[Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]

Mark Foley mfoley at ohprs.org
Thu Jul 21 14:48:40 UTC 2016


> Date: Thu, 21 Jul 2016 08:56:54 +0100
> From: Rowland penny <rpenny at samba.org>
> On 21/07/16 06:08, Mark Foley wrote:
> > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
> >
> > passwd: compat winbind
> > group: compat winbind
> >
> > I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get
> > the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh
> > well.
> >
> > And, it started working ... sort of. Email to that user was delivered OK; meaning
> > sendmail/procmail were able to find the right IMAP folder to deliver mail.
> >
> > However, email from that sender is not working and I'm sure one of you geniuses can set me
> > straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
> >
> > $ getent passwd mark
> > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> >
> > ... and after the changes:
> >
> > $ getent passwd mark
> > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
>
> OK, you are running into one of the problems of using a DC as a
> fileserver here: the only RFC2307 attributes used from AD are
> 'uidNumber' & 'gidNumber'. You can get around the user's home placement
> and shell with a couple of lines in smb.conf:
>
>          template homedir = /home/%U
>          template shell = /bin/bash
>
> Restart Samba
>
> There is another line, which works on a domain member:
>
>      winbind use default domain = yes
>
> This (on a domain member) removes the NetBIOS domain name, but it 
> doesn't seem to work on an AD DC.
>
> Rowland

Actually, the homedir is fine, though that's a good setting to know.  I did add the "template
shell" and that worked, but I don't really care about the shell (yet) since this is not a
computer people log onto. 

Anyway, the problem is that getent is apparently returning HPRS\mark as the user to sendmail,
and sendmail is constructing the outgoing email address as HPRS\mark at ohprs.org -- which is bad. 

I already have "winbind use default domain = yes". 

Maybe I need a rewrite rule in sendmail.

btw - I've changed the subject line. This is not about gssapi/kerberos.

--Mark

> >
> > See the difference? And here are a few mail log messages:
> >
> > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
> >
> > Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address
> > ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
> >
> > Any ideas how to fix that?
> >
> > I'll check with the sendmail people also.
> >
> > Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which
> > should make Rowland happy!
> >
> > --Mark
> >
> >
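
An added example, not part of the original messages: a small shell check that reads passwd-format lines, such as the two `getent passwd mark` results quoted above, and reports every login name that NSS returns in DOMAIN\user form, together with its short name and shell. The function name and the embedded sample variable are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: the two getent results quoted in the thread
# (before and after the nsswitch.conf change).
SAMPLE='mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false'

# flag_qualified_names (hypothetical helper): read passwd(5)-format lines
# on stdin and print "login<TAB>short name<TAB>shell" for every entry whose
# login field contains a backslash, i.e. a domain-qualified name.
flag_qualified_names() {
    awk -F: '
        index($1, "\\") > 0 {
            short = $1
            sub(/^.*\\/, "", short)   # drop everything up to the last backslash
            printf "%s\t%s\t%s\n", $1, short, $7
        }'
}

# Run the check over the sample; only the winbind-supplied entry is reported.
printf '%s\n' "$SAMPLE" | flag_qualified_names
```

On a live host, pipe `getent passwd mark` into the function instead of the sample.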


