[Samba] sendmail getting domain\user as email userId

Mark Foley mfoley at ohprs.org
Tue Jul 26 20:43:57 UTC 2016


Well, ladies and gentlemen -- it's now working! Sendmail *is* authenticating with the
nsswitch.conf settings (winbind added):

passwd:         compat winbind
shadow:         compat winbind
group:          compat winbind

and with the AD user REMOVED from /etc/passwd. All is well. I did nothing, no patching of
sendmail, no username rewrite rule in sendmail.[mc|cf]. 

I can't really explain what changed. Perhaps restarting sendmail and/or samba? I don't
remember. I didn't reboot, but samba is automatically stopped/started during a wee-hours daily
backup and is also restarted weekly by logrotate. I did modify /etc/mail/aliases for unrelated
reasons and restarted sendmail thereafter.

I'm guessing that restarting one or both of these programs did the trick. I should follow my
own advice to my users: try rebooting first! It solves a world of problems.

So, Mr. Penny, you will be pleased to know that henceforth I WILL NOT have AD users also in
/etc/passwd (well, except for 2 Outlook stragglers for whom I've not yet figured out how to
dovecot NTLM authenticate ... working on it; unless I can get them to switch to Thunderbird
first!).

I've not checked the documentation, but I would suggest adding the winbind settings to the docs
for the AD/DC setup wiki, if missing.  You explicitly gave me those settings for configuring a
domain member for single-sign-on last year, and I believe you incorporated that info into the
domain member wiki. 

Being able to authenticate *on* the AD/DC does not necessarily imply its use as a file server.
Programs should be able to authenticate when running on the AD/DC.

Thanks!!! --Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 25 Jul 2016 16:59:36 +0100
> Subject: Re: [Samba] sendmail getting domain\user as email userId
>
> On 25/07/16 16:31, Data Control Systems - Mike Elkevizth wrote:
> > Hi Mark,
> >
> > I'm not sure why a DC ignores the "winbind use default domain = yes"
> > setting.  It's not the only setting that a DC ignores and the only real hint
> > of DCs acting weird is the line in the introduction of the wiki about
> > setting Samba up as a DC that calls these "idiosyncrasies in the winbindd
> > configuration on the Active Directory Domain Controller."  Since it seems
> > to be a well known issue, I haven't ever filed a bug report against it.
> > I'm guessing the Samba devs have a reason for these "idiosyncrasies", but
> > maybe it would be worth filing a bug report and that may shed some more
> > light on why it is, or has to be.
>
> There is already a bug report for this: 
> https://bugzilla.samba.org/show_bug.cgi?id=9780
>
> >
> > Being a lowly system admin, I just try to work around the issues I run
> > into, and that's why I suggested using sssd instead of winbind for the user
> > enumeration.  It (sssd) does drop the domain from the username (at least on
> > a member server it does) and so I think it would work for your situation.
>
> This is the only reason I can think of for using sssd.
>
> >
> > Maybe one of the Samba devs can chime in on the "why" things seem to be so
> > different for a DC?
>
> It is just a lack of time and, sorry to say, this isn't a priority.
>
> Rowland
>
> > Mike E.
> >
> >
> >
>
>