• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 129
  • Last Modified:

sendmail - How to remove AD domain name from email userId

I'm trying to switch sendmail (v. 8.14.9) to use Active Directory authentication on my Slackware64 14.1 mail server. I changed /etc/nsswitch.conf to:

passwd: compat winbind
group: compat winbind

I.e., I added windbind. To test, I remove user 'mark' from /etc/passwd. Before removing 'mark', `getent passwd mark` gave me:

mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

after the change I get:

HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

Now, when this user tries to send an email, I get maillog errors like:
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",

Open in new window

Basically, sendmail is now trying to send as user HPRS\mark@ohprs.org:
   ----- The following addresses had permanent fatal errors -----
HPRS\mark@ohprs.org
    (reason: 550 5.1.1 <HPRS\mark@ohprs.org>... User unknown)
    (expanded from: HPRS\mark@ohprs.org)

Open in new window


Is there a way to make sendmail ignore the domain part of the userId?
0
jmarkfoley
Asked:
jmarkfoley
  • 5
  • 5
1 Solution
 
arnoldCommented:
One way is to configure winbind to presume the AD domain such that mark will tested against both winbind and on failure against local password file.

Presumably your sendmail config uses %u I am not sufficiently familiar with sendmail on whether there is an alternate way to reference the user or stripping out the realm.
The earlier suggestion would reduce the sendmail config through not requiring the differentiation by user entry of a local versus ad based user accounts.
0
 
jmarkfoleyAuthor Commented:
arnold:
One way is to configure winbind to presume the AD domain such that mark will tested against both winbind and on failure against local password file.
The idea is to not have domain users in the local password file.

I'm *sure* someone out there knows how to rewrite the username in sendmail to strip the domain portion.
0
 
arnoldCommented:
Took at /etc/samba/smb.conf
There is a portion that deals whether the realm/domain in your case HPRS will be presumed.

After the change, see if you can login by using just the username from an AD account to authenticate where there is no corresponding local account.

I.e. AD User somejoe that does not exists in /etc/passwd.
After the change a login with somejoe and password, will be authenticated and authorized against the AD.
Once this works, there will not be a HPRS\ reference in the %u portion of the sendmail email handling.

The more complicated option deals with adjusting/working with sendmail to configure it to query the AD/LDAP structure to convert/pull the email address rather than using the default %u@%d.....
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
jmarkfoleyAuthor Commented:
arnold:
After the change, see if you can login by using just the username from an AD account ...
What change to smb.conf are you suggesting? If your talking about

winbind use default domain = yes

I currently have that set as above. My smb.conf:
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

    winbind use default domain = yes
    template shell = /bin/bash

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log level = 2 passdb:5 auth:10 winbind:2 lanman:10
    max log size = 1000


[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

[share]
    path = /var/lib/samba/share
    comment = Shared folder
    read only = No

Open in new window

0
 
arnoldCommented:
You have it set:
Winbind use default domain = true

If you only use , the username without the HPRS prefix, does the system authenticate the user in??

Look at the samba log to see what is happening.
0
 
jmarkfoleyAuthor Commented:
According to the Samba maillist, "the 'winbind use default domain = yes' configure option is not honored on a DC."

On the DC `getent passwd user` returns DOMAIN\username. On a domain member it returns just username, as expected. Perhaps a bug in Samba. The list respondent suggests configuring sendmail to drop the "DOMAIN\" bit.

If you only use , the username without the HPRS prefix, does the system authenticate the user in??

Not sure where you are talking about doing this? Logging in? Sendmail?
0
 
arnoldCommented:
You have to look at the sendmail.mc sendmail.cf to see the user definition.

I am not loo familiar with sendmail to assist you specifically/directly.

I
0
 
arnoldCommented:
The setting might deal with the email client used to transmit/generate the message.
0
 
jmarkfoleyAuthor Commented:
Well, believe it or not ... it just started working! Perhaps I didn't restart sendmail, or samba, or both. I thought I did, but perhaps not. Anyway. It just works. I didn't have to do anything special.
0
 
jmarkfoleyAuthor Commented:
thanks for hanging in there!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now