[Samba] sendmail getting domain\user as email userId

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Mon Jul 25 15:31:31 UTC 2016


Hi Mark,

I'm not sure why a DC ignores the "winbind use default domain = yes"
setting.  It's not the only setting that a DC ignores and the only real hint
of DCs acting weird is the line in the introduction of the wiki about
setting Samba up as a DC that calls these "idiosyncrasies in the winbindd
configuration on the Active Directory Domain Controller."  Since it seems
to be a well known issue, I haven't ever filed a bug report against it.
I'm guessing the Samba devs have a reason for these "idiosyncrasies", but
maybe it would be worth filing a bug report and that may shed some more
light on why it is, or has to be.

Being a lowly system admin, I just try to work around the issues I run
into, and that's why I suggested using sssd instead of winbind for the user
enumeration.  It (sssd) does drop the domain from the username (at least on
a member server it does) and so I think it would work for your situation.

Maybe one of the Samba devs can chime in on the "why" things seem to be so
different for a DC?

Mike E.


On Mon, Jul 25, 2016 at 10:22 AM, Mark Foley <mfoley at ohprs.org> wrote:

> Mike,
>
> If the DC returns "DOMAIN\username", but domain members (correctly?)
> return just "username", is this a bug in the DC? Is there some reason
> the DC essentially ignores the "winbind use default domain = yes" and
> returns DOMAIN\username? It would seem to me that sendmail would not be
> the only program stumbling on this.
>
> --Mark
>
> -----Original Message-----
> > From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> > Date: Thu, 21 Jul 2016 12:30:19 -0400
> > Subject: Re: [Samba] sendmail getting domain\user as email userId
> >  [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
> > To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> >
> > Hi Mark,
> >
> > I've had the same trouble with the DOMAIN\user on my DCs, and as Rowland
> > has already pointed out, the "winbind use default domain = yes" configure
> > option is not honored on a DC.  My guess is that is because a Samba DC can
> > only be a DC for one domain, so that is why it isn't honored.  If I do
> > "getent passwd username" on my DCs, they all return
> > "DOMAIN\username:*:uidNumber:gidNumber:User Name:/home/DOMAIN/username:/login/shell"
> > which is the same thing as "getent passwd 'DOMAIN\username'" returns.  So
> > you can probably change the configuration of sendmail to drop the
> > "DOMAIN\" from the start of the username, although I'm not sure how to do
> > that.  The other option would be to not use winbind, and to instead use
> > sssd.  I've not tried this on a DC, but I can't see why it wouldn't work.
> > You would have to remove winbind from your nsswitch config and add the
> > sssd entries.  Mine looks like this on my domain members:
> >
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd:         compat sss
> > group:          compat sss
> > shadow:         compat sss
> > gshadow:        files
> >
> > hosts:          files dns
> > networks:       files
> >
> > protocols:      db files
> > services:       db files sss
> >
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis sss
> > sudoers:        files sss
> >
> >
> > My /etc/sssd/sssd.conf looks like this:
> >
> >
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = AD.REALM
> >
> > [domain/AD.REALM]
> > id_provider = ad
> > auth_provider = ad
> > access_provider = ad
> > chpass_provider = ad
> >
> > # Set to false if you want to use POSIX UIDs and GIDs set on the AD side
> > ldap_id_mapping = False
> >
> > # Note that enabling enumeration will have a moderate performance impact.
> > # Consequently, the default value for enumeration is FALSE.
> > # Refer to the sssd.conf man page for full details.
> > enumerate = true
> >
> > # Allow offline logins by locally storing password hashes (default: false).
> > #cache_credentials = true
> >
> >
> > This might be easier than trying to change the sendmail configuration or
> > figuring out "the idiosyncrasies in the winbindd configuration on the
> > Active Directory Domain Controller" as described on the Samba wiki
> > https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction
> >
> > Mike E.
> >
> >
> > On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org> wrote:
> >
> > > > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > > > From: Rowland penny <rpenny at samba.org>
> > > > On 21/07/16 06:08, Mark Foley wrote:
> > > > > OK! I deleted the /etc/passwd entry for user mark and I modified my
> > > > > /etc/nsswitch.conf to:
> > > > >
> > > > > passwd: compat winbind
> > > > > group: compat winbind
> > > > >
> > > > > I couldn't get sendmail working with this at first -- I didn't know
> > > > > what to [re]start to get the new nsswitch config to take, so I
> > > > > rebooted. Probably I just had to restart sendmail, but oh well.
> > > > >
> > > > > And, it started working ... sort of. Email to that user was delivered
> > > > > OK; meaning sendmail/procmail were able to find the right IMAP folder
> > > > > to deliver mail.
> > > > >
> > > > > However, email from that sender is not working and I'm sure one of
> > > > > you geniuses can set me straight. Here's my getent before deleting
> > > > > the /etc/passwd entry and before nsswitch changes:
> > > > >
> > > > > $ getent passwd mark
> > > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > > >
> > > > > ... and after the changes:
> > > > >
> > > > > $ getent passwd mark
> > > > > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
> > > >
> > > > OK, you are running into one of the problems of using a DC as a
> > > > fileserver here, the only RFC2307 attributes used from AD are
> > > > 'uidNumber' & 'gidNumber'. You can get around the user's home placement
> > > > and shell with a couple of lines in smb.conf:
> > > >
> > > >          template homedir = /home/%U
> > > >          template shell = /bin/bash
> > > >
> > > > Restart Samba
> > > >
> > > > There is another line, which works on a domain member:
> > > >
> > > >      winbind use default domain = yes
> > > >
> > > > This (on a domain member) removes the NetBIOS domain name, but it
> > > > doesn't seem to work on an AD DC.
> > > >
> > > > Rowland
> > >
> > > Actually, the homedir is fine, though that's a good setting to know.  I
> > > did add the "template shell" and that worked, but I don't really care
> > > about the shell (yet) since this is not a computer people log onto.
> > >
> > > Anyway, the problem is that getent is apparently returning HPRS\mark as
> > > the user to sendmail, and sendmail is constructing the outgoing email
> > > address as HPRS\mark at ohprs.org -- which is bad.
> > >
> > > I already have "winbind use default domain = yes".
> > >
> > > Maybe I need a rewrite rule in sendmail.
> > >
> > > btw - I've changed the subject line. This is not about gssapi/kerberos.
> > >
> > > --Mark
> > >
> > > > >
> > > > > See the difference? And here are a few mail log messages:
> > > > >
> > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
> > > > >
> > > > > Notice that it is now getting the userID as "HPRS\mark", i.e.
> > > > > domain\user, and the from address ends up being HPRS\mark at ohprs.org,
> > > > > which sendmail is not handling well.
> > > > >
> > > > > Any ideas how to fix that?
> > > > >
> > > > > I'll check with the sendmail people also.
> > > > >
> > > > > Almost there! When I get this sorted out, I can remove my AD users
> > > > > from /etc/passwd which should make Rowland happy!
> > > > >
> > > > > --Mark
> > > > >
> > > > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
>
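As an added worked example (not code from the thread, and not Samba's, sendmail's or sssd's own), the script below shows concretely what Mark's sendmail is seeing: the NSS passwd record that winbind returns on the DC carries the NetBIOS domain and the separator in the name field, and any program that builds an identifier from that field inherits the backslash. The two sample records are constructed from the getent output quoted above, the mail domain ohprs.org is taken from the thread, and the backslash separator is assumed to be winbind's default "winbind separator".

```python
"""Show how a DOMAIN\\user name returned by winbind through NSS ends up in a
sender address, and how to split it back into domain and bare user.

Added example, not code from the thread or from Samba/sendmail/sssd.
Sample records are constructed from the getent output quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from the thread's getent output: the DC/winbind form and the
# old local /etc/passwd form of the same account.
SAMPLE_GETENT = [
    "HPRS\\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false",
    "mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash",
]

MAIL_DOMAIN = "ohprs.org"  # from the thread

# Assumption: winbind's default 'winbind separator' is a backslash.
DEFAULT_SEPARATOR = "\\"

# A deliberately narrow local-part charset; a separator leaking through
# is exactly the "HPRS\mark at ohprs.org" symptom in the thread.
SAFE_LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd(5) record: name:passwd:uid:gid:gecos:home:shell."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, int(uid), int(gid), gecos, home, shell)


def split_domain(name: str, separator: str = DEFAULT_SEPARATOR) -> tuple[str | None, str]:
    """Return (netbios_domain, bare_user); domain is None for an unqualified name."""
    if separator in name:
        domain, user = name.split(separator, 1)
        return domain, user
    return None, name


def sender_address(entry: PasswdEntry, mail_domain: str, strip_domain: bool) -> str:
    """Build the sender the way an MTA that trusts the NSS name field would."""
    _domain, user = split_domain(entry.name)
    local_part = user if strip_domain else entry.name
    return f"{local_part}@{mail_domain}"


def is_safe_local_part(local_part: str) -> bool:
    """Guard to apply before a script hands an NSS-derived name to mail."""
    return SAFE_LOCAL_PART.match(local_part) is not None


def same_account(a: PasswdEntry, b: PasswdEntry) -> bool:
    """True when two records (e.g. 'user' and 'DOMAIN\\user') are the same
    POSIX identity: same uid, gid and bare user name."""
    return (a.uid, a.gid, split_domain(a.name)[1]) == (b.uid, b.gid, split_domain(b.name)[1])


def main() -> None:
    dc_entry, local_entry = (parse_passwd_line(l) for l in SAMPLE_GETENT)
    for strip in (False, True):
        addr = sender_address(dc_entry, MAIL_DOMAIN, strip_domain=strip)
        verdict = "ok" if is_safe_local_part(addr.split("@")[0]) else "REJECT"
        print(f"strip_domain={strip!s:5} -> {addr:25} [{verdict}]")
    print("same account:", same_account(dc_entry, local_entry))


if __name__ == "__main__":
    main()
```

Running it prints the two sender forms side by side, one rejected and one accepted. The is_safe_local_part check is the kind of guard a mail-handling script should apply before trusting an NSS name, and same_account is the consistency check behind Mike's observation that "getent passwd username" and "getent passwd 'DOMAIN\username'" return the same record on his DCs.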