When trying to browse users or groups on the server I see these messages in the log file.

[2004/09/02 10:40:15, 0] lib/smbldap.c:smbldap_search_suffix(1101)
  smbldap_search_suffix: Problem during the LDAP search: (Size limit exceeded)
[2004/09/02 10:40:15, 0] passdb/pdb_ldap.c:ldapsam_setsampwent(1173)
  ldapsam_setsampwent: LDAP search failed: Size limit exceeded

We are unable to browse users or groups which is a show stopper!!!

I have added the line "sizelimit -1" in slapd.conf and restarted the ldap server but it doesn't seem to help.

I'm kind of desperate here guys:-) Can anyone shed some light on why this happens?

--
George Farris farrisg@mala.bc.ca
Malaspina University-College - Cowichan Campus

Hi,

On Thu, Sep 02, 2004 at 10:40:30AM -0700, George Farris wrote:
> When trying to browse users or groups on the server I see these
> messages in the log file.
>
> [2004/09/02 10:40:15, 0] lib/smbldap.c:smbldap_search_suffix(1101)
> smbldap_search_suffix: Problem during the LDAP search: (Size limit
> exceeded)
> [2004/09/02 10:40:15, 0] passdb/pdb_ldap.c:ldapsam_setsampwent(1173)
> ldapsam_setsampwent: LDAP search failed: Size limit exceeded
>
> We are unable to browse users or groups which is a show stopper!!!
>
> I have added the line "sizelimit -1" in slapd.conf and restarted the
> ldap server but it doesn't seem to help.

what about this one in slapd.conf :

limits dn="admin,dc=example,dc=com" size.soft=-1 size.hard=soft

set the dn value to the dn used to do the LDAP search

hoping this helps

Jerome Alet

On Thu, Sep 02, 2004 at 08:00:54PM +0200, jerome wrote:
>
> what about this one in slapd.conf :
>
> limits dn="admin,dc=example,dc=com" size.soft=-1 size.hard=soft

sorry, it was instead :

limits dn="cn=admin,dc=example,dc=com" size.soft=-1 size.hard=soft

stupid manual copy & paste :-)

Jerome Alet

On Thu, 2004-09-02 at 11:02, Jerome Alet wrote:
> On Thu, Sep 02, 2004 at 08:00:54PM +0200, jerome wrote:
> >
> > what about this one in slapd.conf :
> >
> > limits dn="admin,dc=example,dc=com" size.soft=-1 size.hard=soft
>
> sorry, it was instead :
>
> limits dn="cn=admin,dc=example,dc=com" size.soft=-1 size.hard=soft
>
> stupid manual copy & paste :-)
>
> Jerome Alet

Right I assume you mean the rootdn in /etc/openldap/slapd.conf

I have set it to:

limits dn="cn=Manager,dc=cc,dc=mala,dc=bc,dc=ca" size.soft=-1 size.hard=soft

and just above it is a sizelimit -1 statement.

Restart the ldap server and smb just in case. Login to win2k as administrator, look at properties of Power User group, try to add a group to it, browsing I can see the domain but when I click on the domain I get a message that there are no objects and in the /var/log/samba/log.workstation file I see:

[2004/09/02 11:38:55, 0] lib/smbldap.c:smbldap_search_suffix(1101)
  smbldap_search_suffix: Problem during the LDAP search: (Size limit exceeded)
[2004/09/02 11:38:55, 0] passdb/pdb_ldap.c:ldapsam_setsampwent(1173)
  ldapsam_setsampwent: LDAP search failed: Size limit exceeded
[2004/09/02 11:38:55, 0] rpc_server/srv_samr_nt.c:load_sampwd_entries(232)
  load_sampwd_entries: Unable to open passdb.
[2004/09/02 11:38:55, 0] lib/smbldap.c:smbldap_search_suffix(1101)
  smbldap_search_suffix: Problem during the LDAP search: (Size limit exceeded)
[2004/09/02 11:38:55, 0] passdb/pdb_ldap.c:ldapsam_setsampwent(1173)
  ldapsam_setsampwent: LDAP search failed: Size limit exceeded
[2004/09/02 11:38:55, 0] rpc_server/srv_samr_nt.c:load_sampwd_entries(232)
  load_sampwd_entries: Unable to open passdb.
[2004/09/02 11:38:55, 0] lib/smbldap.c:smbldap_search_suffix(1101)
  smbldap_search_suffix: Problem during the LDAP search: (Size limit exceeded)
[2004/09/02 11:38:55, 0] passdb/pdb_ldap.c:ldapsam_setsampwent(1173)
  ldapsam_setsampwent: LDAP search failed: Size limit exceeded
[2004/09/02 11:38:55, 0] rpc_server/srv_samr_nt.c:load_sampwd_entries(232)
  load_sampwd_entries: Unable to open passdb.

The only indexes and access rights I have in slapd.conf right now are:

index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
# old 2.x samba attrs
#index rid,primaryGroupID eq
# index default sub
## posixGroup entries in the directory as well
# index memberUid eq

# This directive allows the user to modify their entry,
# allows anonymous to authentication against these entries,
# and allows all others to read these entries. The anonymous
# users are granted auth, not read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=cc,dc=mala,dc=bc,dc=ca" write
    by * none

access to *
    by self write
    by dn.base="cn=Manager,dc=cc,dc=mala,dc=bc,dc=ca" write
    by * read

BTW this is samba-3.0.6-2 on Fedora Core 2 openldap-2.1.29-1

Do I have the wrong limit line?

--
George Farris farrisg@mala.bc.ca
Malaspina University-College - Cowichan Campus

On Thu, 2004-09-02 at 11:02, Jerome Alet wrote:
> On Thu, Sep 02, 2004 at 08:00:54PM +0200, jerome wrote:
> >
> > what about this one in slapd.conf :
> >
> > limits dn="admin,dc=example,dc=com" size.soft=-1 size.hard=soft
>
> sorry, it was instead :
>
> limits dn="cn=admin,dc=example,dc=com" size.soft=-1 size.hard=soft
>
> stupid manual copy & paste :-)
>
> Jerome Alet

Right, well, "pdbedit -L" failed with a size limit, ldapsearch also failed with a size limit. I have increased the sizelimit in both /etc/ldap.conf and /etc/openldap/ldap.conf to 10000 and both these commands now function.

However, the smbldap tools which I believe is responsible for returning a list of groups or users to the workstation spits out an error of "size limit exceeded". Does anyone know how to increase this or is this still a samba problem?

I would think the win2k workstation is asking samba for a list of groups (or users) and samba passes this off to the smbldap tools which fail. Does that make sense?

--
George Farris farrisg@mala.bc.ca
Malaspina University-College - Cowichan Campus

Well this has now started to work???? Possibly it was just a matter of setting the sizelimit in /etc/ldap.conf and waiting for the system to "catch up"???

I have only changed three things:

slapd.conf -> limits dn="cn=Manager,dc=cc,dc=mala,dc=bc,dc=ca" size.soft=-1 size.hard=soft
/etc/openldap/ldap.conf -> sizelimit 10000
/etc/ldap.conf -> sizelimit 10000

Confusingly yours:-)

On Thu, 2004-09-02 at 11:02, Jerome Alet wrote:
> On Thu, Sep 02, 2004 at 08:00:54PM +0200, jerome wrote:
> >
> > what about this one in slapd.conf :
> >
> > limits dn="admin,dc=example,dc=com" size.soft=-1 size.hard=soft
>
> sorry, it was instead :
>
> limits dn="cn=admin,dc=example,dc=com" size.soft=-1 size.hard=soft
>
> stupid manual copy & paste :-)
>
> Jerome Alet

--
George Farris farrisg@mala.bc.ca
Malaspina University-College - Cowichan Campus
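
Added example, not part of the original thread and not Samba or OpenLDAP code: a Python check for the advice above that the `limits` DN must be the DN used to do the LDAP search. It reads slapd.conf text and reports which size limits apply to a bind DN; the function names, the simplified DN comparison, the `dn=`/`dn.exact=`-only matching and the sample bind DN are assumptions of this example.

```python
import re
import shlex

DEFAULT_SIZELIMIT = 500  # slapd's default when slapd.conf sets no sizelimit

def _num(value):
    """Return None (unlimited) for -1/unlimited, otherwise the integer."""
    return None if value.lower() in ("-1", "unlimited") else int(value)

def _norm(dn):
    """Simplified DN comparison (assumption): lower-case, trimmed RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def size_limits_for(slapd_conf, bind_dn):
    """Return (soft, hard, source) that this config text gives bind_dn."""
    soft = hard = DEFAULT_SIZELIMIT
    source, matched = "built-in default", None
    for line in slapd_conf.splitlines():
        tok = shlex.split(line, comments=True)  # drops quotes and # comments
        if len(tok) == 2 and tok[0].lower() == "sizelimit":
            soft = hard = _num(tok[1])
            source = "global sizelimit"
        elif len(tok) >= 3 and tok[0].lower() == "limits" and matched is None:
            # Only the dn=<pattern> form used in the thread is recognised here.
            m = re.fullmatch(r"dn(?:\.exact)?=(.+)", tok[1], re.I)
            if m and _norm(m.group(1)) == _norm(bind_dn):
                matched = (line.strip(), tok[2:])
    if matched:
        source = matched[0]
        opts = dict(t.lower().split("=", 1) for t in matched[1] if "=" in t)
        if "size.soft" in opts:
            soft = _num(opts["size.soft"])
        if "size.hard" in opts:
            # size.hard=soft means "use the soft value as the hard limit"
            hard = soft if opts["size.hard"] == "soft" else _num(opts["size.hard"])
    return soft, hard, source

# Constructed samples built from the two limits lines quoted in the thread.
FIXED = 'limits dn="cn=admin,dc=example,dc=com" size.soft=-1 size.hard=soft\n'
TYPO = 'limits dn="admin,dc=example,dc=com" size.soft=-1 size.hard=soft\n'
BIND_DN = "cn=admin,dc=example,dc=com"  # assumed: the DN Samba binds with

if __name__ == "__main__":
    for name, conf in (("fixed", FIXED), ("typo", TYPO)):
        print(name, size_limits_for(conf, BIND_DN))
```

With the first `limits` line from the thread, the DN does not name the bind DN, so the per-DN limit never applies and the search falls back to the global or default size limit.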