[Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]

Mark Foley mfoley at ohprs.org
Thu Jul 21 20:32:27 UTC 2016


Thanks Mike. I'll investigate sssd although it shouldn't be too hard to have sendmail rewrite
the userID to remove the domain. I'm investigating this now and will post results.

--Mark

-----Original Message-----
> From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> Date: Thu, 21 Jul 2016 12:30:19 -0400
> Subject: Re: [Samba] sendmail getting domain\user as email userId [formerly:
>  How to GSSAPI/Kerberos authenticate with Dovecot]
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>
> Hi Mark,
>
> I've had the same trouble with the DOMAIN\user on my DCs, and as Rowland
> has already pointed out, the "winbind use default domain = yes" configure
> option is not honored on a DC.  My guess is that is because a Samba DC can
> only be a DC for one domain, so that is why it isn't honored.  If I do
> "getent passwd username" on my DCs, they all return
> "DOMAIN\username:*:uidNumber:gidNumber:User
> Name:/home/DOMAIN/username:/login/shell" which is the same thing as "getent
> passwd 'DOMAIN\username'" returns.  So you can probably change the
> configuration of sendmail to drop the "DOMAIN\" from the start of the
> username, although I'm not sure how to do that.  The other option would be
> to not use winbind, and to instead use sssd.  I've not tried this on a DC,
> but I can't see why it wouldn't work.  You would have to remove winbind
> from your nsswitch config and add the sssd entries.  Mine looks like this
> on my domain members:
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat sss
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files sss
>
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> sudoers:        files sss
>
>
> My /etc/sssd/sssd.conf looks like this:
>
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = AD.REALM
>
> [domain/AD.REALM]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> # Set to false if you want to use POSIX UIDs and GIDs set on the AD side
> ldap_id_mapping = False
>
> # Note that enabling enumeration will have a moderate performance impact.
> # Consequently, the default value for enumeration is FALSE.
> # Refer to the sssd.conf man page for full details.
> enumerate = true
>
> # Allow offline logins by locally storing password hashes (default: false).
> #cache_credentials = true
>
>
> This might be easier than trying to change the sendmail configuration or
> figuring out the "the idiosyncrasies in the winbindd configuration on the
> Active Directory Domain Controller" as described on the Samba wiki
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction
>
> Mike E.
>
>
> On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org> wrote:
>
> > > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > > From: Rowland penny <rpenny at samba.org>
> > > On 21/07/16 06:08, Mark Foley wrote:
> > > > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
> > > >
> > > > passwd: compat winbind
> > > > group: compat winbind
> > > >
> > > > I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh well.
> > > >
> > > > And, it started working ... sort of. Email to that user was delivered OK; meaning sendmail/procmail were able to find the right IMAP folder to deliver mail.
> > > >
> > > > However, email from that sender is not working and I'm sure one of you geniuses can set me straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
> > > >
> > > > $ getent passwd mark
> > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > >
> > > > ... and after the changes:
> > > >
> > > > $ getent passwd mark
> > > > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
> > >
> > > OK, you are running into one of the problems of using a DC as a
> > > fileserver here, the only RFC2307 attributes used from AD are
> > > 'uidNumber' & 'gidNumber'. You can get around the users home placement
> > > and shell with a couple of lines in smb.conf:
> > >
> > >          template homedir = /home/%U
> > >          template shell = /bin/bash
> > >
> > > Restart Samba
> > >
> > > There is another line, which works on a domain member:
> > >
> > >      winbind use default domain = yes
> > >
> > > This (on a domain member) removes the NetBIOS domain name, but it
> > > doesn't seem to work on an AD DC.
> > >
> > > Rowland
> >
> > Actually, the homedir is fine, though that's a good setting to know.  I did add the "template shell" and that worked, but I don't really care about the shell (yet) since this is not a computer people log onto.
> >
> > Anyway, the problem is that getent is apparently returning HPRS\mark as the user to sendmail, and sendmail is constructing the outgoing email address as HPRS\mark at ohprs.org -- which is bad.
> >
> > I already have "winbind use default domain = yes".
> >
> > Maybe I need a rewrite rule in sendmail.
> >
> > btw - I've changed the subject line. This is not about gssapi/kerberos.
> >
> > --Mark
> >
> > > >
> > > > See the difference? And here are a few mail log messages:
> > > >
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
> > > >
> > > > Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
> > > >
> > > > Any ideas how to fix that?
> > > >
> > > > I'll check with the sendmail people also.
> > > >
> > > > Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which should make Rowland happy!
> > > >
> > > > --Mark
> > > >
> > > >
> >
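The normalisation Mark says he will try on the sendmail side (dropping the "DOMAIN\" that winbind prepends on a DC, where "winbind use default domain = yes" is not honoured), written out as an added shell example. This is not code from the thread or from Samba or sendmail; the function names (strip_domain, valid_local_part, passwd_local_part, sender_address) are hypothetical, the passwd line is a constructed sample with the values quoted above, ohprs.org is the mail domain from the thread, and the separator is assumed to be the smb.conf default "winbind separator" of "\". The validity check rejects any name that still carries a backslash, because "\" is one of the specials of an RFC 822 address and cannot appear in an unquoted local part, which is the shape of the failure in the log lines quoted above.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Turns the "DOMAIN\user"
# account name that NSS (winbind on a Samba AD DC) returns into a plain
# local part that sendmail can put in front of "@ohprs.org".

# Assumption: smb.conf uses the default "winbind separator" of "\".
# Set this to "+" (or whatever smb.conf configures) if it differs.
WINBIND_SEPARATOR='\'

# Constructed sample of what `getent passwd mark` returned on the DC
# (same fields as the entry quoted in the thread).
SAMPLE_GETENT='HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false'

# strip_domain NAME: print NAME with a leading "DOMAIN<separator>" removed.
# A name with no separator (e.g. a plain /etc/passwd user) is printed unchanged.
strip_domain() {
    name=$1
    case "$name" in
        *"$WINBIND_SEPARATOR"*) stripped=${name#*"$WINBIND_SEPARATOR"} ;;
        *) stripped=$name ;;
    esac
    printf '%s\n' "$stripped"
}

# valid_local_part NAME: succeed only if NAME is safe as an unquoted local part
# of an e-mail address. Anything outside a conservative atom character set
# (letters, digits, ".", "_", "-") is rejected; that covers "\" from winbind,
# spaces, "@" and the other RFC 822 specials.
valid_local_part() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# passwd_local_part PASSWD_LINE: field 1 of a passwd(5) line, domain stripped.
passwd_local_part() {
    strip_domain "${1%%:*}"
}

# sender_address PASSWD_LINE MAILDOMAIN: print user@MAILDOMAIN built from the
# passwd line; print nothing and return 1 if the local part is still unsafe,
# so a caller never emits an address such as "HPRS\mark@ohprs.org".
sender_address() {
    user=$(passwd_local_part "$1")
    valid_local_part "$user" || return 1
    printf '%s@%s\n' "$user" "$2"
}

# Demonstration when run directly: raw NSS name versus normalised address.
raw=${SAMPLE_GETENT%%:*}
printf 'raw NSS name:    %s\n' "$raw"
printf 'stripped name:   %s\n' "$(strip_domain "$raw")"
if valid_local_part "$raw"; then
    echo "raw name would be accepted as a local part"
else
    echo "raw name rejected: it contains an address special"
fi
printf 'sender address:  %s\n' "$(sender_address "$SAMPLE_GETENT" ohprs.org)"
```

Where this runs depends on how the mail gets submitted: for mail generated by local scripts or cron, wrapping the submission so that the from address comes from sender_address is enough; for delivery-side lookups the real fix remains making NSS return the bare name, which on a domain member "winbind use default domain = yes" does and which sssd as described above also does.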