[Samba] Make Winbind/PAM not return domain part for usernames

Thu Aug 22 17:48:31 MDT 2013

George wrote:
> Hi! I have a problem involving Samba4, exim4, fetchmail, dovecot and PAM...
>
> I have setup a "maildrop" machine, which fetches mail from an external POP3
> server for multiple accounts and then serves them locally via IMAP. On the
> same machine, I am currently running Samba 4.0.9 over Debian Wheezy. The
> idea is that fetchmail gets the mail, passes it to exim4, gets delivered to
> the "AD user mailbox" and then Dovecot serves them via IMAP, where IMAP
> authentication is done against Samba AD via PAM.
>
> This had been working fine with Samba 3.x (since all users where in fact
> Unix users), but since I migrated to 4.x, not that much... The problem
> comes when I want to do this for new AD users. I have successfully
> configured PAM authentication through winbind and it works (new AD users
> can SSH the machine). Dovecot also takes the PAM authentication and works
> fine, but the problem is that PAM returrns the "username" as
> "DOMAIN\username" for Dovecot (I can see this on the logs), so Dovecot
> tries to find the mailbox using that as part of the path. On the other
> hand, fetchmail (actually the MTA, exim4), locally delivers the mail using
> "username" (without the domain part) as part of the path.
>   
----
    Do you have "winbind use default domain" set to true, by any chance?

    I had problems when that param was set to true.

    If that param is set to true, then you'll be ID'd as DOM\USER
even on the Domain Controller (which isn't how it is on Windows).  With that
param set to false, then "USER" on the DC, == the same user as "DOM\USER"
on client (non-DC) machines.

    I have a similar setup to you in that I have fetchmail delivering mail
to a local user (->user), but when I perform *remote* validation from
a client against the DC, the same domain-account gets listed as
'DC-DOMNAME\USER'.

    Now in dovecot, it uses the name that the user's client passes to them.
So I configure my Win-email client to use a login of "user", and that's
what gets ID'd against PAM (unless you have "winbind use default 
domain=yes").

    The only place that I found that still referenced "Domain\user" was
"ssh" from cygwin.  On windows, if I was logged in on my domain account,
I was DOM\USER, but if I was on my computer-local account, then I was
just "USER" -- USER being relative to the machine you are on.

    I solved that by entries in /etc/passwd:
lw:x:5013:201:L A Walsh, Trust Technologies, tlinx.org:/home/lw:/bin/bash
Bliss\lw:x:5013:201:L A Walsh, Trust Technologies, 
tlinx.org:/home/lw:/bin/bash
BLISS\lw:x:5013:201:L A Walsh, Trust Technologies, 
tlinx.org:/home/lw:/bin/bash

Which usually seems to cover most problems.

The key was the use default dom parm -- that needs to be "no" or you will
be id'd as "DOM\USER" -- always -- even on the DC.

----
As for your idea of always stripping the domain?... um ... when I,
on a client machine, authenticate against Winbind using my DOM account,
that is a different user-id than when I authenticate as the same username
but NOT using my domain account.

I.e. on a client machine,  "user" = 1001 and "dom\user"=5000,
only on the DC does "user" = 5000 = dom\user...

So stripping the dom would cause as many or more problems than it fixes.

Check the "winbind use default domain " in your smb.conf and also for
dovecot -- check that remote users use "<login>" w/o the domain component.

Not sure if this answers your Q or prob, but it sounded like what I've 
experienced.... ;-)

against Winbind and am using a domain account -- it returns a different
account number than when I am use a