Data Control Systems - Mike Elkevizth
2016-Jul-21 16:30 UTC
[Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
Hi Mark,

I've had the same trouble with the DOMAIN\user on my DCs, and as Rowland has already pointed out, the "winbind use default domain = yes" configure option is not honored on a DC. My guess is that is because a Samba DC can only be a DC for one domain, so that is why it isn't honored. If I do "getent passwd username" on my DCs, they all return "DOMAIN\username:*:uidNumber:gidNumber:User Name:/home/DOMAIN/username:/login/shell" which is the same thing as "getent passwd 'DOMAIN\username'" returns. So you can probably change the configuration of sendmail to drop the "DOMAIN\" from the start of the username, although I'm not sure how to do that. The other option would be to not use winbind, and to instead use sssd. I've not tried this on a DC, but I can't see why it wouldn't work. You would have to remove winbind from your nsswitch config and add the sssd entries. Mine looks like this on my domain members:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files sss

ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

My /etc/sssd/sssd.conf looks like this:

[sssd]
services = nss, pam
config_file_version = 2
domains = AD.REALM

[domain/AD.REALM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

# Set to false if you want to use POSIX UIDs and GIDs set on the AD side
ldap_id_mapping = False

# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true

# Allow offline logins by locally storing password hashes (default: false).
#cache_credentials = true

This might be easier than trying to change the sendmail configuration or figuring out "the idiosyncrasies in the winbindd configuration on the Active Directory Domain Controller" as described on the Samba wiki https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction

Mike E.

On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org> wrote:
> > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > From: Rowland penny <rpenny at samba.org>
> > On 21/07/16 06:08, Mark Foley wrote:
> > > OK! I deleted the /etc/passwd entry for user mark and I modified my /etc/nsswitch.conf to:
> > >
> > > passwd: compat winbind
> > > group: compat winbind
> > >
> > > I couldn't get sendmail working with this at first -- I didn't know what to [re]start to get the new nsswitch config to take, so I rebooted. Probably I just had to restart sendmail, but oh well.
> > >
> > > And, it started working ... sort of. Email to that user was delivered OK; meaning sendmail/procmail were able to find the right IMAP folder to deliver mail.
> > >
> > > However, email from that sender is not working and I'm sure one of you geniuses can set me straight. Here's my getent before deleting the /etc/passwd entry and before nsswitch changes:
> > >
> > > $ getent passwd mark
> > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > >
> > > ... and after the changes:
> > >
> > > $ getent passwd mark
> > > HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false
> >
> > OK, you are running into one of the problems of using a DC as a fileserver here, the only RFC2307 attributes used from AD are 'uidNumber' & 'gidNumber'. You can get around the users home placement and shell with a couple of lines in smb.conf:
> >
> > template homedir = /home/%U
> > template shell = /bin/bash
> >
> > Restart Samba
> >
> > There is another line, which works on a domain member:
> >
> > winbind use default domain = yes
> >
> > This (on a domain member) removes the NetBIOS domain name, but it doesn't seem to work on an AD DC.
> >
> > Rowland
>
> Actually, the homedir is fine, though that's a good setting to know. I did add the "template shell" and that worked, but I don't really care about the shell (yet) since this is not a computer people log onto.
>
> Anyway, the problem is that getent is apparently returning HPRS\mark as the user to sendmail, and sendmail is constructing the outgoing email address as HPRS\mark at ohprs.org -- which is bad.
>
> I already have "winbind use default domain = yes".
>
> Maybe I need a rewrite rule in sendmail.
>
> btw - I've changed the subject line. This is not about gssapi/kerberos.
>
> --Mark
>
> > > See the difference? And here are a few mail log messages:
> > >
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ ohprs.org using -r
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
> > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
> > >
> > > Notice that it is now getting the userID as "HPRS\mark", i.e. domain\user, and the from address ends up being HPRS\mark at ohprs.org, which sendmail is not handling well.
> > >
> > > Any ideas how to fix that?
> > >
> > > I'll check with the sendmail people also.
> > >
> > > Almost there! When I get this sorted out, I can remove my AD users from /etc/passwd which should make Roland happy!
> > >
> > > --Mark
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
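An added check, not code from this thread or from Samba, that demonstrates the failure Mike and Mark describe: it parses getent-style passwd lines, flags pw_name values that carry a NetBIOS domain prefix, and shows that the address an MTA builds from such a name is not a valid unquoted SMTP local-part while the domain-stripped form is. The sample lines are constructed from the two getent lines quoted above; the backslash separator is assumed to be Samba's default 'winbind separator'.

```python
"""Audit NSS passwd entries for NetBIOS-domain-qualified user names.

Added example for this thread, not code from the list or from Samba:
when winbind on a Samba AD DC returns "DOMAIN\\user" as pw_name, an MTA
that builds the sender address from pw_name ends up with a local-part
containing a backslash (HPRS\\mark@ohprs.org in the thread), which
sendmail refused with "User address required". This script parses
getent-style lines, flags the qualified names and shows the bare name
an MTA would need instead.
"""
import re

# Local-parts built only from RFC 5321 "atext" characters need no quoting
# (approximation: dot placement rules are not enforced). Backslash is not
# atext, so DOMAIN\user cannot stand unquoted in an SMTP address.
_ATEXT_LOCAL_PART = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")

# Separator between domain and user in winbind output. A single backslash
# is the default of the smb.conf 'winbind separator' option (assumption:
# the option was left at its default).
WINBIND_SEPARATOR = "\\"

# Constructed sample in getent(1) format, modelled on the two lines quoted
# in the thread (before and after switching nsswitch to winbind).
SAMPLE_GETENT = (
    "mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash\n"
    "HPRS\\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false\n"
    "root:x:0:0:root:/root:/bin/bash\n"
)


def parse_passwd(text):
    """Parse getent passwd output into dicts with the seven passwd fields."""
    keys = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entry = dict(zip(keys, fields))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def split_domain(pw_name, separator=WINBIND_SEPARATOR):
    """Return (domain, user); domain is None for a plain, unqualified name."""
    domain, sep, user = pw_name.partition(separator)
    if not sep:
        return None, pw_name
    return domain, user


def is_valid_local_part(local_part):
    """True if local_part can appear unquoted in an SMTP address."""
    return bool(_ATEXT_LOCAL_PART.match(local_part))


def audit(getent_output, mail_domain, separator=WINBIND_SEPARATOR):
    """For each entry report the address an MTA would build from pw_name,
    whether that address is usable, and the domain-stripped alternative."""
    report = []
    for entry in parse_passwd(getent_output):
        domain, user = split_domain(entry["name"], separator)
        report.append({
            "pw_name": entry["name"],
            "netbios_domain": domain,
            "naive_address": "%s@%s" % (entry["name"], mail_domain),
            "naive_ok": is_valid_local_part(entry["name"]),
            "stripped_address": "%s@%s" % (user, mail_domain),
            "stripped_ok": is_valid_local_part(user),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_GETENT, "ohprs.org"):
        status = "ok" if row["naive_ok"] else "INVALID, use " + row["stripped_address"]
        print("%-12s %-24s %s" % (row["pw_name"], row["naive_address"], status))
```

Running it against real `getent passwd` output before switching nsswitch to winbind tells you which accounts an MTA or any other pw_name consumer will mishandle.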
Mark Foley
2016-Jul-21 20:32 UTC
[Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
Thanks Mike. I'll investigate sssd although it shouldn't be too hard to have sendmail rewrite the userID to remove the domain. I'm investigating this now and will post results.

--Mark

-----Original Message-----
> From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> Date: Thu, 21 Jul 2016 12:30:19 -0400
> Subject: Re: [Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>
> [...]
Mike,

If the DC returns "DOMAIN\username", but domain members (correctly?) return just "username", is this a bug in the DC? Is there some reason the DC essentially ignores the "winbind use default domain = yes" and returns DOMAIN\username? It would seem to me that sendmail would not be the only program stumbling on this.

--Mark

-----Original Message-----
> From: Data Control Systems - Mike Elkevizth <mike at datacontrolsystems.com>
> Date: Thu, 21 Jul 2016 12:30:19 -0400
> Subject: Re: [Samba] sendmail getting domain\user as email userId [formerly: How to GSSAPI/Kerberos authenticate with Dovecot]
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>
> [...]
Dewayne,

Thanks a lot for this patch. I'll hang on to it and probably do some experimenting on the side. The problem with this approach is that our AD/DC/Mail-server is in an office and I have to be concerned about future sysadmins as well as future sendmail updates. I am very reluctant to patch OS software, especially if other solutions are available. At worst, I can drop back and remove winbind from nsswitch.conf on the AD and put the user back in /etc/passwd. That's how I've been running for nearly 2 years and it's worked just fine. I was hoping to eliminate dual-entries for users in AD and passwd, but that's easier for someone to sort out than a patch.

What I'd really like is a sendmail rule that would simply strip the "HPRS\" bit off the front of the username token. It seems like a rather simple rule (if there are such things in sendmail!), but I've found nothing so far and no feedback from expert sites. I could put this rule in my .mc file so it would be both documented and be independent of sendmail program updates.

I subscribed to the sendmail-announce at lists.sendmail.org maillist but the moderator hasn't even "approved" my initial post yet. It might be a dead list.

Any ideas on resources for this?

--Mark

-----Original Message-----
From: Dewayne Geraghty <dewaynegeraghty at gmail.com> > Date: Sat, 23 Jul 2016 18:39:32 +1000 > Subject: Re: [Samba] sendmail getting domain\user as email userId [formerly: > How to GSSAPI/Kerberos authenticate with Dovecot] > To: Mark Foley <mfoley at ohprs.org> > > Mark, > We've had this problem with sendmail in 2014. A friend John Marshall > addressed this on FreeBSD. I've included a patch that may assist. The > patch applies cleanly, though with the cut/paste between my ssh session and > this windows client, the spacing may be incorrect. > > This is a known to sendmail bug, but they were unprepared to rectify. > > --- sendmail/srvrsmtp.c.orig 2013-11-23 07:51:56.000000000 +1100 > +++ sendmail/srvrsmtp.c 2014-01-27 17:26:30.000000000 +1100 > @@ -84,7 +84,7 @@ > # define RESET_SASLCONN \ > do \ > { \ > - result = reset_saslconn(&conn, AuthRealm, remoteip, \ > + result = reset_saslconn(&conn, hostname, remoteip, \ > localip, auth_id, &ext_ssf); \ > if (result != SASL_OK) \ > sasl_ok = false; \ > @@ -761,8 +761,8 @@ > if (sasl_ok) > { > # if SASL >= 20000 > - result = sasl_server_new("smtp", AuthRealm, NULL, NULL, > NULL, > - NULL, 0, &conn); > + result = sasl_server_new("smtp", hostname, AuthRealm, NULL, > + NULL, NULL, 0, &conn); > # elif SASL > 10505 > /* use empty realm: only works in SASL > 1.5.5 */ > result = sasl_server_new("smtp", AuthRealm, "", NULL, 0, > &conn); 
> @@ -5027,7 +5027,7 @@ > > sasl_dispose(conn); > # if SASL >= 20000 > - result = sasl_server_new("smtp", hostname, NULL, NULL, NULL, > + result = sasl_server_new("smtp", hostname, AuthRealm, NULL, NULL, > NULL, 0, conn); > # elif SASL > 10505 > /* use empty realm: only works in SASL > 1.5.5 */ > > > On 22 July 2016 at 06:32, Mark Foley <mfoley at ohprs.org> wrote: > > > Thanks Mike. I'll investigate ssd although it shouldn't be too hard to > > have sendmail rewrite > > the userID to remove the domain. I'm investigating this now and will post > > results. > > > > --Mark > > > > -----Original Message----- 
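Review bot: the RESET_SASLCONN macro in the hunk at line 84 now expands to `reset_saslconn(&conn, hostname, remoteip, localip, auth_id, &ext_ssf)`, so `hostname` has to be in scope at every expansion site; a file-scope macro that silently depends on a local of whichever function expands it is fragile, so either make the host a macro parameter or add a comment at the definition saying it may only be used where `hostname` is declared. The argument that used to carry `AuthRealm` now carries the host, and nothing in the description says why; one sentence on what `reset_saslconn` does with its second parameter would let a future maintainer (which is exactly the concern raised in the reply above) judge the change.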
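Review bot: in the hunk at line 761 the `SASL >= 20000` call changes from `sasl_server_new("smtp", AuthRealm, NULL, ...)` to `sasl_server_new("smtp", hostname, AuthRealm, ...)`, so `AuthRealm` moves from the second argument to the third, which the comment on the older branch ("use empty realm") identifies as the realm slot; the `# elif SASL > 10505` branch directly below still passes `AuthRealm` second and is left untouched, so the two builds now treat the realm differently and that branch should get the same treatment or a comment saying it is intentionally unchanged. Because the realm handed to the library governs how authentication ids are interpreted, this affects every authenticated SMTP client and not only the DOMAIN\user case; the posting calls it a known sendmail bug but cites no bug number, so please add the reference, and confirm in testing that a client authenticating with an id outside AuthRealm is still rejected after the change.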
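Review bot: the hunk at line 5027 makes the reconnect path pass `AuthRealm` as the third argument of `sasl_server_new` too, matching the hunk at line 761, which is necessary: a connection reset mid-session must be negotiated with the same realm as the initial one, or a client could be checked against different realm rules before and after a reset. As in the earlier hunk, the `# elif SASL > 10505` branch that follows is not updated; if the older SASL build is unsupported, say so once in the change description rather than leaving the two branches to drift.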