        write raw = Yes
        nt smb support = Yes
        nt pipe support = Yes
        nt acl support = Yes
        announce version = 4.2
        announce as = NT
        max mux = 50
        max xmit = 65535
        name resolve order = lmhosts host wins bcast
        max ttl = 259200
        max wins ttl = 518400
        min wins ttl = 21600
        time server = No
        change notify timeout = 60
        deadtime = 0
        getwd cache = Yes
        keepalive = 300
        lpq cache time = 10
        max disk size = 0
        max open files = 10000
        read prediction = No
        read size = 16384
        shared mem size = 1048576
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        stat cache size = 50
        load printers = Yes
        printcap name = /etc/printcap
        printer driver file = /etc/samba/printers.def
        strip dot = No
        character set = 
        mangled stack = 50
        stat cache = Yes
        domain groups = 
        domain admin group = 
        domain guest group = 
        domain admin users = 
        domain guest users = 
        machine password timeout = 604800
        add user script = 
        delete user script = 
        logon script = netlogon.bat
        logon path = \\%L\%U\profile
        logon drive = u:
        logon home = \\%N\%U
        domain logons = Yes
        os level = 20
        lm announce = Auto
        lm interval = 60
        preferred master = Yes
        local master = Yes
        domain master = Yes
        browse list = Yes
        dns proxy = No
        wins proxy = No
        wins server = 
        wins support = No
        wins hook = 
        kernel oplocks = Yes
        ole locking compatibility = Yes
        oplock break wait time = 10
        smbrun = /usr/bin/smbrun
        config file = 
        auto services = 
        lock directory = /var/lock/samba
        default service = 
        message command = 
        dfree command = 
        valid chars = 
        remote announce = 
        remote browse sync = 
        socket address = 0.0.0.0
        homedir map = auto.home
        time offset = 0
        unix realname = No
        NIS homedir = No
        source environment = 
        panic action = 
        comment = 
        path = 
        revalidate = No
        username = 
        guest account = nobody
        invalid users = 
        valid users = 
        admin users = 
        read list = 
        write list = 
        force user = 
        force group = 
        writeable = No
        create mask = 0744
        force create mode = 00
        security mask = -1
        force security mode = -1
        directory mask = 0755
        force directory mode = 00
        directory security mask = -1
        force directory security mode = -1
        inherit permissions = No
        guest only = No
        guest ok = No
        only user = No
        hosts allow = 192.168.1. 1.0.0. 127.
        hosts deny = 
        status = Yes
        max connections = 0
        min print space = 0
        strict sync = No
        sync always = No
        write cache size = 0
        printable = No
        postscript = No
        printing = lprng
        print command = lpr -r -P%p %s
        lpq command = lpq -P%p
        lprm command = lprm -P%p %j
        lppause command = 
        lpresume command = 
        queuepause command = 
        queueresume command = 
        printer = 
        printer driver = NULL
        printer driver location = 
        default case = lower
        case sensitive = No
        preserve case = Yes
        short preserve case = Yes
        mangle case = No
        mangling char = ~
        hide dot files = Yes
        delete veto files = No
        veto files = 
        hide files = 
        veto oplock files = 
        map system = No
        map hidden = No
        map archive = Yes
        mangled names = Yes
        mangled map = 
        browseable = Yes
        blocking locks = Yes
        fake oplocks = No
        locking = Yes
        oplocks = Yes
        level2 oplocks = No
        oplock contention limit = 2
        strict locking = No
        share modes = Yes
        copy = 
        include = 
        preexec = 
        preexec close = No
        postexec = 
        root preexec = 
        root preexec close = No
        root postexec = 
        available = Yes
        volume = 
        fstype = NTFS
        set directory = No
        wide links = Yes
        follow symlinks = Yes
        dont descend = 
        magic script = 
        magic output = 
        delete readonly = No
        dos filetimes = No
        dos filetime resolution = No
        fake directory create times = No

[homes]
        comment = Home Directories
        writeable = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = Yes
        share modes = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No


[import]
        comment = Import directory
        path = /home/import
        writeable = Yes
        create mask = 0765
        directory mask = 0771
-----


Client #1: Ras (Windows NT 4.0 Server with Service Pack 6a)
The only thing it does is validate users from the local SAM. 
It doesn't map anything from the server, or validate any 
user on it. It is standalone.


Client #2: Terminal Server 4.0 with Citrix Metaframe 1.8. 
Latest service packs on both OS and Citrix. It validates 
users on the PDC as a normal Windows NT workstation would.



Tcpdump of two instances of those errors in the ras machine:

----
[2001/04/19 10:53:25, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
  ERROR: out of Policy Handles!
[2001/04/19 11:08:26, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
  ERROR: out of Policy Handles!



10:53:25.903487 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 5:100(95) ack 8 win 8532>>> 
NBT (DF)
10:53:25.903694 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 8:115(107) ack 100 win 7300>>> NBT 
(DF)
10:53:25.904541 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 100:252(152) ack 115 win 
8425>>> NBT
(DF)
10:53:25.904696 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 115:243(128) ack 252 win 7300>>> NBT 
(DF)
10:53:25.905482 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 252:392(140) ack 243 win 
8297>>> NBT
(DF)
10:53:25.905628 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 243:455(212) ack 392 win 7300>>> NBT 
(DF)
10:53:25.906333 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 392:438(46) ack 455 win 
8085>>> NBT
(DF)
10:53:25.906422 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 455:494(39) ack 438 win 7300>>> NBT 
(DF)
10:53:25.908146 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:25.908333 eth0 > jerry.ftdomain.se.netbios-ns >
ras.ftdomain.se.netbios-ns:NBT UDP PACKET(137): QUERY; 
POSITIVE;
RESPONSE; UNICAST
10:53:25.908890 eth0 < ras.ftdomain.se.netbios-dgm >
jerry.ftdomain.se.netbios-dgm: NBT UDP (138)
10:53:25.909570 eth0 > jerry.ftdomain.se.netbios-dgm >
ras.ftdomain.se.netbios-dgm: NBT UDP (138)
10:53:25.911908 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 438:533(95) ack 494 win 
8046>>> NBT
(DF)
10:53:25.911979 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 494:533(39) ack 533 win 7300>>> NBT 
(DF)
10:53:25.912854 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 533:649(116) ack 533 win 
8007>>> NBT
(DF)
10:53:25.912992 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 533:641(108) ack 649 win 7300>>> NBT 
(DF)
10:53:25.913834 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 649:893(244) ack 641 win 
7899>>> NBT
(DF)
10:53:25.914034 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 641:749(108) ack 893 win 7300>>> NBT 
(DF)
10:53:25.914721 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 893:1017(124) ack 749 win 
7791>>> NBT
(DF)
10:53:25.914823 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 749:857(108) ack 1017 win 7300>>> 
NBT (DF)
10:53:26.105556 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: . 1017:1017(0) ack 857 win 
7683 (DF)
10:53:39.006458 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:39.757484 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:40.508715 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
10:53:41.262771 eth0 < ras.ftdomain.se.1356 > 
jerry.ftdomain.se.domain:
24167+ A? JSPNRMPTGSBSSDIR.ftdomain.se. (46)
10:53:41.262991 eth0 > jerry.ftdomain.se.domain > 
ras.ftdomain.se.1356:
24167 NXDomain* 0/1/0 (87)

[CUT]


11:08:26.066099 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1450:1545(95) ack 1351 win 
8713>>> NBT
(DF)
11:08:26.066280 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1351:1458(107) ack 1545 win 7300>>> 
NBT (DF)
11:08:26.067113 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1545:1697(152) ack 1458 win 
8606>>> NBT
(DF)
11:08:26.067260 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1458:1586(128) ack 1697 win 7300>>> 
NBT (DF)
11:08:26.067991 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1697:1837(140) ack 1586 win 
8478>>> NBT
(DF)
11:08:26.068132 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1586:1798(212) ack 1837 win 7300>>> 
NBT (DF)
11:08:26.068830 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1837:1883(46) ack 1798 win 
8266>>> NBT
(DF)
11:08:26.068917 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1798:1837(39) ack 1883 win 7300>>> 
NBT (DF)
11:08:26.070644 eth0 B ras.ftdomain.se.netbios-ns >
1.0.0.255.netbios-ns:NBT UDP PACKET(137): QUERY; REQUEST; 
BROADCAST
11:08:26.070805 eth0 > jerry.ftdomain.se.netbios-ns >
ras.ftdomain.se.netbios-ns:NBT UDP PACKET(137): QUERY; 
POSITIVE;
RESPONSE; UNICAST
11:08:26.071356 eth0 < ras.ftdomain.se.netbios-dgm >
jerry.ftdomain.se.netbios-dgm: NBT UDP (138)
11:08:26.071561 eth0 > jerry.ftdomain.se.netbios-dgm >
ras.ftdomain.se.netbios-dgm: NBT UDP (138)
11:08:26.076388 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1883:1978(95) ack 1837 win 
8227>>> NBT
(DF)
11:08:26.076459 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1837:1876(39) ack 1978 win 7300>>> 
NBT (DF)
11:08:26.077339 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 1978:2094(116) ack 1876 win 
8188>>> NBT
(DF)
11:08:26.077468 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1876:1984(108) ack 2094 win 7300>>> 
NBT (DF)
11:08:26.078333 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 2094:2338(244) ack 1984 win 
8080>>> NBT
(DF)
11:08:26.078531 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 1984:2092(108) ack 2338 win 7300>>> 
NBT (DF)
11:08:26.079217 eth0 < ras.ftdomain.se.4903 >
jerry.ftdomain.se.netbios-ssn: P 2338:2462(124) ack 2092 win 
7972>>> NBT
(DF)
11:08:26.079319 eth0 > jerry.ftdomain.se.netbios-ssn >
ras.ftdomain.se.4903: P 2092:2200(108) ack 2462 win 7300>>> 
NBT (DF)



---------
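
Added example, not part of the original post and not Samba code: a small parser for the two-line smbd debug entries quoted above that measures how often the "out of Policy Handles" error recurs. It assumes the on-disk log keeps each header on a single line (the mail wrapped it); the function names and the filler entry are constructed for illustration.

```python
import re
from datetime import datetime

# smbd debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s*"
    r"(\S+):(\w+)\((\d+)\)\s*$"
)

# The two entries from the post with the header on one line, plus one
# constructed, unrelated entry to show that other messages are skipped.
SAMPLE_LOG = """\
[2001/04/19 10:53:25, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
  ERROR: out of Policy Handles!
[2001/04/19 10:58:02, 2] smbd/example.c:example_function(1)
  constructed filler entry
[2001/04/19 11:08:26, 0] rpc_server/srv_lsa_hnd.c:open_lsa_policy_hnd(107)
  ERROR: out of Policy Handles!
"""


def parse_entries(text):
    """Yield (timestamp, level, function, message) for each log entry."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current[:3]) + (" ".join(current[3]),)
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = [ts, int(m.group(2)), m.group(4), []]
        elif current and line.strip():
            # Indented continuation lines carry the message body.
            current[3].append(line.strip())
    if current:
        yield tuple(current[:3]) + (" ".join(current[3]),)


def error_intervals(text, needle="out of Policy Handles"):
    """Return seconds between consecutive entries containing `needle`."""
    hits = [ts for ts, _lvl, _fn, msg in parse_entries(text) if needle in msg]
    return [int((b - a).total_seconds()) for a, b in zip(hits, hits[1:])]


if __name__ == "__main__":
    print(error_intervals(SAMPLE_LOG))
```

Run against a per-client log such as the `/var/log/samba/%m.log` files configured above, a steady interval points at a periodic client task rather than user activity.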





