Archibald Mouse
2011-Jun-07 05:44 UTC
[Samba] refreshing/cleaning the default idmap backend
Greetings,

I have just moved my samba server membership from one AD realm to another one. I may also have changed the idmap uid/gid ranges. The problem is that when I log in now (via ssh) using my AD credentials, I get the following:-

groups: cannot find name for group ID 10667
groups: cannot find name for group ID 10668
groups: cannot find name for group ID 10670
groups: cannot find name for group ID 10671
groups: cannot find name for group ID 10672
groups: cannot find name for group ID 10679
groups: cannot find name for group ID 10680
groups: cannot find name for group ID 10681
groups: cannot find name for group ID 10682

I'm really not sure what the problem is. Perhaps someone here knows. My theory is that I have certain local unix groups mapped (by winbind) to SIDs that are no longer available in the new realm. If this is so then it would seem that cleaning out the invalid mappings should help. Can this cleaning out be done? If so, how??

Something else that occurred to me was to simply blow away all my domain users and let them log in again to recreate their accounts. The idea would be to get winbind to start building the idmap db again from scratch. Is this feasible and sensible? If so, how might it be done?

I really am without much of a clue here and I would greatly appreciate any advice on how to eliminate the "groups: cannot find name for group ID" messages that appear for AD authenticated logins.

Thanks,
Archi

PS: I'm not on the list.
Archibald Mouse
2011-Jun-09 00:33 UTC
[Samba] refreshing/cleaning the default idmap backend
Greetings,

I have just moved my samba server membership from one AD realm to another one. I may also have changed the idmap uid/gid ranges. The problem is that when I log in now (via ssh) using my AD credentials, I get the following:-

groups: cannot find name for group ID 10667
groups: cannot find name for group ID 10668
groups: cannot find name for group ID 10670
groups: cannot find name for group ID 10671
groups: cannot find name for group ID 10672
groups: cannot find name for group ID 10679
groups: cannot find name for group ID 10680
groups: cannot find name for group ID 10681
groups: cannot find name for group ID 10682

I'm really not sure what the problem is. Perhaps someone here knows. My theory is that I have certain local unix groups mapped (by winbind) to SIDs that are no longer available in the new realm. If this is so then it would seem that cleaning out the invalid mappings should help. Can this cleaning out be done? If so, how??

Something else that occurred to me was to simply blow away all my domain users and let them log in again to recreate their accounts. The idea would be to get winbind to start building the idmap db again from scratch. Is this feasible and sensible? If so, how might it be done?

I really am without much of a clue here and I would greatly appreciate any advice on how to eliminate the "groups: cannot find name for group ID" messages that appear for AD authenticated logins.

Thanks,
Archi