[Samba] Suppressing DOMAIN on AD-DC Machine

Nick Piggott nick at piggott.eu
Wed May 27 16:37:19 UTC 2020


Hello,

Thanks Andrew, and to everyone else who made suggestions.

I can understand the rationale behind not enabling default domain on the
AD-DC, or running the AD-DC or postfix in a separate VM, but it makes a
system more complex to deploy and maintain, particularly in small business
environments.

In this situation, I've decided to use postfix address rewrites and
hardlinks between mailbox files to work around the issue.

Thanks again for your responses,


Nick


On Tue, 26 May 2020 at 23:31, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2020-05-26 at 18:32 +0100, Nick Piggott via samba wrote:
> > Hello,
> >
> > Here's my setup:
> > * Ubuntu 18.04 LTS
> > * Samba 4.7.6
> > * Active Directory (provided by Samba)
> > * Postfix 3.3.0
> > * Mailutils 3.4
> >
> > On this machine, my AD usernames are showing in the format
> > DOMAIN\username
> >
> > All the machines in the AD have a directive in their
> > /etc/samba/smb.conf file
> > winbind use default domain = yes
> > however this doesn't work on this machine acting as the AD-DC, and
> > looking through the mailing list, this is by design, and unlikely to
> > change. (It does work on the workstations where users are just shown
> > as their username).
> >
> > Having the format DOMAIN\username is making using Postfix / Mailutils
> > very difficult. Originating emails ("From: DOMAIN\username at domain.com")
> > are being rejected by mail relays, and case folding on Postfix means I
> > end up with two mail files for each user in /var/mail (DOMAIN\username
> > and domain\username).
> >
> > Is there any way to suppress the DOMAIN section of a username on the
> > AD-DC machine? Or an alternative approach to fixing this issue. (I've
> > looked at re-writing in Postfix, and it's ugly).
>
> This is what the "winbind use default domain" option is for.
>
> I'm sorry it isn't working on the AD DC.  While written for exactly
> this purpose, and while popular with administrators it was horribly
> unpopular with my fellow developers so the use cases have not been
> extended.
>
> My best suggestion is a member server.  This helps split up the roles
> better anyway and makes it easier to upgrade the AD DC independently.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
>

-- 
Nick
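
An added example, not part of the original thread: a check over mailbox file names for the duplicate-mailbox symptom described in the quoted message (DOMAIN\username and domain\username), plus the accounts that become indistinguishable once an address rewrite strips the DOMAIN\ prefix. The function names and the EXAMPLE sample entries are assumptions made for illustration.

```python
import os
import sys
from collections import defaultdict

# Constructed sample of mailbox file names; EXAMPLE is a placeholder domain.
SAMPLE_SPOOL = ["EXAMPLE\\alice", "example\\alice", "EXAMPLE\\bob",
                "EXAMPLE\\root", "root"]


def split_account(name):
    """Return (domain, user); names without a backslash are local (domain None)."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else (None, name)


def case_split_mailboxes(names):
    """Mailbox names that differ only by case, i.e. one user with two files."""
    groups = defaultdict(set)
    for name in names:
        groups[name.casefold()].add(name)
    return {key: sorted(found) for key, found in groups.items() if len(found) > 1}


def stripped_name_collisions(names):
    """Bare user names that more than one distinct account would map to
    once the DOMAIN\\ prefix is removed (e.g. a domain user and a local user)."""
    owners = defaultdict(set)
    for name in names:
        domain, user = split_account(name)
        owners[user.casefold()].add(domain.casefold() if domain else None)
    return {user: sorted(d or "(local)" for d in doms)
            for user, doms in owners.items() if len(doms) > 1}


if __name__ == "__main__":
    # Pass a spool directory such as /var/mail, or run with no argument
    # to use the constructed sample above.
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SPOOL
    for key, found in sorted(case_split_mailboxes(names).items()):
        print("case-split mailbox:", ", ".join(found))
    for user, doms in sorted(stripped_name_collisions(names).items()):
        print(f"'{user}' is ambiguous without its prefix:", ", ".join(doms))
```

A name reported by the second check means mail for a domain account and a local account of the same name would land in one mailbox after the prefix is stripped.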

