Rowland penny
2016-Jul-21 07:56 UTC
[Samba] How to GSSAPI/Kerberos authenticate with Dovecot [formerly Where is krb5.keytab or equivalent?]
On 21/07/16 06:08, Mark Foley wrote:
> OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
>
> passwd: compat winbind
> group: compat winbind
>
> I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get
> the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh
> well.
>
> And, it started working ... sort of. Email to that user was delivered OK; meaning
> sendmail/procmail were able to find the right IMAP folder to deliver mail.
>
> However, email from that sender is not working and I'm sure one of you geniuses can set me
> straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
>
> $ getent passwd mark
> mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>
> ... and after the changes:
>
> $ getent passwd mark
> HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

OK, you are running into one of the problems of using a DC as a fileserver here; the only RFC2307 attributes used from AD are 'uidNumber' & 'gidNumber'. You can get around the user's home placement and shell with a couple of lines in smb.conf:

template homedir = /home/%U
template shell = /bin/bash

Restart Samba

There is another line, which works on a domain member:

winbind use default domain = yes

This (on a domain member) removes the NetBIOS domain name, but it doesn't seem to work on an AD DC.

Rowland

> See the difference? And here are a few mail log messages:
>
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
>
> Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address
> ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
>
> Any ideas how to fix that?
>
> I'll check with the sendmail people also.
>
> Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which
> should make Rowland happy!
>
> --Mark
Mark Foley
2016-Jul-21 14:48 UTC
[Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
> Date: Thu, 21 Jul 2016 08:56:54 +0100
> From: Rowland penny <rpenny at samba.org>
> On 21/07/16 06:08, Mark Foley wrote:
> > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
> >
> > passwd: compat winbind
> > group: compat winbind
> >
> > I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get
> > the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh
> > well.
> >
> > And, it started working ... sort of. Email to that user was delivered OK; meaning
> > sendmail/procmail were able to find the right IMAP folder to deliver mail.
> >
> > However, email from that sender is not working and I'm sure one of you geniuses can set me
> > straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
> >
> > $ getent passwd mark
> > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> >
> > ... and after the changes:
> >
> > $ getent passwd mark
> > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
>
> OK, you are running into one of the problems of using a DC as a
> fileserver here, the only RFC2307 attributes used from AD are
> 'uidNumber' & 'gidNumber'. You can get around the users home placement
> and shell with a couple of lines in smb.conf:
>
> template homedir = /home/%U
> template shell = /bin/bash
>
> Restart Samba
>
> There is another line, which works on a domain member:
>
> winbind use default domain = yes
>
> This (on a domain member) removes the NetBIOS domain name, but it
> doesn't seem to work on an AD DC.
>
> Rowland

Actually, the homedir is fine, though that's a good setting to know. I did add the "template shell" and that worked, but I don't really care about the shell (yet) since this is not a computer people log onto.

Anyway, the problem is that getent is apparently returning HPRS\mark as the user to sendmail, and sendmail is constructing the outgoing email address as HPRS\mark at ohprs.org -- which is bad.

I already have "winbind use default domain = yes".

Maybe I need a rewrite rule in sendmail.

btw - I've changed the subject line. This is not about gssapi/kerberos.

--Mark

> > See the difference? And here are a few mail log messages:
> >
> > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
> >
> > Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address
> > ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
> >
> > Any ideas how to fix that?
> >
> > I'll check with the sendmail people also.
> >
> > Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which
> > should make Rowland happy!
> >
> > --Mark
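The two getent lines and the three sendmail log lines posted above contain everything needed to see what changed and why the envelope sender broke. The following script is an added example (not code from the thread or from Samba/sendmail); it uses those posted lines as constructed sample input, splits the NetBIOS DOMAIN\ prefix off the name NSS now returns, confirms that uid/gid did not move (if they had, every file the user owns under the home directory and mail spool would have changed hands), and scans the log for senders set by a domain-qualified login. The field names, the `expected_sender` value and the regex are this example's own assumptions, not sendmail's.

```python
import re

# Constructed sample input: the getent output Mark posted before and after
# switching passwd/group to winbind, and the three sendmail log lines.
PASSWD_BEFORE = "mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash"
PASSWD_AFTER = r"HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false"

SENDMAIL_LOG = r"""Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
"""

# Assumed log shape: the Authentication-Warning sendmail emits when an
# authenticated user overrides the sender with -r.
AUTH_WARN = re.compile(
    r"Authentication-Warning: (?P<host>\S+): (?P<user>\S+) set sender to (?P<sender>\S+) using -r"
)


def bare_user(name):
    """Return the user name with any leading DOMAIN\\ prefix removed."""
    return name.rpartition("\\")[2]


def parse_passwd(line):
    """Split a passwd(5) line into its seven fields and separate a NetBIOS
    domain prefix (DOMAIN\\user) from the bare user name."""
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"not a passwd line: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    domain, sep, user = name.rpartition("\\")
    return {
        "name": name,
        "domain": domain if sep else None,
        "user": user,
        "passwd": passwd,
        "uid": int(uid),
        "gid": int(gid),
        "gecos": gecos,
        "home": home,
        "shell": shell,
    }


def compare_identities(before_line, after_line):
    """Return the set of fields whose value differs between two passwd
    lines for the same account. 'uid' and 'gid' must not be in the result,
    or ownership of the user's files no longer matches the account."""
    before, after = parse_passwd(before_line), parse_passwd(after_line)
    return {key for key in before if before[key] != after[key]}


def analyze_sendmail_log(text):
    """Report senders set by a domain-qualified (DOMAIN\\user) login and the
    address sendmail ended up with; an empty local part means the address
    is unusable, which is what the 'User address required' line reflects."""
    findings = []
    for line in text.splitlines():
        match = AUTH_WARN.search(line)
        if not match:
            continue
        # sendmail doubles the backslash when logging, undo that first
        user = match["user"].replace("\\\\", "\\")
        sender = match["sender"]
        local, _, domain = sender.rpartition("@")
        findings.append({
            "user": user,
            "domain_qualified": "\\" in user,
            "bare_user": bare_user(user),
            "sender": sender,
            "empty_local_part": local == "",
            # what the sender should have been, built from the bare name
            "expected_sender": f"{bare_user(user)}@{domain}",
        })
    return findings


if __name__ == "__main__":
    print("changed fields:", sorted(compare_identities(PASSWD_BEFORE, PASSWD_AFTER)))
    for finding in analyze_sendmail_log(SENDMAIL_LOG):
        print(finding)
```

The comparison shows that only the name, password field and shell changed while uid 10001 and gid 10000 stayed put, which is why delivery into the existing mail folders kept working; the log scan isolates the single line where the domain-qualified login produced a sender with no local part.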
Data Control Systems - Mike Elkevizth
2016-Jul-21 16:30 UTC
[Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
Hi Mark,

I've had the same trouble with the DOMAIN\user on my DCs, and as Rowland has already pointed out, the "winbind use default domain = yes" configure option is not honored on a DC. My guess is that is because a Samba DC can only be a DC for one domain, so that is why it isn't honored.

If I do "getent passwd username" on my DCs, they all return "DOMAIN\username:*:uidNumber:gidNumber:User Name:/home/DOMAIN/username:/login/shell" which is the same thing as "getent passwd 'DOMAIN\username'" returns. So you can probably change the configuration of sendmail to drop the "DOMAIN\" from the start of the username, although I'm not sure how to do that.

The other option would be to not use winbind, and to instead use sssd. I've not tried this on a DC, but I can't see why it wouldn't work. You would have to remove winbind from your nsswitch config and add the sssd entries. Mine looks like this on my domain members:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

My /etc/sssd/sssd.conf looks like this:

[sssd]
services = nss, pam
config_file_version = 2
domains = AD.REALM

[domain/AD.REALM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# Set to false if you want to use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = False

# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true

# Allow offline logins by locally storing password hashes (default: false).
#cache_credentials = true

This might be easier than trying to change the sendmail configuration or figuring out "the idiosyncrasies in the winbindd configuration on the Active Directory Domain Controller" as described on the Samba wiki https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction

Mike E.

On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org> wrote:
> > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > From: Rowland penny <rpenny at samba.org>
> > On 21/07/16 06:08, Mark Foley wrote:
> > > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
> > >
> > > passwd: compat winbind
> > > group: compat winbind
> > >
> > > I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get
> > > the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh
> > > well.
> > >
> > > And, it started working ... sort of. Email to that user was delivered OK; meaning
> > > sendmail/procmail were able to find the right IMAP folder to deliver mail.
> > >
> > > However, email from that sender is not working and I'm sure one of you geniuses can set me
> > > straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
> > >
> > > $ getent passwd mark
> > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > >
> > > ... and after the changes:
> > >
> > > $ getent passwd mark
> > > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
> >
> > OK, you are running into one of the problems of using a DC as a
> > fileserver here, the only RFC2307 attributes used from AD are
> > 'uidNumber' & 'gidNumber'. You can get around the users home placement
> > and shell with a couple of lines in smb.conf:
> >
> > template homedir = /home/%U
> > template shell = /bin/bash
> >
> > Restart Samba
> >
> > There is another line, which works on a domain member:
> >
> > winbind use default domain = yes
> >
> > This (on a domain member) removes the NetBIOS domain name, but it
> > doesn't seem to work on an AD DC.
> >
> > Rowland
>
> Actually, the homedir is fine, though that's a good setting to know. I did add the "template
> shell" and that worked, but I don't really care about the shell (yet) since this is not a
> computer people log onto.
>
> Anyway, the problem is that getent is apparently returning HPRS\mark as the user to sendmail,
> and sendmail is constructing the outgoing email address as HPRS\mark at ohprs.org -- which is bad.
>
> I already have "winbind use default domain = yes".
>
> Maybe I need a rewrite rule in sendmail.
>
> btw - I've changed the subject line. This is not about gssapi/kerberos.
>
> --Mark
>
> > > See the difference? And here are a few mail log messages:
> > >
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
> > >
> > > Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address
> > > ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
> > >
> > > Any ideas how to fix that?
> > >
> > > I'll check with the sendmail people also.
> > >
> > > Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which
> > > should make Rowland happy!
> > >
> > > --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
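Mike's suggestion swaps winbind for sssd in nsswitch.conf and keeps `ldap_id_mapping = False` so that sssd uses the uidNumber/gidNumber stored in AD. Those two points are what decide whether the switch is safe: any identity database still listing winbind keeps returning DOMAIN\user, and leaving id mapping at its default would hand the account a generated uid that no longer matches the 10001/10000 winbind returned, so existing home directories and mail folders would belong to nobody. The script below is an added example, not code from the thread or from sssd, and checks both conditions over constructed copies of the nsswitch and sssd configurations posted in this thread (Mark's winbind entries and Mike's sssd ones). The check names and messages are this example's own; the statement that the AD provider defaults `ldap_id_mapping` to true is from sssd's documented behaviour.

```python
import configparser

# Constructed sample input, copied from the thread: Mark's winbind-based
# nsswitch entries, and Mike's sssd-based nsswitch.conf and sssd.conf.
WINBIND_NSSWITCH = """
passwd: compat winbind
group:  compat winbind
"""

SSSD_NSSWITCH = """
# /etc/nsswitch.conf
passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files
netgroup:       nis sss
sudoers:        files sss
"""

SSSD_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = AD.REALM

[domain/AD.REALM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# Set to false if you want to use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = False
enumerate = true
#cache_credentials = true
"""


def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources, dropping
    comments and [STATUS=action] tokens."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        databases[name.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return databases


def parse_sssd(text):
    """sssd.conf is INI-style, so the standard library parser is enough."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def uses_ad_posix_ids(cfg, domain):
    """True when sssd will take uidNumber/gidNumber from AD for this domain.
    With id_provider = ad the option defaults to true (SID-derived ids), so
    an absent key counts as mapping being on."""
    return not cfg.getboolean(f"domain/{domain}", "ldap_id_mapping", fallback=True)


def audit_nsswitch(databases, wanted="sss", unwanted="winbind"):
    """Flag identity databases that still consult winbind or lack sss."""
    findings = []
    for db in ("passwd", "group"):
        sources = databases.get(db, [])
        if unwanted in sources:
            findings.append(f"{db}: still lists {unwanted}; names keep the DOMAIN\\ prefix")
        if wanted not in sources:
            findings.append(f"{db}: does not consult {wanted}; AD users will not resolve")
    return findings


def audit_sssd(cfg):
    """Check every configured domain keeps the AD-side ids and note settings
    with an operational cost."""
    findings = []
    domains = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for name in domains:
        section = f"domain/{name}"
        if not cfg.has_section(section):
            findings.append(f"{section}: listed in [sssd] domains but has no section")
            continue
        if not uses_ad_posix_ids(cfg, name):
            findings.append(f"{section}: ldap_id_mapping is on; uids will not match the AD uidNumber values winbind returned")
        if cfg.getboolean(section, "enumerate", fallback=False):
            findings.append(f"{section}: enumerate = true makes 'getent passwd' list the whole domain (performance cost)")
    return findings


if __name__ == "__main__":
    print("winbind nsswitch:", audit_nsswitch(parse_nsswitch(WINBIND_NSSWITCH)))
    print("sssd nsswitch:", audit_nsswitch(parse_nsswitch(SSSD_NSSWITCH)))
    print("sssd.conf:", audit_sssd(parse_sssd(SSSD_CONF)))
```

Run against Mark's entries the nsswitch audit reports winbind on both passwd and group; Mike's configuration passes it, and the only note from the sssd audit is the enumerate setting Mike's own comment already warns about.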