[Samba] xp client spoolers cause packet storm

Lou Goddard goddarlh at HBCS.Org
Tue Jan 9 22:10:08 GMT 2007


I have recently come into contact with several Windows XP SP2 machines 
that are generating between 10,000 and 20,000 pps each.  They are 
sending multiple requests for RpcSeekPrinter (dcerpc opnum 53).  Also 
worth noting is the structure of the packet: it is padded with zeros and 
consumes much bandwidth during the flood.  Since the clients are 
spending most of their time flooding the Samba spooler, they report 
extremely slow file sharing and laggy application performance.

This seems to be related to the Microsoft KB 329234 or possibly 811896.

I have read similar posts about this topic.  They usually have to do 
with slow printing.  In our environment, we were alerted due to the 
abnormally high network congestion and client CPU utilization caused by 
this.  The hotfix provided by Microsoft in 329234 is not appropriate for 
our version of Windows.  Our spooler DLLs are much newer than the patch.

Additionally, we tend to see the syslog message below when the client 
spoolers are misbehaving.  I interpreted the message as resource 
exhaustion caused by the flooding clients.  Is this correct?

Jan  8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0]
Jan  8 08:19:44 smbd[3182]:   attempt_netbios_session_request: XP41413 rejected the session for name *SMBSERVER with error SUCCESS - 0
Jan  8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0]
Jan  8 08:19:44 smbd[3182]:   spoolss_connect_to_client: machine XP41413 rejected the NetBIOS session request.

Also, I found a registry edit on this list that might solve the 
problem.  Could someone elaborate on this?
I tried the registry edit on one host that was flooding the Samba print 
server. Her machine stopped asking for opnum 53 and began flooding 
(much more slowly, though) for opnum 08.

 1. Edit the registry observing usual caution.
 2. Locate the key HKEY_CURRENT_USER\Printers\DevModePerUser
 3. Remove all VALUES for Network printers of the form:
    \<print_server_name ><printer_queue_name>
 4. Locate the key HKEY_CURRENT_USER\Printers\DevModes2
 5. Remove all VALUES for Network printers of the form:

Upon request, I can provide network traces for these events.

Lou Goddard
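
Added example, not part of the original post: a Python script that tallies, per client, the spoolss_connect_to_client rejections of the kind shown in the syslog excerpt above, re-joining messages that were wrapped across lines. The log text is a constructed sample modeled on that excerpt; the host name XP-EXAMPLE-2 and the threshold are assumptions.

```python
import re
from collections import Counter

# Syslog prefix as it appears in the excerpt: "Jan  8 08:19:44 smbd[3182]: ..."
PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d smbd\[\d+\]:\s*(.*)$")
REJECT = re.compile(
    r"spoolss_connect_to_client: machine (\S+) rejected the NetBIOS session request")

# Constructed sample; XP-EXAMPLE-2 is a made-up host name.
SAMPLE = """\
Jan  8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0]
Jan  8 08:19:44 smbd[3182]:   attempt_netbios_session_request: XP41413
rejected the session for name *SMBSERVER with error SUCCESS - 0
Jan  8 08:19:44 smbd[3182]: [2007/01/08 08:19:44, 0]
Jan  8 08:19:44 smbd[3182]:   spoolss_connect_to_client: machine XP41413
rejected the NetBIOS session request.
Jan  8 08:19:45 smbd[3190]: [2007/01/08 08:19:45, 0]
Jan  8 08:19:45 smbd[3190]:   spoolss_connect_to_client: machine XP-EXAMPLE-2 rejected the NetBIOS session request.
Jan  8 08:19:46 smbd[3182]: [2007/01/08 08:19:46, 0]
Jan  8 08:19:46 smbd[3182]:   spoolss_connect_to_client: machine XP41413
rejected the NetBIOS session request.
"""

def unwrap(text):
    """Strip the syslog prefix and re-join lines that were wrapped in transit."""
    messages = []
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if m:
            messages.append(m.group(1).strip())
        elif raw.strip() and messages:
            # No syslog prefix: treat as a continuation of the previous message.
            messages[-1] += " " + raw.strip()
    return messages

def count_rejections(text):
    """Count spoolss_connect_to_client rejections per client machine name."""
    counts = Counter()
    for msg in unwrap(text):
        m = REJECT.search(msg)
        if m:
            counts[m.group(1)] += 1
    return counts

def noisy_clients(text, threshold=2):
    """Machine names with at least `threshold` rejections (threshold is an assumption)."""
    return sorted(n for n, c in count_rejections(text).items() if c >= threshold)

if __name__ == "__main__":
    for name, n in count_rejections(SAMPLE).most_common():
        print(f"{name}\t{n}")
```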
