[Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Thu Jul 21 16:30:19 UTC 2016


Hi Mark,

I've had the same trouble with the DOMAIN\user on my DCs, and as Rowland
has already pointed out, the "winbind use default domain = yes" configure
option is not honored on a DC.  My guess is that is because a Samba DC can
only be a DC for one domain, so that is why it isn't honored.  If I do
"getent passwd username" on my DCs, they all return
"DOMAIN\username:*:uidNumber:gidNumber:User
Name:/home/DOMAIN/username:/login/shell" which is the same thing as "getent
passwd 'DOMAIN\username'" returns.  So you can probably change the
configuration of sendmail to drop the "DOMAIN\" from the start of the
username, although I'm not sure how to do that.  The other option would be
to not use winbind, and to instead use sssd.  I've not tried this on a DC,
but I can't see why it wouldn't work.  You would have to remove winbind
from your nsswitch config and add the sssd entries.  Mine looks like this
on my domain members:


# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss

ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss


My /etc/sssd/sssd.conf looks like this:


[sssd]
services = nss, pam
config_file_version = 2
domains = AD.REALM

[domain/AD.REALM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# Set to false if you want to use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = False

# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true

# Allow offline logins by locally storing password hashes (default: false).
#cache_credentials = true


This might be easier than trying to change the sendmail configuration or
figuring out the "the idiosyncrasies in the winbindd configuration on the
Active Directory Domain Controller" as described on the Samba wiki
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction

Mike E.
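As an added illustration (not code from Mike's or Mark's mail, and not the sendmail rewrite rule the thread asks about), here is a small Python script that parses getent passwd output, strips the NetBIOS "DOMAIN\" prefix that winbind prepends on a DC before forming the sender address, and scans sendmail log lines of the shape quoted below for senders that still carry the prefix. The getent and log lines are constructed samples modelled on the thread; the mail domain ohprs.org is taken from it.

```python
import re

# Constructed samples: what "getent passwd" returns on a Samba AD DC (winbind
# keeps the NetBIOS domain prefix) versus on a domain member.
GETENT_DC = "HPRS\\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false"
GETENT_MEMBER = "mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash"

# Constructed sendmail log lines in the shape quoted in the thread (the
# daemon escapes the backslash, so the prefix appears as HPRS\\mark).
MAILLOG = """\
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:47:02 mail sendmail[16011]: u6L4l2Ab016011: from=<mark@ohprs.org>, size=512
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(line):
    """Split one passwd(5)-style line, as printed by getent, into its seven fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return dict(zip(PASSWD_FIELDS, fields))

def strip_domain(name):
    """Return (domain, user) for 'DOMAIN\\user'; domain is '' for a bare user name."""
    domain, sep, user = name.rpartition("\\")
    return (domain, user) if sep else ("", name)

def envelope_sender(nss_name, mail_domain):
    """Local part of the From address is the user name without any NetBIOS prefix."""
    _, user = strip_domain(nss_name)
    if not user:
        raise ValueError(f"no user name in {nss_name!r}")
    return f"{user}@{mail_domain}"

def broken_sender_events(log_text):
    """Return (user, address) pairs for Authentication-Warning lines whose sender
    still carries a DOMAIN\\ prefix (log escaping undone): the NSS name reached
    sendmail unstripped, so the From address was mangled."""
    pat = re.compile(r"Authentication-Warning: \S+: (?P<user>\S+) set sender to (?P<addr>\S+)")
    hits = []
    for line in log_text.splitlines():
        m = pat.search(line)
        if m and "\\" in m.group("user"):
            hits.append((m.group("user").replace("\\\\", "\\"), m.group("addr")))
    return hits
```

Running broken_sender_events over the real /var/log/maillog is a quick way to confirm whether the prefix is still leaking through after a configuration change.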


On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org> wrote:

> > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > From: Rowland penny <rpenny at samba.org>
> > On 21/07/16 06:08, Mark Foley wrote:
> > > OK! I deleted the /etc/passwd entry for user mark and I modified my
> /etc/nsswitch.conf to:
> > >
> > > passwd: compat winbind
> > > group: compat winbind
> > >
> > > I couldn't get sendmail working with this at first -- I didn't know
> what to [re]start to get
> > > the new nsswitch config to take, so I rebooted. Probably I just had to
> restart sendmail, but oh
> > > well.
> > >
> > > And, it started working ... sort of. Email to that user was delivered
> OK; meaning
> > > sendmail/procmail were able to find the right IMAP folder to deliver
> mail.
> > >
> > > However, email from that sender is not working and I'm sure one of you
> geniuses can set me
> > > straight. Here's my getent before deleting the /etc/passwd entry and
> before nsswitch changes:
> > >
> > > $ getent passwd mark
> > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > >
> > > ... and after the changes:
> > >
> > > $ getent passwd mark
> > > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
> >
> > OK, you are running into one of the problems of using a DC as a
> > fileserver here, the only RFC2307 attributes used from AD are
> > 'uidNumber' & 'gidNumber'. You can get around the users home placement
> > and shell with a couple of lines in smb.conf:
> >
> >          template homedir = /home/%U
> >          template shell = /bin/bash
> >
> > Restart Samba
> >
> > There is another line, which works on a domain member:
> >
> >      winbind use default domain = yes
> >
> > This (on a domain member) removes the NetBIOS domain name, but it
> > doesn't seem to work on an AD DC.
> >
> > Rowland
>
> Actually, the homedir is fine, though that's a good setting to know.  I
> did add the "template
> shell" and that worked, but I don't really care about the shell (yet)
> since this is not a
> computer people log onto.
>
> Anyway, the problem is that getent is apparently returning HPRS\mark as
> the user to sendmail,
> and sendmail is constructing the outgoing email address as HPRS\
> mark at ohprs.org -- which is bad.
>
> I already have "winbind use default domain = yes".
>
> Maybe I need a rewrite rule in sendmail.
>
> btw - I've changed the subject line. This is not about gssapi/kerberos.
>
> --Mark
>
> > >
> > > See the difference? And here are a few mail log messages:
> > >
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @
> ohprs.org using -r
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org...
> User address required
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> from="HPRS\\\\mark",
> > >
> > > Notice that it is now getting the userID as "HPRS\mark", i.e.
> domain\user, and the from address
> > > ends up being HPRS\mark at ohprs.org, which sendmail is not handling
> well.
> > >
> > > Any ideas how to fix that?
> > >
> > > I'll check with the sendmail people also.
> > >
> > > Almost there! When I get this sorted out, I can remove my AD users
> from /etc/passwd which
> > > should make Rowland happy!
> > >
> > > --Mark
> > >
> > >
>