George
2013-Aug-22 22:34 UTC
[Samba] Make Winbind/PAM not return domain part for usernames
Hi! I have a problem involving Samba4, exim4, fetchmail, dovecot and PAM...

I have set up a "maildrop" machine, which fetches mail from an external POP3 server for multiple accounts and then serves them locally via IMAP. On the same machine, I am currently running Samba 4.0.9 over Debian Wheezy. The idea is that fetchmail gets the mail, passes it to exim4, it gets delivered to the "AD user mailbox", and then Dovecot serves them via IMAP, where IMAP authentication is done against Samba AD via PAM.

This had been working fine with Samba 3.x (since all users were in fact Unix users), but since I migrated to 4.x, not that much... The problem comes when I want to do this for new AD users. I have successfully configured PAM authentication through winbind and it works (new AD users can SSH into the machine). Dovecot also takes the PAM authentication and works fine, but the problem is that PAM returns the "username" as "DOMAIN\username" for Dovecot (I can see this in the logs), so Dovecot tries to find the mailbox using that as part of the path. On the other hand, fetchmail (actually the MTA, exim4) locally delivers the mail using "username" (without the domain part) as part of the path. So I end up with fetchmail delivering to, e.g., "/home/mail/foo" and Dovecot trying to fetch from "/home/mail/MYDOMAIN\foo".

What does this have to do with Samba? Well, I *believe* that one "quick and dirty" fix would be to force winbind to always return the AD usernames without the domain part, by using the "winbind use default domain = yes" directive. This is what does not seem to be working. This has already been reported some time ago (bug 9780 <https://bugzilla.samba.org/show_bug.cgi?id=9780>). Is there any workaround for this? Any other suggestions?

I can think of several workarounds that are actually out of the scope of this list (trimming the first characters of the username variable in Dovecot, adding the domain part as part of the hardcoded path in the exim4 config, trying other authentication methods for Dovecot, etc.).

Best regards,
Jorge
Linda W
2013-Aug-22 23:48 UTC
[Samba] Make Winbind/PAM not return domain part for usernames
George wrote:
> Hi! I have a problem involving Samba4, exim4, fetchmail, dovecot and PAM...
>
> I have set up a "maildrop" machine, which fetches mail from an external POP3
> server for multiple accounts and then serves them locally via IMAP. On the
> same machine, I am currently running Samba 4.0.9 over Debian Wheezy. The
> idea is that fetchmail gets the mail, passes it to exim4, gets delivered to
> the "AD user mailbox" and then Dovecot serves them via IMAP, where IMAP
> authentication is done against Samba AD via PAM.
>
> This had been working fine with Samba 3.x (since all users were in fact
> Unix users), but since I migrated to 4.x, not that much... The problem
> comes when I want to do this for new AD users. I have successfully
> configured PAM authentication through winbind and it works (new AD users
> can SSH into the machine). Dovecot also takes the PAM authentication and works
> fine, but the problem is that PAM returns the "username" as
> "DOMAIN\username" for Dovecot (I can see this in the logs), so Dovecot
> tries to find the mailbox using that as part of the path. On the other
> hand, fetchmail (actually the MTA, exim4), locally delivers the mail using
> "username" (without the domain part) as part of the path.
----
Do you have "winbind use default domain" set to true, by any chance? I had problems when that param was set to true. If that param is set to true, then you'll be ID'd as DOM\USER even on the Domain Controller (which isn't how it is on Windows). With that param set to false, then "USER" on the DC == the same user as "DOM\USER" on client (non-DC) machines.

I have a similar setup to you in that I have fetchmail delivering mail to a local user (->user), but when I perform *remote* validation from a client against the DC, the same domain account gets listed as 'DC-DOMNAME\USER'. Now in dovecot, it uses the name that the user's client passes to them. So I configure my Win-email client to use a login of "user", and that's what gets ID'd against PAM (unless you have "winbind use default domain=yes").

The only place that I found that still referenced "Domain\user" was "ssh" from cygwin. On Windows, if I was logged in on my domain account, I was DOM\USER, but if I was on my computer-local account, then I was just "USER" -- USER being relative to the machine you are on. I solved that by entries in /etc/passwd:

    lw:x:5013:201:L A Walsh, Trust Technologies, tlinx.org:/home/lw:/bin/bash
    Bliss\lw:x:5013:201:L A Walsh, Trust Technologies, tlinx.org:/home/lw:/bin/bash
    BLISS\lw:x:5013:201:L A Walsh, Trust Technologies, tlinx.org:/home/lw:/bin/bash

Which usually seems to cover most problems. The key was the use default dom parm -- that needs to be "no" or you will be ID'd as "DOM\USER" -- always -- even on the DC.

----
As for your idea of always stripping the domain?... um ... when I, on a client machine, authenticate against Winbind using my DOM account, that is a different user-id than when I authenticate as the same username but NOT using my domain account. I.e. on a client machine, "user" = 1001 and "dom\user" = 5000; only on the DC does "user" = 5000 = dom\user... So stripping the dom would cause as many or more problems than it fixes.

Check the "winbind use default domain" in your smb.conf and also for dovecot -- check that remote users use "<login>" w/o the domain component.

Not sure if this answers your Q or prob, but it sounded like what I've experienced.... ;-)

against Winbind and am using a domain account -- it returns a different account number than when I am use a
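The two posts together describe one mapping problem: Dovecot receives "DOMAIN\user" from PAM while exim4 delivers to "user", and Linda's reply warns that stripping the domain blindly collapses a local "user" and a domain "DOM\user" into one identity. The following added example (not code from either poster, nor from Samba or Dovecot) normalizes the account name by stripping only the configured default realm and keeping any other realm qualified; MYDOMAIN, /home/mail and the user names are constructed assumptions.

```python
# Added example: map the account name PAM/winbind hands to Dovecot onto the
# bare Unix mailbox name that exim4 delivers to, without blind stripping.
# Only the configured default realm is dropped; another realm stays qualified
# so that "user" and "OTHER\user" never share a mailbox. Values are constructed.
import re
from pathlib import PurePosixPath
from typing import Optional, Tuple

DEFAULT_DOMAIN = "MYDOMAIN"  # assumption: the realm this host is joined to

# A mailbox component must start with an alphanumeric and contain no path
# separators; this also rejects "." and ".." which would leave the base dir.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def split_account(account: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user', 'user@DOMAIN' or 'user' into (domain, user)."""
    if "\\" in account:
        domain, _, user = account.partition("\\")
        return domain, user
    if "@" in account:
        user, _, domain = account.rpartition("@")
        return domain, user
    return None, account


def mailbox_name(account: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Return the Unix name used in the maildir path, or raise ValueError."""
    domain, user = split_account(account)
    if not _NAME_RE.fullmatch(user):
        raise ValueError(f"unsafe user component: {user!r}")
    if domain is None or domain.upper() == default_domain.upper():
        return user  # the realm exim4 already delivers for: strip it
    if not _NAME_RE.fullmatch(domain):
        raise ValueError(f"unsafe domain component: {domain!r}")
    return f"{domain.upper()}+{user}"  # foreign realm: keep it distinct


def accepts(account: str) -> bool:
    """True when the account maps to a mailbox, False when it is rejected."""
    try:
        mailbox_name(account)
        return True
    except ValueError:
        return False


def maildir_path(account: str, base: str = "/home/mail") -> str:
    """Path Dovecot should open; always a direct child of `base`."""
    return str(PurePosixPath(base) / mailbox_name(account))


if __name__ == "__main__":
    for acct in ("MYDOMAIN\\foo", "foo", "foo@mydomain", "OTHER\\foo"):
        print(f"{acct:16} -> {maildir_path(acct)}")
```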