Hello,

Here's my setup:
* Ubuntu 18.04 LTS
* Samba 4.7.6
* Active Directory (provided by Samba)
* Postfix 3.3.0
* Mailutils 3.4

On this machine, my AD usernames are showing in the format
DOMAIN\username

All the machines in the AD have a directive in their /etc/samba/smb.conf file
winbind use default domain = yes
however this doesn't work on this machine acting as the AD-DC, and looking through the mailing list, this is by design, and unlikely to change. (It does work on the workstations where users are just shown as their username).

Having the format DOMAIN\username is making using Postfix / Mailutils very difficult. Originating emails ("From: DOMAIN\username at domain.com") are being rejected by mail relays, and case folding on Postfix means I end up with two mail files for each user in /var/mail (DOMAIN\username and domain\username).

Is there any way to suppress the DOMAIN section of a username on the AD-DC machine? Or an alternative approach to fixing this issue. (I've looked at re-writing in Postfix, and it's ugly).

Thanks
Nick

On 26/05/2020 18:32, Nick Piggott via samba wrote:
> Hello,
>
> Here's my setup:
> * Ubuntu 18.04 LTS
> * Samba 4.7.6
> * Active Directory (provided by Samba)
> * Postfix 3.3.0
> * Mailutils 3.4
>
> On this machine, my AD usernames are showing in the format
> DOMAIN\username
>
> All the machines in the AD have a directive in their /etc/samba/smb.conf file
> winbind use default domain = yes
> however this doesn't work on this machine acting as the AD-DC, and looking
> through the mailing list, this is by design, and unlikely to change. (It
> does work on the workstations where users are just shown as their username).
>
> Having the format DOMAIN\username is making using Postfix / Mailutils very
> difficult. Originating emails ("From: DOMAIN\username at domain.com") are
> being rejected by mail relays, and case folding on Postfix means I end up
> with two mail files for each user in /var/mail (DOMAIN\username and
> domain\username).
>
> Is there any way to suppress the DOMAIN section of a username on the AD-DC
> machine? Or an alternative approach to fixing this issue. (I've looked at
> re-writing in Postfix, and it's ugly).

No, you cannot suppress the domain name; this is one of the reasons we do not recommend using the DC for anything other than authentication. Have you considered running postfix on a Unix domain member (where you can remove the domain name)? This could be in a VM on the DC.

Rowland

Are you using postfix and the ldap extension or pam?

I'm running samba as a DC for my postfix/dovecot server and it's working fine. Double check you're using the right query filter with postfix and dovecot. Some extract the username and append the domain, some require the full domain etc.

On 26/05/2020 18:41, Rowland penny via samba wrote:
> On 26/05/2020 18:32, Nick Piggott via samba wrote:
>> Hello,
>>
>> Here's my setup:
>> * Ubuntu 18.04 LTS
>> * Samba 4.7.6
>> * Active Directory (provided by Samba)
>> * Postfix 3.3.0
>> * Mailutils 3.4
>>
>> On this machine, my AD usernames are showing in the format
>> DOMAIN\username
>>
>> All the machines in the AD have a directive in their /etc/samba/smb.conf file
>> winbind use default domain = yes
>> however this doesn't work on this machine acting as the AD-DC, and looking
>> through the mailing list, this is by design, and unlikely to change. (It
>> does work on the workstations where users are just shown as their username).
>>
>> Having the format DOMAIN\username is making using Postfix / Mailutils very
>> difficult. Originating emails ("From: DOMAIN\username at domain.com") are
>> being rejected by mail relays, and case folding on Postfix means I end up
>> with two mail files for each user in /var/mail (DOMAIN\username and
>> domain\username).
>>
>> Is there any way to suppress the DOMAIN section of a username on the AD-DC
>> machine? Or an alternative approach to fixing this issue. (I've looked at
>> re-writing in Postfix, and it's ugly).
>
> No, you cannot suppress the domain name, this is one of the reasons we
> do not recommend using the DC for anything other than authentication.
> Have you considered running postfix on a Unix domain member (where you
> can remove the domain name), this could be in a VM on the DC.
>
> Rowland

On Tue, 2020-05-26 at 18:32 +0100, Nick Piggott via samba wrote:
> Hello,
>
> Here's my setup:
> * Ubuntu 18.04 LTS
> * Samba 4.7.6
> * Active Directory (provided by Samba)
> * Postfix 3.3.0
> * Mailutils 3.4
>
> On this machine, my AD usernames are showing in the format
> DOMAIN\username
>
> All the machines in the AD have a directive in their /etc/samba/smb.conf file
> winbind use default domain = yes
> however this doesn't work on this machine acting as the AD-DC, and looking
> through the mailing list, this is by design, and unlikely to change. (It
> does work on the workstations where users are just shown as their username).
>
> Having the format DOMAIN\username is making using Postfix / Mailutils very
> difficult. Originating emails ("From: DOMAIN\username at domain.com") are
> being rejected by mail relays, and case folding on Postfix means I end up
> with two mail files for each user in /var/mail (DOMAIN\username and
> domain\username).
>
> Is there any way to suppress the DOMAIN section of a username on the AD-DC
> machine? Or an alternative approach to fixing this issue. (I've looked at
> re-writing in Postfix, and it's ugly).

This is what the "winbind use default domain" option is for.

I'm sorry it isn't working on the AD DC. While written for exactly this purpose, and while popular with administrators, it was horribly unpopular with my fellow developers so the use cases have not been extended.

My best suggestion is a member server. This helps split up the roles better anyway and makes it easier to upgrade the AD DC independently.

Sorry,

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

Hello! Nick Piggott via samba
  On that day it was said...

> Is there any way to suppress the DOMAIN section of a username on the AD-DC
> machine? Or an alternative approach to fixing this issue. (I've looked at
> re-writing in Postfix, and it's ugly).

No. But you can:

1) move these services to samba member servers; note that even Microsoft suggests keeping the AD DC as simple as possible.

2) do a direct LDAP query, not PAM.

--
dott. Marco Gaiarin                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)

Hello,

Thanks Andrew, and to everyone else who made suggestions.

I can understand the rationale behind not enabling default domain on the AD-DC, or running the AD-DC or postfix in a separate VM, but it makes a system more complex to deploy and maintain, particularly in small business environments.

In this situation, I've decided to use postfix address rewrites and hardlinks between mailbox files to work around the issue.

Thanks again for your responses,

Nick

On Tue, 26 May 2020 at 23:31, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2020-05-26 at 18:32 +0100, Nick Piggott via samba wrote:
> > Hello,
> >
> > Here's my setup:
> > * Ubuntu 18.04 LTS
> > * Samba 4.7.6
> > * Active Directory (provided by Samba)
> > * Postfix 3.3.0
> > * Mailutils 3.4
> >
> > On this machine, my AD usernames are showing in the format
> > DOMAIN\username
> >
> > All the machines in the AD have a directive in their /etc/samba/smb.conf file
> > winbind use default domain = yes
> > however this doesn't work on this machine acting as the AD-DC, and looking
> > through the mailing list, this is by design, and unlikely to change. (It
> > does work on the workstations where users are just shown as their username).
> >
> > Having the format DOMAIN\username is making using Postfix / Mailutils very
> > difficult. Originating emails ("From: DOMAIN\username at domain.com") are
> > being rejected by mail relays, and case folding on Postfix means I end up
> > with two mail files for each user in /var/mail (DOMAIN\username and
> > domain\username).
> >
> > Is there any way to suppress the DOMAIN section of a username on the AD-DC
> > machine? Or an alternative approach to fixing this issue. (I've looked at
> > re-writing in Postfix, and it's ugly).
>
> This is what the "winbind use default domain" option is for.
>
> I'm sorry it isn't working on the AD DC. While written for exactly
> this purpose, and while popular with administrators it was horribly
> unpopular with my fellow developers so the use cases have not been
> extended.
>
> My best suggestion is a member server. This helps split up the roles
> better anyway and makes it easier to upgrade the AD DC independently.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       https://samba.org/~abartlet/
> Authentication Developer, Samba Team  https://samba.org
> Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

--
Nick
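
Added example, not part of the thread or of any poster's configuration: a Python audit of the two symptoms described above (DOMAIN\username sender addresses, and one user's mail split across differently cased spool files), which also flags where stripping the prefix would merge a domain user with a local account of the same name. The function names, the sample spool listing and the normalisation rule (drop the prefix, fold case) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of file names as they could appear in /var/mail on the DC.
SAMPLE_SPOOL = [r"DOMAIN\alice", r"domain\alice", r"DOMAIN\bob",
                r"DOMAIN\root", "root"]


def canonical_user(login):
    """Assumed rule: drop an optional 'DOMAIN' + backslash prefix, fold case."""
    return login.rpartition("\\")[2].lower()


def rewrite_sender(address):
    """Turn DOMAIN\\user@example.com into user@example.com."""
    local, at, domain = address.rpartition("@")
    if not at:                      # bare login, no @domain part
        return canonical_user(address)
    return canonical_user(local) + "@" + domain.lower()


def split_mailboxes(spool_names):
    """Map each canonical user to its spool files when there is more than one."""
    groups = defaultdict(list)
    for name in spool_names:
        groups[canonical_user(name)].append(name)
    return {user: sorted(files) for user, files in groups.items()
            if len(files) > 1}


def local_collisions(groups):
    """Users whose group mixes a domain-prefixed file with an unprefixed one.

    Linking or merging these would deliver a domain user's mail into a
    local account's mailbox (or the reverse), so review them by hand.
    """
    return sorted(user for user, files in groups.items()
                  if any("\\" not in f for f in files))


if __name__ == "__main__":
    groups = split_mailboxes(SAMPLE_SPOOL)
    for user, files in groups.items():
        print(f"{user}: {files}")
    print("review before linking:", local_collisions(groups))
```

To audit a real spool, pass `os.listdir("/var/mail")` to `split_mailboxes` instead of the sample list.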