On 25/07/16 16:31, Data Control Systems - Mike Elkevizth wrote:
> Hi Mark,
>
> I'm not sure why a DC ignores the "winbind use default domain = yes"
> setting. It's not the only setting that a DC ignores and the only real hint
> of DCs acting weird is the line in the introduction of the wiki about
> setting Samba up as a DC that calls these "idiosyncrasies in the winbindd
> configuration on the Active Directory Domain Controller." Since it seems
> to be a well known issue, I haven't ever filed a bug report against it.
> I'm guessing the Samba devs have a reason for these "idiosyncrasies", but
> maybe it would be worth filing a bug report and that may shed some more
> light on why it is, or has to be.

There is already a bug report for this:
https://bugzilla.samba.org/show_bug.cgi?id=9780

> Being a lowly system admin, I just try to work around the issues I run
> into, and that's why I suggested using sssd instead of winbind for the user
> enumeration. It (sssd) does drop the domain from the username (at least on
> a member server it does) and so I think it would work for your situation.

This is the only reason I can think of for using sssd.

> Maybe one of the Samba devs can chime in on the "why" things seem to be so
> different for a DC?

It is just a lack of time and, sorry to say, this isn't a priority.

Rowland

> Mike E.
Well, ladies and gentlemen -- it's now working! Sendmail *is* authenticating with the
nsswitch.conf settings (winbind added):

passwd: compat winbind
shadow: compat winbind
group: compat winbind

and with the AD user REMOVED from /etc/passwd. All is well. I did nothing, no patching of
sendmail, no username rewrite rule in sendmail.[mc|cf].

I can't really explain what changed. Perhaps restarting sendmail and/or samba? I don't
remember. I didn't reboot, but samba is automatically stopped/started during a wee-hours daily
backup and is also restarted weekly by logrotate. I did modify /etc/mail/aliases for unrelated
reasons and restarted sendmail thereafter.

I'm guessing that restarting one or both of these programs did the trick. I should follow my
own advice to my users: try rebooting first! It solves a world of problems.

So, Mr. Penny, you will be pleased to know that henceforth I WILL NOT have AD users also in
/etc/passwd (well, except for 2 Outlook stragglers for whom I've not yet figured out how to
dovecot NTLM authenticate ... working on it; unless I can get them to switch to Thunderbird
first!).

I've not checked the documentation, but I would suggest adding the winbind settings to the docs
for the AD/DC setup wiki, if missing. You explicitly gave me those settings for configuring a
domain member for single-sign-on last year, and I believe you incorporated that info into the
domain member wiki.

Being able to authenticate *on* the AD/DC does not necessarily imply its use as a file server.
Programs should be able to authenticate when running on the AD/DC.

Thanks!!! --Mark

-----Original Message-----
> To: samba at lists.samba.org
> From: Rowland penny <rpenny at samba.org>
> Date: Mon, 25 Jul 2016 16:59:36 +0100
> Subject: Re: [Samba] sendmail getting domain\user as email userId
>
> On 25/07/16 16:31, Data Control Systems - Mike Elkevizth wrote:
> > Hi Mark,
> >
> > I'm not sure why a DC ignores the "winbind use default domain = yes"
> > setting. It's not the only setting that a DC ignores and the only real hint
> > of DCs acting weird is the line in the introduction of the wiki about
> > setting Samba up as a DC that calls these "idiosyncrasies in the winbindd
> > configuration on the Active Directory Domain Controller." Since it seems
> > to be a well known issue, I haven't ever filed a bug report against it.
> > I'm guessing the Samba devs have a reason for these "idiosyncrasies", but
> > maybe it would be worth filing a bug report and that may shed some more
> > light on why it is, or has to be.
>
> There is already a bug report for this:
> https://bugzilla.samba.org/show_bug.cgi?id=9780
>
> > Being a lowly system admin, I just try to work around the issues I run
> > into, and that's why I suggested using sssd instead of winbind for the user
> > enumeration. It (sssd) does drop the domain from the username (at least on
> > a member server it does) and so I think it would work for your situation.
>
> This is the only reason I can think of for using sssd.
>
> > Maybe one of the Samba devs can chime in on the "why" things seem to be so
> > different for a DC?
>
> It is just a lack of time and, sorry to say, this isn't a priority.
>
> Rowland
>
> > Mike E.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
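The two configuration points Mark settles on above, winbind listed in nsswitch.conf for passwd/shadow/group and no AD user duplicated in /etc/passwd, are easy to audit offline. The following is an added example, not code from the list thread or from the Samba project: it parses a constructed nsswitch.conf and a constructed passwd file, reports which of the three databases lack `winbind`, and flags AD accounts (given in winbind's `DOMAIN\user` form, with the constructed domain name `SAMDOM`) that also have a local entry, since such duplicates are exactly what left sendmail resolving the wrong identity. The `audit` function name and the sample data are assumptions made for this example.

```python
"""Offline audit of winbind NSS wiring and AD/local account duplication.

Added example for the Samba list thread above; not the project's own code.
All inputs are constructed samples so the script runs without a live DC.
"""
import re

# Constructed sample: shadow is missing winbind on purpose.
NSSWITCH_SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     compat winbind
shadow:     compat
group:      compat winbind
hosts:      files dns [NOTFOUND=return]
"""

# Constructed sample /etc/passwd: "mark" also exists in AD (duplicate).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
mark:x:1001:1001:Mark:/home/mark:/bin/bash
jdoe:x:1002:1002:J Doe:/home/jdoe:/bin/bash
"""

# Constructed AD user list in the DOMAIN\user form winbind returns on a DC.
AD_USERS_SAMPLE = ["SAMDOM\\mark", "SAMDOM\\alice"]

# Databases that must consult winbind for programs like sendmail to
# resolve AD users through libnss_winbind.
REQUIRED_DBS = ("passwd", "shadow", "group")


def parse_nsswitch(text):
    """Map each database name to its ordered list of NSS sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        name, _, sources = line.partition(":")
        # Remove action specifiers such as [NOTFOUND=return].
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        dbs[name.strip()] = sources.split()
    return dbs


def missing_winbind(dbs):
    """Return the required databases that do not list winbind."""
    return [db for db in REQUIRED_DBS if "winbind" not in dbs.get(db, [])]


def parse_passwd(text):
    """Return the set of local account names in a passwd-format file."""
    users = set()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7:
            users.add(fields[0])
    return users


def strip_domain(name):
    """Reduce DOMAIN\\user or user@REALM to the bare user name."""
    if "\\" in name:
        return name.rsplit("\\", 1)[1]
    if "@" in name:
        return name.split("@", 1)[0]
    return name


def duplicated_locally(ad_users, local_users):
    """AD users that also have a local /etc/passwd entry."""
    return sorted({strip_domain(u) for u in ad_users
                   if strip_domain(u) in local_users})


def audit(nss_text, passwd_text, ad_users):
    """Run both checks and return the findings as a dict."""
    dbs = parse_nsswitch(nss_text)
    return {
        "missing_winbind": missing_winbind(dbs),
        "duplicated_locally": duplicated_locally(ad_users,
                                                 parse_passwd(passwd_text)),
    }


if __name__ == "__main__":
    # With the samples above: shadow lacks winbind, and "mark" is duplicated.
    print(audit(NSSWITCH_SAMPLE, PASSWD_SAMPLE, AD_USERS_SAMPLE))
```

On a real host the same functions can be fed the contents of `/etc/nsswitch.conf`, `/etc/passwd` and the output of `wbinfo -u`; an empty `missing_winbind` list and an empty `duplicated_locally` list is the state Mark describes as working.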
On 26/07/16 21:43, Mark Foley wrote:
> Well, ladies and gentlemen -- it's now working! Sendmail *is* authenticating with the
> nsswitch.conf settings (winbind added):
>
> passwd: compat winbind
> shadow: compat winbind
> group: compat winbind
>
> and with the AD user REMOVED from /etc/passwd. All is well. I did nothing, no patching of
> sendmail, no username rewrite rule in sendmail.[mc|cf].
>
> I can't really explain what changed. Perhaps restarting sendmail and/or samba? I don't
> remember. I didn't reboot, but samba is automatically stopped/started during a wee-hours daily
> backup and is also restarted weekly by logrotate. I did modify /etc/mail/aliases for unrelated
> reasons and restarted sendmail thereafter.
>
> I'm guessing that restarting one or both of these programs did the trick. I should follow my
> own advice to my users: try rebooting first! It solves a world of problems.
>
> So, Mr. Penny, you will be pleased to know that henceforth I WILL NOT have AD users also in
> /etc/passwd (well, except for 2 Outlook stragglers for whom I've not yet figured out how to
> dovecot NTLM authenticate ... working on it; unless I can get them to switch to Thunderbird
> first!).
>
> I've not checked the documentation, but I would suggest adding the winbind settings to the docs
> for the AD/DC setup wiki, if missing. You explicitly gave me those settings for configuring a
> domain member for single-sign-on last year, and I believe you incorporated that info into the
> domain member wiki.
>
> Being able to authenticate *on* the AD/DC does not necessarily imply its use as a file server.
> Programs should be able to authenticate when running on the AD/DC.
>
> Thanks!!! --Mark
>

Glad to see you got it working :-)

As for the info you would like adding to the wiki, it used to be there, but when the wiki was
re-written, it was removed. The thinking seemed to be, as samba doesn't recommend using the DC
as a fileserver, it shouldn't be there.

Samba has been recommending not using the DC as a fileserver since version 4 was first released,
this was nearly 4 years ago. Perhaps, due to the many changes since the first release, it is
time to reconsider this recommendation.

Rowland