[Samba] sendmail getting domain\user as email userId

Mark Foley mfoley at ohprs.org
Mon Jul 25 14:35:21 UTC 2016


Dewayne,

Thanks a lot for this patch. I'll hang on to it and probably do some experimenting on the side.
The problem with this approach is that our AD/DC/Mail-server is in an office and I have to be
concerned about future sysadmins as well as future sendmail updates. I am very reluctant to
patch OS software, especially if other solutions are available.

At worst, I can drop back and remove winbind from nsswitch.conf on the AD and put the user back
in /etc/passwd. That's how I've been running for nearly 2 years and it's worked just fine. I
was hoping to eliminate dual-entries for users in AD and passwd, but that's easier for someone
to sort out than a patch.

What I'd really like is a sendmail rule that would simply strip the "HPRS\" bit off the front
of the username token. It seems like a rather simple rule (if there are such things in
sendmail!), but I've found nothing so far and no feedback from expert sites. I could put this
rule in my .mc file so it would be both documented and be independent of sendmail program updates.

I subscribed to the sendmail-announce at lists.sendmail.org maillist but the moderator hasn't even
"approved" my initial post yet. It might be a dead list.

Any ideas on resources for this?

--Mark
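
An added check, not code from this thread or from the Samba or sendmail projects: a POSIX shell script that takes the passwd(5) line NSS returns for an account, tells whether the login carries the DOMAIN\ prefix winbind produces on a DC, and prints the bare sender address sendmail should be building. It assumes the default winbind separator (a backslash), the domain name HPRS and the mail domain ohprs.org seen in the thread; the two sample lines are constructed from the getent output quoted further down, and the live check (check_account) needs getent on the host.

```sh
#!/bin/sh
# Added example, not code from the thread. Inspect what NSS hands to
# sendmail for an account on a Samba AD DC and what sender address results.
# Assumptions (not from the thread): the default winbind separator '\',
# and getent(1) on the host for the live check. The sample lines at the
# bottom are constructed from the getent output quoted in the thread.

WINBIND_SEP='\'

# Login field (first colon-separated field) of a passwd(5) line.
nss_login() {
    printf '%s\n' "${1%%:*}"
}

# True if NAME carries a DOMAIN<sep> prefix.
has_domain_prefix() {
    sep=${2:-$WINBIND_SEP}
    case $1 in
        *"$sep"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# NAME with any leading DOMAIN<sep> removed (unchanged if there is none).
strip_domain() {
    sep=${2:-$WINBIND_SEP}
    printf '%s\n' "${1#*"$sep"}"
}

# Sender address sendmail should build: bare login @ mail domain.
sender_address() {
    printf '%s@%s\n' "$(strip_domain "$1")" "$2"
}

# Report on one passwd line: prefix present?, login shell, sender address.
report_line() {
    line=$1
    maildomain=$2
    login=$(nss_login "$line")
    shell=${line##*:}
    if has_domain_prefix "$login"; then
        printf 'login %s has a domain prefix; sendmail would see %s@%s\n' \
            "$login" "$login" "$maildomain"
        printf 'sender should be %s\n' "$(sender_address "$login" "$maildomain")"
    else
        printf 'login %s is bare; sender %s@%s\n' "$login" "$login" "$maildomain"
    fi
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin)
            printf 'note: shell is %s (smb.conf "template shell" changes this)\n' "$shell" ;;
    esac
}

# Live check: query NSS for both the bare and the prefixed name and warn
# when they resolve to different uids, i.e. the account exists twice
# (local passwd entry plus winbind) and delivery is ambiguous.
check_account() {
    user=$1
    domain=$2
    maildomain=$3
    command -v getent >/dev/null 2>&1 || { echo 'getent not found' >&2; return 2; }
    bare=$(getent passwd "$user" 2>/dev/null || true)
    prefixed=$(getent passwd "${domain}${WINBIND_SEP}${user}" 2>/dev/null || true)
    if [ -n "$bare" ]; then report_line "$bare" "$maildomain"; fi
    if [ -n "$prefixed" ]; then report_line "$prefixed" "$maildomain"; fi
    if [ -n "$bare" ] && [ -n "$prefixed" ]; then
        uid_bare=$(printf '%s\n' "$bare" | cut -d: -f3)
        uid_pre=$(printf '%s\n' "$prefixed" | cut -d: -f3)
        if [ "$uid_bare" != "$uid_pre" ]; then
            echo "warning: $user resolves to uid $uid_bare and uid $uid_pre" >&2
        fi
    fi
}

# Constructed sample lines (the thread's getent output before and after
# switching nsswitch to winbind on the DC).
SAMPLE_BEFORE='mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash'
SAMPLE_AFTER='HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false'

report_line "$SAMPLE_BEFORE" ohprs.org
report_line "$SAMPLE_AFTER" ohprs.org

# Live usage: sh thisscript.sh mark HPRS ohprs.org
if [ "$#" -ge 3 ]; then
    check_account "$1" "$2" "$3"
fi
```

Run it on the DC as, say, `sh nsscheck.sh mark HPRS ohprs.org` (file name assumed) to see both name forms; a uid mismatch between the bare and the prefixed name means the account still exists twice, once in /etc/passwd and once via winbind, and local delivery or sender construction can pick either. The script only reports what NSS returns; to see how sendmail then rewrites either form, feed it to sendmail's address test mode (`sendmail -bt`).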

-----Original Message-----
> From: Dewayne Geraghty <dewaynegeraghty at gmail.com>
> Date: Sat, 23 Jul 2016 18:39:32 +1000
> Subject: Re: [Samba] sendmail getting domain\user as email userId [formerly:
>  How to GSSAPI/Kerberos authenticate with Dovecot]
> To: Mark Foley <mfoley at ohprs.org>
>
> Mark,
> We've had this problem with sendmail in 2014.  A friend John Marshall
> addressed this on FreeBSD.  I've included a patch that may assist.  The
> patch applies cleanly, though with the cut/paste between my ssh session and
> this windows client, the spacing may be incorrect.
>
> This is a bug known to sendmail, but they were unprepared to rectify it.
>
> --- sendmail/srvrsmtp.c.orig    2013-11-23 07:51:56.000000000 +1100
> +++ sendmail/srvrsmtp.c 2014-01-27 17:26:30.000000000 +1100
> @@ -84,7 +84,7 @@
>  # define RESET_SASLCONN        \
>         do                                                      \
>         {                                                       \
> -               result = reset_saslconn(&conn, AuthRealm, remoteip, \
> +               result = reset_saslconn(&conn, hostname, remoteip, \
>                                         localip, auth_id, &ext_ssf); \
>                 if (result != SASL_OK)                          \
>                         sasl_ok = false;                        \
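Review bot: `AuthRealm` disappears from the RESET_SASLCONN call but is still relied on inside reset_saslconn (third hunk) as a global, so the macro's result now depends on state it no longer names. Either pass the realm explicitly, e.g. `result = reset_saslconn(&conn, hostname, AuthRealm, remoteip, \` with a matching change to the function's parameter list, or add a comment at the macro saying the realm is taken from the AuthRealm option. Also confirm that `hostname` is in scope and initialised at every expansion site of the macro; the hunk only shows the definition, not the call sites.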
> @@ -761,8 +761,8 @@
>         if (sasl_ok)
>         {
>  # if SASL >= 20000
> -               result = sasl_server_new("smtp", AuthRealm, NULL, NULL,
> NULL,
> -                                        NULL, 0, &conn);
> +               result = sasl_server_new("smtp", hostname, AuthRealm, NULL,
> +                                        NULL, NULL, 0, &conn);
>  # elif SASL > 10505
>                 /* use empty realm: only works in SASL > 1.5.5 */
>                 result = sasl_server_new("smtp", AuthRealm, "", NULL, 0,
> &conn);
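Review bot: the argument swap is the substance of the fix and should be spelled out in the commit message: with Cyrus SASL 2 the second parameter of sasl_server_new is the server FQDN and the third the user realm, so the old call passed `AuthRealm` as the FQDN and no user realm at all, while the new call passes `hostname` as the FQDN and `AuthRealm` as the realm. Two checks: `hostname` must be non-NULL at this point, because the FQDN is what mechanisms such as GSSAPI use to select the service principal, and the `# elif SASL > 10505` branch directly below still calls `sasl_server_new("smtp", AuthRealm, "", NULL, 0, &conn)`, so SASL 1.x builds keep the old behaviour; either patch that branch the same way or state that only SASL 2 is covered.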
> @@ -5027,7 +5027,7 @@
>
>         sasl_dispose(conn);
>  # if SASL >= 20000
> -       result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
> +       result = sasl_server_new("smtp", hostname, AuthRealm, NULL, NULL,
>                                  NULL, 0, conn);
>  # elif SASL > 10505
>         /* use empty realm: only works in SASL > 1.5.5 */
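Review bot: reset_saslconn receives `hostname` as a parameter but now reads `AuthRealm` from the global set by the AuthRealm option, so a caller can never supply a different realm; pass it as a parameter for symmetry with `hostname`, or document the dependency in the function comment. Separately, the scope of the patch for this thread should be stated: all three hunks touch only the SASL connection setup (the FQDN and user-realm arguments of sasl_server_new), which affects the identity SMTP AUTH produces; none of them touch how sendmail builds the sender from the local user name, which is where the quoted log ("HPRS\\mark set sender to @ohprs.org using -r") shows the DOMAIN\user problem occurring, so applying it will not by itself change the HPRS\mark sender address.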
>
>
> On 22 July 2016 at 06:32, Mark Foley <mfoley at ohprs.org> wrote:
>
> > Thanks Mike. I'll investigate sssd although it shouldn't be too hard to have sendmail rewrite
> > the userID to remove the domain. I'm investigating this now and will post results.
> >
> > --Mark
> >
> > -----Original Message-----
> > > From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> > > Date: Thu, 21 Jul 2016 12:30:19 -0400
> > > Subject: Re: [Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
> > > To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> > >
> > > Hi Mark,
> > >
> > > I've had the same trouble with the DOMAIN\user on my DCs, and as Rowland
> > > has already pointed out, the "winbind use default domain = yes" configure
> > > option is not honored on a DC. My guess is that it is because a Samba DC can
> > > only be a DC for one domain, so that is why it isn't honored. If I do
> > > "getent passwd username" on my DCs, they all return
> > > "DOMAIN\username:*:uidNumber:gidNumber:User Name:/home/DOMAIN/username:/login/shell"
> > > which is the same thing as "getent passwd 'DOMAIN\username'" returns. So you
> > > can probably change the configuration of sendmail to drop the "DOMAIN\" from
> > > the start of the username, although I'm not sure how to do that. The other
> > > option would be to not use winbind, and to instead use sssd. I've not tried
> > > this on a DC, but I can't see why it wouldn't work. You would have to remove
> > > winbind from your nsswitch config and add the sssd entries. Mine looks like
> > > this on my domain members:
> > >
> > >
> > > # /etc/nsswitch.conf
> > > #
> > > # Example configuration of GNU Name Service Switch functionality.
> > > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > > # `info libc "Name Service Switch"' for information about this file.
> > >
> > > passwd:         compat sss
> > > group:          compat sss
> > > shadow:         compat sss
> > > gshadow:        files
> > >
> > > hosts:          files dns
> > > networks:       files
> > >
> > > protocols:      db files
> > > services:       db files sss
> > >
> > > ethers:         db files
> > > rpc:            db files
> > >
> > > netgroup:       nis sss
> > > sudoers:        files sss
> > >
> > >
> > > My /etc/sssd/sssd.conf looks like this:
> > >
> > >
> > > [sssd]
> > > services = nss, pam
> > > config_file_version = 2
> > > domains = AD.REALM
> > >
> > > [domain/AD.REALM]
> > > id_provider = ad
> > > auth_provider = ad
> > > access_provider = ad
> > > chpass_provider = ad
> > >
> > > # Set to false if you want to use POSIX UIDs and GIDs set on the AD side
> > > ldap_id_mapping = False
> > >
> > > # Note that enabling enumeration will have a moderate performance impact.
> > > # Consequently, the default value for enumeration is FALSE.
> > > # Refer to the sssd.conf man page for full details.
> > > enumerate = true
> > >
> > > # Allow offline logins by locally storing password hashes (default: false).
> > > #cache_credentials = true
> > >
> > >
> > > This might be easier than trying to change the sendmail configuration or
> > > figuring out the "the idiosyncrasies in the winbindd configuration on the
> > > Active Directory Domain Controller" as described on the Samba wiki
> > > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction
> > >
> > > Mike E.
> > >
> > >
> > > On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org> wrote:
> > >
> > > > > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > > > > From: Rowland penny <rpenny at samba.org>
> > > > > On 21/07/16 06:08, Mark Foley wrote:
> > > > > > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
> > > > > >
> > > > > > passwd: compat winbind
> > > > > > group: compat winbind
> > > > > >
> > > > > > I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get
> > > > > > the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh
> > > > > > well.
> > > > > >
> > > > > > And, it started working ... sort of. Email to that user was delivered OK; meaning
> > > > > > sendmail/procmail were able to find the right IMAP folder to deliver mail.
> > > > > >
> > > > > > However, email from that sender is not working and I'm sure one of you geniuses can set me
> > > > > > straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
> > > > > >
> > > > > > $ getent passwd mark
> > > > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > > > >
> > > > > > ... and after the changes:
> > > > > >
> > > > > > $ getent passwd mark
> > > > > > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
> > > > >
> > > > > OK, you are running into one of the problems of using a DC as a
> > > > > fileserver here, the only RFC2307 attributes used from AD are
> > > > > 'uidNumber' & 'gidNumber'. You can get around the users home placement
> > > > > and shell with a couple of lines in smb.conf:
> > > > >
> > > > >          template homedir = /home/%U
> > > > >          template shell = /bin/bash
> > > > >
> > > > > Restart Samba
> > > > >
> > > > > There is another line, which works on a domain member:
> > > > >
> > > > >      winbind use default domain = yes
> > > > >
> > > > > This (on a domain member) removes the NetBIOS domain name, but it
> > > > > doesn't seem to work on an AD DC.
> > > > >
> > > > > Rowland
> > > >
> > > > Actually, the homedir is fine, though that's a good setting to know. I did add the "template
> > > > shell" and that worked, but I don't really care about the shell (yet) since this is not a
> > > > computer people log onto.
> > > >
> > > > Anyway, the problem is that getent is apparently returning HPRS\mark as the user to sendmail,
> > > > and sendmail is constructing the outgoing email address as HPRS\mark at ohprs.org -- which is bad.
> > > >
> > > > I already have "winbind use default domain = yes".
> > > >
> > > > Maybe I need a rewrite rule in sendmail.
> > > >
> > > > btw - I've changed the subject line. This is not about gssapi/kerberos.
> > > >
> > > > --Mark
> > > >
> > > > > >
> > > > > > See the difference? And here are a few mail log messages:
> > > > > >
> > > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> > > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> > > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
> > > > > >
> > > > > > Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address
> > > > > > ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
> > > > > >
> > > > > > Any ideas how to fix that?
> > > > > >
> > > > > > I'll check with the sendmail people also.
> > > > > >
> > > > > > Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which
> > > > > > should make Rowland happy!
> > > > > >
> > > > > > --Mark
> > > > > >
> > > > > >
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > >
> >



