Account provider warning: size limit exceeded (4)

v7
accounts-provider

(Isaac Muthui) #1

NethServer Version: 7.3.1611 (Final)
Module: Accounts Provider
I need to connect nethserver to a Windows active directory which has more than 1000 users. The connection is successful but I get the error “Account provider warning: size limit exceeded (4)” on the Account Provider page.
Is there a limit on the number of users one can have on nethserver?


(Davide Principi) #2

There was a limit, but it has been removed in the latest updates. Try to update your system from the Software center page.

How many users do you have?


(Isaac Muthui) #3

Around 2000 accounts. Could the issue be due to the MS 2008 AD server limiting LDAP queries to 1000?


(Davide Principi) #4

The LDAP client uses the standard LDAP “paged results” extension. It fetches the results up to 1000 entries per iteration, then it reiterates the query, starting from the last entry.

If your server requires less than 1000, try to set this prop to any lower value:

 config setprop sssd LdapPageSize 999

See also

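The paged-results loop described above, as an added illustration that is not part of the original thread or of NethServer's sssd code: a constructed stand-in directory holding 2000 accounts with a server-side page limit of 1000, and a client that reissues the query with the returned cookie until the cookie comes back empty. The stand-in rejects requests above its limit with LDAP result code 4 (sizeLimitExceeded, the "(4)" in the warning); real DCs may behave differently, so treat it as a model of the problem, not of Active Directory.

```python
# Constructed model of RFC 2696 "paged results": the server hands back a
# page plus an opaque cookie; the client repeats the query with that cookie
# to continue from the last entry returned.
SIZE_LIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded, the "(4)" in the warning


class FakeDirectory:
    """Stand-in for a DC (constructed; not real LDAP). Models only paging."""

    def __init__(self, entries, max_page_size=1000):
        self.entries = entries
        self.max_page_size = max_page_size  # like AD's MaxPageSize policy

    def search(self, page_size, cookie=b""):
        """Return (result_code, page, next_cookie).

        The cookie is opaque to the client; here it encodes the offset of
        the next entry. An empty cookie signals the end of the result set.
        """
        if page_size > self.max_page_size:
            return SIZE_LIMIT_EXCEEDED, [], b""
        start = int(cookie) if cookie else 0
        page = self.entries[start:start + page_size]
        end = start + len(page)
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return 0, page, next_cookie


def fetch_all(directory, page_size):
    """Client side: iterate pages until the server returns an empty cookie."""
    if page_size < 1:
        raise ValueError("page size must be at least 1")
    users, cookie = [], b""
    while True:
        code, page, cookie = directory.search(page_size, cookie)
        if code != 0:
            raise RuntimeError(f"LDAP result code {code} (size limit exceeded)")
        users.extend(page)
        if not cookie:
            return users


# Constructed sample directory: 2000 accounts, as in the thread.
ACCOUNTS = [f"user{i:04d}" for i in range(2000)]
DC = FakeDirectory(ACCOUNTS, max_page_size=1000)


def demo(page_size):
    """Number of accounts fetched with this LdapPageSize, or the LDAP error code."""
    try:
        return len(fetch_all(DC, page_size))
    except RuntimeError:
        return SIZE_LIMIT_EXCEEDED
```

A page size at or below the server's limit (the `LdapPageSize 999` suggestion above) walks all 2000 accounts in three iterations; one above it fails with code 4 on the first page.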

(Isaac Muthui) #5

Thanks for the suggestion, but after updating I have no error on the Accounts provider page.
However, I now have an error on the Users and Groups page stating “AccountProvider_Error_1”


(Davide Principi) #6

Can you see additional information in /var/log/messages?


(Isaac Muthui) #7

Content of /var/log/messages
Jun 19 13:01:01 mail01 systemd: Started Session 2 of user root.
Jun 19 13:01:01 mail01 systemd: Starting Session 2 of user root.
Jun 19 14:01:01 mail01 systemd: Started Session 3 of user root.
Jun 19 14:01:01 mail01 systemd: Starting Session 3 of user root.
Jun 19 14:25:24 mail01 httpd: [ERROR] NethServer\Tool\UserProvider: AccountProvider_Error_1
Jun 19 14:25:24 mail01 httpd: [ERROR] (Connection timed out): IO::Socket::INET: connect: timeout
Jun 19 14:26:37 mail01 /sbin/e-smith/db[1685]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.0.1|BaseDN|my_domain,dc=co,dc=ke|BindDN||BindPassword||GroupDN|my_domain,dc=co,dc=ke|LdapURI|ldap://buruburusrv.MYDOMAIN.CO.KE|Provider|ad|Realm|MYDOMAIN.CO.KE|StartTls||UserDN|my_domain,dc=co,dc=ke|Workgroup|MYDOMAIN|status|enabled
Jun 19 14:26:37 mail01 /sbin/e-smith/db[1685]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.0.1|BaseDN|dc=MYDOMAIN,dc=co,dc=ke|BindDN||BindPassword||GroupDN|dc=MYDOMAIN,dc=co,dc=ke|LdapURI|ldap://192.168.0.1|Provider|ad|Realm|MYDOMAIN.CO.KE|StartTls||UserDN|dc=MYDOMAIN,dc=co,dc=ke|Workgroup|MYDOMAIN|status|enabled
Jun 19 14:26:37 mail01 dbus[667]: [system] Activating via systemd: service name=‘org.freedesktop.timedate1’ unit='dbus-org.freedesktop.timedate1.service’
Jun 19 14:26:37 mail01 dbus-daemon: dbus[667]: [system] Activating via systemd: service name=‘org.freedesktop.timedate1’ unit='dbus-org.freedesktop.timedate1.service’
Jun 19 14:26:37 mail01 systemd: Starting Time & Date Service…
Jun 19 14:26:37 mail01 dbus[667]: [system] Successfully activated service 'org.freedesktop.timedate1’
Jun 19 14:26:37 mail01 dbus-daemon: dbus[667]: [system] Successfully activated service 'org.freedesktop.timedate1’
Jun 19 14:26:37 mail01 systemd: Started Time & Date Service.
Jun 19 14:27:08 mail01 /sbin/e-smith/db[1726]: /var/lib/nethserver/db/configuration: OLD sssd=service|AdDns|192.168.0.1|BaseDN|dc=my_domain,dc=co,dc=ke|BindDN||BindPassword||GroupDN|dc=my_domain,dc=co,dc=ke|LdapURI|ldap://192.168.0.1|Provider|ad|Realm|MYDOMAIN.CO.KE|StartTls||UserDN|dc=my_domain,dc=co,dc=ke|Workgroup|MYDOMAIN|status|enabled
Jun 19 14:27:08 mail01 /sbin/e-smith/db[1726]: /var/lib/nethserver/db/configuration: NEW sssd=service|AdDns|192.168.0.1|BaseDN|dc=my_domain,dc=co,dc=ke|BindDN||BindPassword||GroupDN|dc=my_domain,dc=co,dc=ke|LdapURI|ldap://192.168.50.70|Provider|ad|Realm|MYDOMAIN.CO.KE|StartTls||UserDN|dc=my_domain,dc=co,dc=ke|Workgroup|MYDOMAIN|status|enabled
Jun 19 14:27:08 mail01 dbus[667]: [system] Activating via systemd: service name=‘org.freedesktop.timedate1’ unit='dbus-org.freedesktop.timedate1.service’
Jun 19 14:27:08 mail01 dbus-daemon: dbus[667]: [system] Activating via systemd: service name=‘org.freedesktop.timedate1’ unit='dbus-org.freedesktop.timedate1.service’
Jun 19 14:27:08 mail01 systemd: Starting Time & Date Service…
Jun 19 14:27:08 mail01 dbus[667]: [system] Successfully activated service 'org.freedesktop.timedate1’
Jun 19 14:27:08 mail01 dbus-daemon: dbus[667]: [system] Successfully activated service 'org.freedesktop.timedate1’
Jun 19 14:27:08 mail01 systemd: Started Time & Date Service.
Jun 19 14:29:13 mail01 httpd: [ERROR] NethServer\Tool\UserProvider: AccountProvider_Error_1
Jun 19 14:29:13 mail01 httpd: [ERROR] (Connection timed out): IO::Socket::INET: connect: timeout


(Davide Principi) #8

Your current LDAP configuration does not work with Kerberos authentication. To fix it:

  1. Go to “Accounts provider” page
  2. Run “Unbind” procedure
  3. Join Active Directory again from the same page

(Isaac Muthui) #9

Hi davidep,
I am now getting these errors.
Jun 21 09:19:14 mail01 httpd: [ERROR] NethServer\Tool\UserProvider: AccountProvider_Error_1
Jun 21 09:19:14 mail01 httpd: [ERROR] (Connection refused): IO::Socket::INET6: connect: Connection refused
Jun 21 09:19:24 mail01 [sssd[ldap_child[12701]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm ‘MYDOMAIN’. Unable to create GSSAPI-encrypted LDAP connection.
Jun 21 09:19:24 mail01 [sssd[ldap_child[12701]]]: Cannot contact any KDC for realm ‘MYDOMAIN’


(Isaac Muthui) #10

My /var/log/sssd/sssd_nss.log has the following error. Kindly advise on how I can solve this.

I have been trying to look for the sssd config file without any luck.


(Davide Principi) #11

Let’s see if we can find a DC from DNS. Please run

dig  _ldap._tcp.dc._msdcs.$(config getprop sssd Realm) SRV  _kerberos._tcp.dc._msdcs.$(config getprop sssd Realm) SRV

Then try to ping the host name(s) returned by the command above.


(Isaac Muthui) #12

Hello David,
Sorry for the late reply.
The issue was resolved after I updated the server yesterday (23/08/2017). The only issue I have noticed is that you have to install the emails module before connecting to the MS domain; otherwise, if you connect to the domain first, IMAP/POP services do not run after installing the emails module.