Solved
sendmail - How to remove AD domain name from email userId

Posted on 2016-07-21
Last Modified: 2016-07-28
I'm trying to switch sendmail (v. 8.14.9) to use Active Directory authentication on my Slackware64 14.1 mail server. I changed /etc/nsswitch.conf to:

passwd: compat winbind
group: compat winbind

I.e., I added winbind. To test, I removed user 'mark' from /etc/passwd. Before removing 'mark', `getent passwd mark` gave me:

mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

after the change I get:

HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

Now, when this user tries to send an email, I get maillog errors like:
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",


Basically, sendmail is now trying to send as user HPRS\mark@ohprs.org:
   ----- The following addresses had permanent fatal errors -----
HPRS\mark@ohprs.org
    (reason: 550 5.1.1 <HPRS\mark@ohprs.org>... User unknown)
    (expanded from: HPRS\mark@ohprs.org)

Is there a way to make sendmail ignore the domain part of the userId?
Question by:jmarkfoley
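The thread turns on one detail: on the Samba DC, `getent passwd` now returns the NetBIOS-prefixed name `HPRS\mark`, and sendmail builds the envelope sender from that name unchanged, which is why the maillog shows `HPRS\\mark` (one backslash, escaped by syslog) and `from="HPRS\\\\mark"` (escaped again). The following script is an added example, not code from the question or from any of the commenters; it parses `getent passwd` output and maillog lines of the shape quoted above, strips the domain prefix, and lists the queue IDs where sendmail used a domain-prefixed user. The sample lines are constructed to match the question; the `/` separator and the `envelope_sender` helper are my own assumptions (winbind can be told to use another separator, and the helper only shows what the stripped sender would look like).

```python
import re

# Constructed sample: `getent passwd` output as quoted in the question,
# first from the Samba DC (domain-prefixed), then from a plain domain member.
SAMPLE_GETENT = [
    r"HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false",
    r"mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash",
]

# Constructed maillog lines in the shape of the question's errors. syslog and
# sendmail escape backslashes, so one "\" in the name shows up doubled (or
# quadrupled in the quoted from= field) in the log.
SAMPLE_MAILLOG = [
    r"Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r",
    r"Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required",
    r'Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",',
]

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def split_domain(name):
    """Split 'DOMAIN\\user' into (domain, user); (None, name) if unprefixed.

    Runs of log-escaped backslashes are collapsed to one first. '/' is also
    accepted as separator (assumption: a non-default winbind separator).
    """
    collapsed = re.sub(r"\\\\+", r"\\", name)
    m = re.fullmatch(r"([^\\/]+)[\\/]([^\\/]+)", collapsed)
    if m:
        return m.group(1), m.group(2)
    return None, collapsed


def parse_passwd_line(line):
    """Parse one getent/passwd line; the name field may carry a domain prefix."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"not a passwd line: {line!r}")
    entry = dict(zip(PASSWD_FIELDS, parts))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    entry["domain"], entry["user"] = split_domain(entry["name"])
    return entry


def envelope_sender(name, mail_domain):
    """What sendmail would have sent if the prefix were stripped (assumed helper)."""
    return f"{split_domain(name)[1]}@{mail_domain}"


# The two sendmail log shapes from the question that carry the user name.
AUTH_WARN = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): Authentication-Warning: \S+: "
    r"(?P<user>\S+) set sender to (?P<sender>\S+)"
)
FROM_LINE = re.compile(r'sendmail\[\d+\]: (?P<qid>\S+): from="(?P<user>[^"]*)"')


def find_domain_prefixed_senders(log_lines):
    """Return one finding per maillog line whose sendmail user has a domain prefix."""
    findings = []
    for line in log_lines:
        m = AUTH_WARN.search(line) or FROM_LINE.search(line)
        if not m:
            continue
        domain, user = split_domain(m.group("user"))
        if domain is None:
            continue  # plain local user, nothing to report
        findings.append({
            "qid": m.group("qid"),
            "raw": m.group("user"),
            "domain": domain,
            "user": user,
            "sender": m.groupdict().get("sender"),
        })
    return findings


if __name__ == "__main__":
    for line in SAMPLE_GETENT:
        e = parse_passwd_line(line)
        print(f"{e['name']!r:22} domain={e['domain']!r:8} user={e['user']!r} shell={e['shell']}")
    for f in find_domain_prefixed_senders(SAMPLE_MAILLOG):
        print(f"{f['qid']}: sendmail used {f['raw']!r}; stripped user {f['user']!r}, "
              f"would be {envelope_sender(f['raw'], 'ohprs.org')}")
```

Run against a real `getent passwd` dump and `/var/log/maillog`, the second loop is a quick way to confirm whether the prefix is still leaking into sendmail after a winbind or sendmail restart: no findings means the `%u` sendmail sees is already the bare user name.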
10 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 41723981
One way is to configure winbind to presume the AD domain such that mark will be tested against both winbind and, on failure, against the local password file.

Presumably your sendmail config uses %u. I am not sufficiently familiar with sendmail on whether there is an alternate way to reference the user or to strip out the realm.
The earlier suggestion would reduce the sendmail config through not requiring the differentiation by user entry of a local versus ad based user accounts.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 41724032
arnold:
One way is to configure winbind to presume the AD domain such that mark will be tested against both winbind and, on failure, against the local password file.
The idea is to not have domain users in the local password file.

I'm *sure* someone out there knows how to rewrite the username in sendmail to strip the domain portion.
0
 
LVL 79

Expert Comment

by:arnold
ID: 41724037
Look at /etc/samba/smb.conf
There is a portion that deals with whether the realm/domain, in your case HPRS, will be presumed.

After the change, see if you can login by using just the username from an AD account to authenticate where there is no corresponding local account.

I.e. AD user somejoe that does not exist in /etc/passwd.
After the change a login with somejoe and password, will be authenticated and authorized against the AD.
Once this works, there will not be a HPRS\ reference in the %u portion of the sendmail email handling.

The more complicated option deals with adjusting/working with sendmail to configure it to query the AD/LDAP structure to convert/pull the email address rather than using the default %u@%d.....
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 41724104
arnold:
After the change, see if you can login by using just the username from an AD account ...
What change to smb.conf are you suggesting? If you're talking about

winbind use default domain = yes

I currently have that set as above. My smb.conf:
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

    winbind use default domain = yes
    template shell = /bin/bash

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log level = 2 passdb:5 auth:10 winbind:2 lanman:10
    max log size = 1000


[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

[share]
    path = /var/lib/samba/share
    comment = Shared folder
    read only = No

0
 
LVL 79

Expert Comment

by:arnold
ID: 41726596
You have it set:
Winbind use default domain = true

If you only use the username without the HPRS prefix, does the system authenticate the user?

Look at the samba log to see what is happening.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 41727727
According to the Samba maillist, "the 'winbind use default domain = yes' configure option is not honored on a DC."

On the DC `getent passwd user` returns DOMAIN\username. On a domain member it returns just username, as expected. Perhaps a bug in Samba. The list respondent suggests configuring sendmail to drop the "DOMAIN\" bit.

If you only use the username without the HPRS prefix, does the system authenticate the user?

Not sure where you are talking about doing this? Logging in? Sendmail?
0
 
LVL 79

Expert Comment

by:arnold
ID: 41728076
You have to look at the sendmail.mc sendmail.cf to see the user definition.

I am not too familiar with sendmail to assist you specifically/directly.

I
0
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 41728080
The setting might deal with the email client used to transmit/generate the message.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 41733645
Well, believe it or not ... it just started working! Perhaps I didn't restart sendmail, or samba, or both. I thought I did, but perhaps not. Anyway. It just works. I didn't have to do anything special.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 41733647
thanks for hanging in there!
0
