SAMR Pipes Cause Problems with Domain Controllers

You may experience one or more of the following:

• Performance problems on domain controllers in the form of lock ups, crashes, or console freezes.
• Clients may receive the following error messages:
  
  
  • Semaphore timeout period has expired
  • Network path cannot be found.
  • Insufficient system resources.

Novell's intraNetWare client for Windows NT Workstation v4.11a and previous versions can cause SAMR pipes to be left open on domain controllers throughout the enterprise. This can result in performance problems with these domain controllers if the number of SAMR pipes open approaches 2048. Nwgina.dll performs remote API operations including NetUserGetInfo to get security information from the SAM database located on a domain controller.

Because of performance design reasons, Windows NT does not directly close an active context associated with an open SAMR file handle used to perform a remote API operation. Once remote API calls have been performed, the client must perform local API calls (for example, NetUserModalsGet...) which indirectly close the handle.

Nwgina.dll has been modified so that the handle references are closed successfully. Please refer to Novell TID #2939557, "Clients can't connect to NT server," for more information.

After the limit of 2048 SAMR pipe references is approached, the LSASS process may fail, requiring the system to be restarted to reinitialize the LSASS service. However, the problem can be alleviated by monitoring the system. Perform the following command before LSASS has failed to stop the server service and close the file handles in question:

Net Stop Server
Net Start Server
Net Start Netlogon
Net Start Computer Browser

NOTE: This command will also stop the dependency services including Netlogon and the Computer Browser, which must be restarted again as well.

This problem occurs in the Novell intraNetWare Windows NT v4.11 v4.30 Clients. Novell has corrected this problem in the NetWare 5 NT Client v4.50 (Z.E.N.) for Windows NT.

Novell's intraNetWare client opens 4 SAMR pipes to the domain controller that it authenticates with. This is done because NWGINA is used to perform Microsoft Networking authentication operations. During the logon process, the client closes 3 of the 4 pipes. This leaves one pipe open and idle. Large domains with limited numbers of domain controllers can suffer performance problems when large numbers of these pipes are left open. Microsoft Windows NT has a limit of 2048 SAMR pipe references that can be open at one time in the LSASS process.

Protocol Analysis using a tool such as NETMON will reveal the following command performed to open the SAMR handle. Ordinarily, a subsequent SMB close operation will be performed to close the file handle. A lack of the close exhibits evidence of an application handle leak.

SMB C NT create & X, file = \samr

The following commands will allow the SAMR pipe references to be monitored on a domain controller. Server Manager can be used to list the references as well by selecting Computer, Properties, and then In Use. While logged on as an administrator, type the following to obtain a listing:

Net Files > Files.txt
Findstr samr Files.txt > Samr.txt

An editor such as Notepad can be used to list and enumerate Samr.txt. This will show SAMR handle references similar to the following:



For additional information, please see the following articles in the Microsoft Knowledge Base: