samba - Jul 2016 - sendmail getting domain\user as email userId

Mike,

If the DC returns "DOMAIN\username", but domain members (correctly?)
return just "username", is
this a bug in the DC? Is there some reason the DC essentially ignores the
"winbind use default
domain = yes" and returns DOMAIN\username? It would seem to me that
sendmail would not be the
only program stumbling on this. 

--Mark

-----Original Message-----
> From: Data Control Systems - Mike Elkevizth <mike at
datacontrolsystems.com>
> Date: Thu, 21 Jul 2016 12:30:19 -0400
> Subject: Re: [Samba] sendmail getting domain\user as email userId
[formerly:
>  How to GSSAPI/Kerberos authenticate with Dovecot]
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>
> Hi Mark,
>
> I've had the same trouble with the DOMAIN\user on my DCs, and as
Rowland
> has already pointed out, the "winbind use default domain = yes"
configure
> option is not honored on a DC.  My guess is that is because a Samba DC can
> only be a DC for one domain, so that is why it isn't honored.  If I do
> "getent passwd username" on my DCs, they all return
> "DOMAIN\username:*:uidNumber:gidNumber:User
> Name:/home/DOMAIN/username:/login/shell" which is the same thing as
"getent
> passwd 'DOMAIN\username'" returns.  So you can probably change
the
> configuration of sendmail to drop the "DOMAIN\" from the start of
the
> username, although I'm not sure how to do that.  The other option would
be
> to not use winbind, and to instead use sssd.  I've not tried this on a
DC,
> but I can't see why it wouldn't work.  You would have to remove
winbind
> from your nsswitch config and add the sssd entries.  Mine looks like this
> on my domain members:
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat sss
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files sss
>
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> sudoers:        files sss
>
>
> My /etc/sssd/sssd.conf looks like this:
>
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = AD.REALM
>
> [domain/AD.REALM]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> # Set to false if you want to use POSIX UIDs and GIDs set on the AD side
> ldap_id_mapping = False
>
> # Note that enabling enumeration will have a moderate performance impact.
> # Consequently, the default value for enumeration is FALSE.
> # Refer to the sssd.conf man page for full details.
> enumerate = true
>
> # Allow offline logins by locally storing password hashes (default: false).
> #cache_credentials = true
>
>
> This might be easier than trying to change the sendmail configuration or
> figuring out the "the idiosyncrasies in the winbindd configuration on
the
> Active Directory Domain Controller" as described on the Samba wiki
>
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction
>
> Mike E.
>
>
> On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at ohprs.org>
wrote:
>
> > > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > > From: Rowland penny <rpenny at samba.org>
> > > On 21/07/16 06:08, Mark Foley wrote:
> > > > OK! I deleted the /etc/passwd entry for user mark and I
modified my
> > /etc/nsswitch.conf to:
> > > >
> > > > passwd: compat winbind
> > > > group: compat winbind
> > > >
> > > > I couldn't get sendmail working with this at first -- I
didn't know
> > what to [re]start to get
> > > > the new nsswitch config to take, so I rebooted. Probably I
just had to
> > restart sendmail, but oh
> > > > well.
> > > >
> > > > And, it started working ... sort of. Email to that user was
delivered
> > OK; meaning
> > > > sendmail/procmail were able to find the right IMAP folder to
deliver
> > mail.
> > > >
> > > > However, email from that sender is not working and I'm
sure one of you
> > geniuses can set me
> > > > straight. Here's my getent before deleting the
/etc/passwd entry and
> > before nsswitch changes:
> > > >
> > > > $ getent passwd mark
> > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > >
> > > > ... and after the changes:
> > > >
> > > > $ getent passwd mark
> > > > HPRS\mark:*:10001:10000:Mark
Foley:/home/HPRS/mark:/bin/false
> > >
> > > OK, you are running into one of the problems of using a DC as a
> > > fileserver here, the only RFC2307 attributes used from AD are
> > > 'uidNumber' & 'gidNumber'. You can get around
the users home placement
> > > and shell with a couple of lines in smb.conf:
> > >
> > >          template homedir = /home/%U
> > >          template shell = /bin/bash
> > >
> > > Restart Samba
> > >
> > > There is another line, which works on a domain member:
> > >
> > >      winbind use default domain = yes
> > >
> > > This (on a domain member) removes the NetBIOS domain name, but it
> > > doesn't seem to work on an AD DC.
> > >
> > > Rowland
> >
> > Actually, the homedir is fine, though that's a good setting to
know.  I
> > did add the "template
> > shell" and that worked, but I don't really care about the
shell (yet)
> > since this is not a
> > computer people log onto.
> >
> > Anyway, the problem is that getent is apparently returning HPRS\mark
as
> > the user to sendmail,
> > and sendmail is constructing the outgoing email address as HPRS\
> > mark at ohprs.org -- which is bad.
> >
> > I already have "winbind use default domain = yes".
> >
> > Maybe I need a rewrite rule in sendmail.
> >
> > btw - I've changed the subject line. This is not about
gssapi/kerberos.
> >
> > --Mark
> >
> > > >
> > > > See the difference? And here are a few mail log messages:
> > > >
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> > Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @
> > ohprs.org using -r
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
@ohprs.org...
> > User address required
> > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> > from="HPRS\\\\mark",
> > > >
> > > > Notice that it is now getting the userID as
"HPRS\mark", i.e.
> > domain\user, and the from address
> > > > ends up being HPRS\mark at ohprs.org, which sendmail is not
handling
> > well.
> > > >
> > > > Any ideas how to fix that?
> > > >
> > > > I'll check with the sendmail people also.
> > > >
> > > > Almost there! When I get this sorted out, I can remove my AD
users
> > from /etc/passwd which
> > > > should make Roland happy!
> > > >
> > > > --Mark
> > > >
> > > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 25/07/16 15:22, Mark Foley wrote:
> Mike,
>
> If the DC returns "DOMAIN\username", but domain members
(correctly?) return just "username", is
> this a bug in the DC? Is there some reason the DC essentially ignores the
"winbind use default
> domain = yes" and returns DOMAIN\username? It would seem to me that
sendmail would not be the
> only program stumbling on this.
>
> --Mark
>
>
The problem isn't that the DC returns 'DOMAIN\username' , it is that
adding 'winbind use default domain = yes' to smb.conf on the DC
doesn't
work. Without this line on a domain member, winbind returns the same 
result as on a DC i.e. DOMAIN\username. The further problem is that 
whilst the Samba devs are aware of this, they have other things to 
fix/make work and this comes low down on the scale.

If you can program in 'C', I am sure a Patch to fix your problem would 
be welcomed.

Rowland

Hi Mark,

I'm not sure why a DC ignores the "winbind use default domain =
yes"
setting.  Its not the only setting that a DC ignores and the only real hint
of DCs acting weird is the line in the introduction of the wiki about
setting Samba up as a DC that calls these "idiosyncrasies in the winbindd
configuration on the Active Directory Domain Controller."  Since it seems
to be a well known issue, I haven't ever filed a bug report against it.
I'm guessing the Samba devs have a reason for these
"idiosyncrasies", but
maybe it would be worth filing a bug report and that may shed some more
light on why it is, or has to be.

Being a lowly system admin, I just try to work around the issues I run
into, and that's why I suggested using sssd instead of winbind for the user
enumeration.  It (sssd) does drop the domain from the username (at least on
a member server it does) and so I think it would work for your situation.

Maybe one of the Samba devs can chime in on the "why" things seem to
be so
different for a DC.?

Mike E.


On Mon, Jul 25, 2016 at 10:22 AM, Mark Foley <mfoley at ohprs.org> wrote:
> Mike,
>
> If the DC returns "DOMAIN\username", but domain members
(correctly?)
> return just "username", is
> this a bug in the DC? Is there some reason the DC essentially ignores the
> "winbind use default
> domain = yes" and returns DOMAIN\username? It would seem to me that
> sendmail would not be the
> only program stumbling on this.
>
> --Mark
>
> -----Original Message-----
> > From: Data Control Systems - Mike Elkevizth <mike at
datacontrolsystems.com
> >
> > Date: Thu, 21 Jul 2016 12:30:19 -0400
> > Subject: Re: [Samba] sendmail getting domain\user as email userId
> [formerly:
> >  How to GSSAPI/Kerberos authenticate with Dovecot]
> > To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> >
> > Hi Mark,
> >
> > I've had the same trouble with the DOMAIN\user on my DCs, and as
Rowland
> > has already pointed out, the "winbind use default domain =
yes" configure
> > option is not honored on a DC.  My guess is that is because a Samba DC
> can
> > only be a DC for one domain, so that is why it isn't honored.  If
I do
> > "getent passwd username" on my DCs, they all return
> > "DOMAIN\username:*:uidNumber:gidNumber:User
> > Name:/home/DOMAIN/username:/login/shell" which is the same thing
as
> "getent
> > passwd 'DOMAIN\username'" returns.  So you can probably
change the
> > configuration of sendmail to drop the "DOMAIN\" from the
start of the
> > username, although I'm not sure how to do that.  The other option
would
> be
> > to not use winbind, and to instead use sssd.  I've not tried this
on a
> DC,
> > but I can't see why it wouldn't work.  You would have to
remove winbind
> > from your nsswitch config and add the sssd entries.  Mine looks like
this
> > on my domain members:
> >
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages
installed,
> try:
> > # `info libc "Name Service Switch"' for information
about this file.
> >
> > passwd:         compat sss
> > group:          compat sss
> > shadow:         compat sss
> > gshadow:        files
> >
> > hosts:          files dns
> > networks:       files
> >
> > protocols:      db files
> > services:       db files sss
> >
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup:       nis sss
> > sudoers:        files sss
> >
> >
> > My /etc/sssd/sssd.conf looks like this:
> >
> >
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = AD.REALM
> >
> > [domain/AD.REALM]
> > id_provider = ad
> > auth_provider = ad
> > access_provider = ad
> > chpass_provider = ad
> >
> > # Set to false if you want to use POSIX UIDs and GIDs set on the AD
side
> > ldap_id_mapping = False
> >
> > # Note that enabling enumeration will have a moderate performance
impact.
> > # Consequently, the default value for enumeration is FALSE.
> > # Refer to the sssd.conf man page for full details.
> > enumerate = true
> >
> > # Allow offline logins by locally storing password hashes (default:
> false).
> > #cache_credentials = true
> >
> >
> > This might be easier than trying to change the sendmail configuration
or
> > figuring out the "the idiosyncrasies in the winbindd
configuration on the
> > Active Directory Domain Controller" as described on the Samba
wiki
> >
>
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller#Introduction
> >
> > Mike E.
> >
> >
> > On Thu, Jul 21, 2016 at 10:49 AM Mark Foley <mfoley at
ohprs.org> wrote:
> >
> > > > Date: Thu, 21 Jul 2016 08:56:54 +0100
> > > > From: Rowland penny <rpenny at samba.org>
> > > > On 21/07/16 06:08, Mark Foley wrote:
> > > > > OK! I deleted the /etc/passwd entry for user mark and I
modified my
> > > /etc/nsswitch.conf to:
> > > > >
> > > > > passwd: compat winbind
> > > > > group: compat winbind
> > > > >
> > > > > I couldn't get sendmail working with this at first
-- I didn't know
> > > what to [re]start to get
> > > > > the new nsswitch config to take, so I rebooted.
Probably I just
> had to
> > > restart sendmail, but oh
> > > > > well.
> > > > >
> > > > > And, it started working ... sort of. Email to that user
was
> delivered
> > > OK; meaning
> > > > > sendmail/procmail were able to find the right IMAP
folder to
> deliver
> > > mail.
> > > > >
> > > > > However, email from that sender is not working and
I'm sure one of
> you
> > > geniuses can set me
> > > > > straight. Here's my getent before deleting the
/etc/passwd entry
> and
> > > before nsswitch changes:
> > > > >
> > > > > $ getent passwd mark
> > > > > mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> > > > >
> > > > > ... and after the changes:
> > > > >
> > > > > $ getent passwd mark
> > > > > HPRS\mark:*:10001:10000:Mark
Foley:/home/HPRS/mark:/bin/false
> > > >
> > > > OK, you are running into one of the problems of using a DC
as a
> > > > fileserver here, the only RFC2307 attributes used from AD
are
> > > > 'uidNumber' & 'gidNumber'. You can get
around the users home
> placement
> > > > and shell with a couple of lines in smb.conf:
> > > >
> > > >          template homedir = /home/%U
> > > >          template shell = /bin/bash
> > > >
> > > > Restart Samba
> > > >
> > > > There is another line, which works on a domain member:
> > > >
> > > >      winbind use default domain = yes
> > > >
> > > > This (on a domain member) removes the NetBIOS domain name,
but it
> > > > doesn't seem to work on an AD DC.
> > > >
> > > > Rowland
> > >
> > > Actually, the homedir is fine, though that's a good setting
to know.  I
> > > did add the "template
> > > shell" and that worked, but I don't really care about
the shell (yet)
> > > since this is not a
> > > computer people log onto.
> > >
> > > Anyway, the problem is that getent is apparently returning
HPRS\mark as
> > > the user to sendmail,
> > > and sendmail is constructing the outgoing email address as HPRS\
> > > mark at ohprs.org -- which is bad.
> > >
> > > I already have "winbind use default domain = yes".
> > >
> > > Maybe I need a rewrite rule in sendmail.
> > >
> > > btw - I've changed the subject line. This is not about
gssapi/kerberos.
> > >
> > > --Mark
> > >
> > > > >
> > > > > See the difference? And here are a few mail log
messages:
> > > > >
> > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> > > Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to
@
> > > ohprs.org using -r
> > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
@ohprs.org...
> > > User address required
> > > > > Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987:
> > > from="HPRS\\\\mark",
> > > > >
> > > > > Notice that it is now getting the userID as
"HPRS\mark", i.e.
> > > domain\user, and the from address
> > > > > ends up being HPRS\mark at ohprs.org, which sendmail is
not handling
> > > well.
> > > > >
> > > > > Any ideas how to fix that?
> > > > >
> > > > > I'll check with the sendmail people also.
> > > > >
> > > > > Almost there! When I get this sorted out, I can remove
my AD users
> > > from /etc/passwd which
> > > > > should make Roland happy!
> > > > >
> > > > > --Mark
> > > > >
> > > > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 25/07/16 16:31, Data Control Systems - Mike Elkevizth
wrote:
> Hi Mark,
>
> I'm not sure why a DC ignores the "winbind use default domain =
yes"
> setting.  Its not the only setting that a DC ignores and the only real hint
> of DCs acting weird is the line in the introduction of the wiki about
> setting Samba up as a DC that calls these "idiosyncrasies in the
winbindd
> configuration on the Active Directory Domain Controller."  Since it
seems
> to be a well known issue, I haven't ever filed a bug report against it.
> I'm guessing the Samba devs have a reason for these
"idiosyncrasies", but
> maybe it would be worth filing a bug report and that may shed some more
> light on why it is, or has to be.
There is already a bug report for this: 
https://bugzilla.samba.org/show_bug.cgi?id=9780
>
> Being a lowly system admin, I just try to work around the issues I run
> into, and that's why I suggested using sssd instead of winbind for the
user
> enumeration.  It (sssd) does drop the domain from the username (at least on
> a member server it does) and so I think it would work for your situation.
This is the only reason I can think of for using sssd.
>
> Maybe one of the Samba devs can chime in on the "why" things seem
to be so
> different for a DC.?
It is just a lack time and, sorry to say, this isn't a priority.

Rowland
> Mike E.
>
>
>