[Samba] sendmail getting domain\user as email userId

Mark Foley mfoley at ohprs.org
Mon Jul 25 14:22:43 UTC 2016


Mike,

If the DC returns "DOMAIN\username", but domain members (correctly?) return just "username", is
this a bug in the DC? Is there some reason the DC essentially ignores the "winbind use default
domain = yes" and returns DOMAIN\username? It would seem to me that sendmail would not be the
only program stumbling on this. 

--Mark

-----Original Message-----
> From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> Date: Thu, 21 Jul 2016 12:30:19 -0400
> Subject: Re: [Samba] sendmail getting domain\user as email userId [formerly:
>  How to GSSAPI/Kerberos authenticate with Dovecot]
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>
> Hi Mark,
>
> I've had the same trouble with the DOMAIN\user on my DCs, and as Rowland
> has already pointed out, the "winbind use default domain = yes" configure
> option is not honored on a DC.  My guess is that is because a Samba DC can
> only be a DC for one domain, so that is why it isn't honored.  If I do
> "getent passwd username" on my DCs, they all return
> "DOMAIN\username:*:uidNumber:gidNumber:User
> Name:/home/DOMAIN/username:/login/shell" which is the same thing as "getent
> passwd 'DOMAIN\username'" returns.  So you can probably change the
> configuration of sendmail to drop the "DOMAIN\" from the start of the
> username, although I'm not sure how to do that.  The other option would be
> to not use winbind, and to instead use sssd.  I've not tried this on a DC,
> but I can't see why it wouldn't work.  You would have to remove winbind
> from your nsswitch config and add the sssd entries.  Mine looks like this
> on my domain members:
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat sss
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files sss
>
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> sudoers:        files sss
>
>
> My /etc/sssd/sssd.conf looks like this:
>
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = AD.REALM
>
> [domain/AD.REALM]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> # Set to false if you want to use POSIX UIDs and GIDs set on the AD side
> ldap_id_mapping = False
>
> # Note that enabling enumeration will have a moderate performance impact.
> # Consequently, the default value for enumeration is FALSE.
> # Refer to the sssd.conf man page for full details.
> enumerate = true
>
> # Allow offline logins by locally storing password hashes (default: false).
> #cache_credentials = true
>
>
> This might be easier than trying to change the sendmail configuration or
> figuring out the "the idiosyncrasies in the winbindd configuration on the
> Active Directory Domain Controller" as described on the Samba wiki
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction
>
> Mike E.
>
>
> On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org> wrote:
>
> > > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > > From: Rowland penny <rpenny at samba.org>
> > > On 21/07/16 06:08, Mark Foley wrote:
> > > > OK! I deleted the /etc/passwd entry for user mark and I modified my
> > /etc/nsswitch.conf to:
> > > >
> > > > passwd: compat winbind
> > > > group: compat winbind
> > > >
> > > > I couldn't get sendmail working with this at first -- I didn't know
> > what to [re]start to get
> > > > the new nsswitch config to take, so I rebooted. Probably I just had to
> > restart sendmail, but oh
> > > > well.
> > > >
> > > > And, it started working ... sort of. Email to that user was delivered
> > OK; meaning
> > > > sendmail/procmail were able to find the right IMAP folder to deliver
> > mail.
> > > >
> > > > However, email from that sender is not working and I'm sure one of you
> > geniuses can set me
> > > > straight. Here's my getent before deleting the /etc/passwd entry and
> > before nsswitch changes:
> > > >
> > > > $ getent passwd mark
> > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > >
> > > > ... and after the changes:
> > > >
> > > > $ getent passwd mark
> > > > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
> > >
> > > OK, you are running into one of the problems of using a DC as a
> > > fileserver here, the only RFC2307 attributes used from AD are
> > > 'uidNumber' & 'gidNumber'. You can get around the users home placement
> > > and shell with a couple of lines in smb.conf:
> > >
> > >          template homedir = /home/%U
> > >          template shell = /bin/bash
> > >
> > > Restart Samba
> > >
> > > There is another line, which works on a domain member:
> > >
> > >      winbind use default domain = yes
> > >
> > > This (on a domain member) removes the NetBIOS domain name, but it
> > > doesn't seem to work on an AD DC.
> > >
> > > Rowland
> >
> > Actually, the homedir is fine, though that's a good setting to know.  I
> > did add the "template
> > shell" and that worked, but I don't really care about the shell (yet)
> > since this is not a
> > computer people log onto.
> >
> > Anyway, the problem is that getent is apparently returning HPRS\mark as
> > the user to sendmail,
> > and sendmail is constructing the outgoing email address as HPRS\mark at ohprs.org
> > -- which is bad.
> >
> > I already have "winbind use default domain = yes".
> >
> > Maybe I need a rewrite rule in sendmail.
> >
> > btw - I've changed the subject line. This is not about gssapi/kerberos.
> >
> > --Mark
> >
> > > >
> > > > See the difference? And here are a few mail log messages:
> > > >
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> > Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @
> > ohprs.org using -r
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org...
> > User address required
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> > from="HPRS\\\\mark",
> > > >
> > > > Notice that it is now getting the userID as "HPRS\mark", i.e.
> > domain\user, and the from address
> > > > ends up being HPRS\mark at ohprs.org, which sendmail is not handling
> > well.
> > > >
> > > > Any ideas how to fix that?
> > > >
> > > > I'll check with the sendmail people also.
> > > >
> > > > Almost there! When I get this sorted out, I can remove my AD users
> > from /etc/passwd which
> > > > should make Roland happy!
> > > >
> > > > --Mark
> > > >
> > > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
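As an added example (not code from the thread, Samba or sendmail), a small Python audit that recognises the DOMAIN\user symptom discussed above in getent output and sendmail log lines, and shows the one safe way to drop the prefix: only when the domain is the expected one. It assumes winbind's default `\` separator and a known expected domain; the sample data is constructed from the values quoted in the thread.

```python
"""Detect the DOMAIN\\user symptom from this thread; samples below are constructed from the quoted thread values."""
import re

SEP = "\\"  # winbind's default separator (assumed)
GETENT_AFTER = r"HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false"
MAILLOG = [
    r"Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: "
    r"mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r",
    r"Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required",
    r'Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",',
]
AUTHWARN_RE = re.compile(r"Authentication-Warning: \S+: (?P<user>\S+) set sender to (?P<addr>\S+)")
FROM_RE = re.compile(r'from="(?P<from>[^"]*)"')

def split_domain_user(name, sep=SEP):
    """'HPRS\\mark' -> ('HPRS', 'mark'); 'mark' -> (None, 'mark')."""
    domain, found, user = name.rpartition(sep)
    return (domain if found else None, user)

def local_part(name, expected_domain, sep=SEP):
    """Strip the domain prefix only if it is the expected domain; otherwise refuse."""
    domain, user = split_domain_user(name, sep)
    if (domain is not None and domain.upper() != expected_domain.upper()) or not user:
        raise ValueError("refusing to map %r" % name)
    return user

def audit_passwd_line(line, expected_domain, sep=SEP):
    """Return bare user, uid and findings for one passwd(5) line from getent."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line: %r" % line)
    domain, _ = split_domain_user(fields[0], sep)
    findings = ["pw_name %r is domain-qualified; an MTA using it as local part "
                "would build %s@<maildomain>" % (fields[0], fields[0])] if domain else []
    return {"user": local_part(fields[0], expected_domain, sep),
            "uid": int(fields[2]), "findings": findings}

def audit_maillog(lines, sep=SEP):
    """Return one finding string per sendmail log line showing the symptom."""
    out = []
    for line in lines:
        m = AUTHWARN_RE.search(line)
        if m and sep in m["user"]:
            out.append("domain-qualified sender user %s" % m["user"])
        if m and m["addr"].startswith("@"):
            out.append("sender address %s has no local part" % m["addr"])
        f = FROM_RE.search(line)
        if f and sep in f["from"]:
            out.append("domain-qualified envelope from %s" % f["from"])
    return out
```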
