[Samba] Make Winbind/PAM not return domain part for usernames

George jorgito1412 at gmail.com
Thu Aug 22 16:34:05 MDT 2013

Hi! I have a problem involving Samba4, exim4, fetchmail, dovecot and PAM...

I have setup a "maildrop" machine, which fetches mail from an external POP3
server for multiple accounts and then serves them locally via IMAP. On the
same machine, I am currently running Samba 4.0.9 over Debian Wheezy. The
idea is that fetchmail gets the mail, passes it to exim4, gets delivered to
the "AD user mailbox" and then Dovecot serves them via IMAP, where IMAP
authentication is done against Samba AD via PAM.

This had been working fine with Samba 3.x (since all users where in fact
Unix users), but since I migrated to 4.x, not that much... The problem
comes when I want to do this for new AD users. I have successfully
configured PAM authentication through winbind and it works (new AD users
can SSH the machine). Dovecot also takes the PAM authentication and works
fine, but the problem is that PAM returrns the "username" as
"DOMAIN\username" for Dovecot (I can see this on the logs), so Dovecot
tries to find the mailbox using that as part of the path. On the other
hand, fetchmail (actually the MTA, exim4), locally delivers the mail using
"username" (without the domain part) as part of the path.

So I end up with fetchmail delivering to, for eg, "/home/mail/foo" and
Dovecot trying to fetch from "/home/mail/MYDOMAIN\foo"

What does this have to do with Samba?? Well, I *believe* that one "quick
and dirty" fix would be to force winbind to always return the AD usernames
without the domain part, by using the "winbind use default domain = yes"
directive. This is what does not seem to be working. This has already been
reported some time ago (bug
Is there any workaround on this??

Any other suggestions? I can think of several workarounds that are actually
out of the scope of this list (trimming the first characters of the
username variable in Dovecot, adding the domain part as part of the
hardcoded path in exim4 config, trying with another authentication methods
for Dovecot, etc)

Best regards,


More information about the samba mailing list