Solved

sendmail - How to remove AD domain name from email userId

Posted on 2016-07-21
Last Modified: 2016-07-28
I'm trying to switch sendmail (v. 8.14.9) to use Active Directory authentication on my Slackware64 14.1 mail server. I changed /etc/nsswitch.conf to:

passwd: compat winbind
group: compat winbind

I.e., I added winbind. To test, I removed user 'mark' from /etc/passwd. Before removing 'mark', `getent passwd mark` gave me:

mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

after the change I get:

HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

Now, when this user tries to send an email, I get maillog errors like:
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",

Basically, sendmail is now trying to send as user HPRS\mark@ohprs.org:
   ----- The following addresses had permanent fatal errors -----
HPRS\mark@ohprs.org
    (reason: 550 5.1.1 <HPRS\mark@ohprs.org>... User unknown)
    (expanded from: HPRS\mark@ohprs.org)

Is there a way to make sendmail ignore the domain part of the userId?
Question by:jmarkfoley
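An added example, not code from the question or from any of the answers: a short Python script that parses getent passwd lines of both shapes shown in the question, splits off the winbind domain prefix using the smb.conf "winbind separator" (assumed here to be the default backslash rather than read from smb.conf), refuses to build an envelope sender from anything that is not an RFC 5321 dot-atom, and scans maillog lines for the symptom reported above (a sender or from= value carrying a backslash). The getent and maillog lines embedded in the script are constructed copies of the ones in the post plus one ordinary line for contrast; the mail domain ohprs.org is taken from the post.

```python
"""Added example: check whether NSS hands sendmail a DOMAIN\\user name,
and normalise it before it is used as an envelope sender.

All sample data below is constructed to match the shapes shown in the
question (getent passwd lines and maillog lines); none of it is the
poster's own code or output beyond those copied shapes.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed getent(1) output: the entry before and after winbind was
# added to nsswitch.conf, as shown in the question.
GETENT_BEFORE = "mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash"
GETENT_AFTER = r"HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false"

# Constructed maillog lines; the first three follow the question's log,
# the fourth is a normal message added for contrast.
MAILLOG = [
    r"Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: "
    r"mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r",
    r"Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required",
    r'Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",',
    r"Jul 21 00:47:01 mail sendmail[16002]: u6L4l1xx016002: from=<bob@ohprs.org>, size=512",
]

# RFC 5321 dot-atom: the only local-part form we are willing to build
# without quoting. A backslash is not in atext, so DOMAIN\user fails it.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*$")

# "sendmail[pid]: <queue id>: <message>" as written by syslog.
_LOG_LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$")


class PasswdEntry(NamedTuple):
    domain: Optional[str]   # NetBIOS domain prefix, or None for a local user
    user: str               # bare user name with the prefix removed
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(line: str, separator: str = "\\") -> PasswdEntry:
    """Split one passwd(5) line. `separator` is the smb.conf
    'winbind separator' (default '\\'); assumed here, not read from smb.conf."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name = fields[0]
    if separator in name:
        domain, user = name.split(separator, 1)
    else:
        domain, user = None, name
    return PasswdEntry(domain, user, int(fields[2]), int(fields[3]),
                       fields[4], fields[5], fields[6])


def is_valid_local_part(name: str) -> bool:
    """True if `name` can be used unquoted as the local part of an address."""
    return DOT_ATOM.fullmatch(name) is not None


def envelope_sender(entry: PasswdEntry, mail_domain: str) -> str:
    """Build user@mail_domain from the bare user name, refusing anything
    that is not a dot-atom rather than emitting a broken address."""
    if not is_valid_local_part(entry.user):
        raise ValueError(f"{entry.user!r} is not a valid unquoted local part")
    return f"{entry.user}@{mail_domain}"


def find_domain_prefixed_senders(lines: List[str]) -> Dict[str, List[str]]:
    """Return queue-id -> messages for log lines where sendmail recorded a
    sender or from= value containing a backslash, i.e. a DOMAIN\\user name
    that leaked through from NSS."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = _LOG_LINE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "\\" in msg and (msg.startswith("from=") or "set sender to" in msg):
            hits.setdefault(m.group("qid"), []).append(msg)
    return hits


if __name__ == "__main__":
    for raw in (GETENT_BEFORE, GETENT_AFTER):
        e = parse_passwd(raw)
        print(f"{e.domain or '(local)':>8} {e.user:<6} -> {envelope_sender(e, 'ohprs.org')}")
    for qid, msgs in find_domain_prefixed_senders(MAILLOG).items():
        print(f"{qid}: {len(msgs)} line(s) with a DOMAIN\\user sender")
```

To use it on the real mail server, replace the constructed lines with actual `getent passwd <user>` output and a tail of /var/log/maillog. A non-empty result from find_domain_prefixed_senders means NSS is still returning DOMAIN\user and the backslash is reaching sendmail, whatever smb.conf says; the envelope_sender check is the guard a wrapper script would want before passing a name to sendmail -r.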
 
Expert Comment by: arnold (ID: 41723981)
One way is to configure winbind to presume the AD domain, such that mark will be tested against both winbind and, on failure, against the local password file.

Presumably your sendmail config uses %u. I am not sufficiently familiar with sendmail to know whether there is an alternate way to reference the user or to strip out the realm.
The earlier suggestion would simplify the sendmail config by not requiring differentiation, per user entry, between local and AD-based user accounts.

Author Comment by: jmarkfoley (ID: 41724032)
arnold:
One way is to configure winbind to presume the AD domain such that mark will tested against both winbind and on failure against local password file.
The idea is to not have domain users in the local password file.

I'm *sure* someone out there knows how to rewrite the username in sendmail to strip the domain portion.

Expert Comment by: arnold (ID: 41724037)
Look at /etc/samba/smb.conf.
There is a portion that deals with whether the realm/domain, in your case HPRS, will be presumed.

After the change, see if you can log in by using just the username from an AD account to authenticate where there is no corresponding local account.

I.e. AD user somejoe that does not exist in /etc/passwd.
After the change, a login with somejoe and password will be authenticated and authorized against the AD.
Once this works, there will not be a HPRS\ reference in the %u portion of the sendmail email handling.

The more complicated option deals with adjusting/working with sendmail to configure it to query the AD/LDAP structure to convert/pull the email address rather than using the default %u@%d.....

Author Comment by: jmarkfoley (ID: 41724104)
arnold:
After the change, see if you can login by using just the username from an AD account ...
What change to smb.conf are you suggesting? If you're talking about

winbind use default domain = yes

I currently have that set as above. My smb.conf:
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

    winbind use default domain = yes
    template shell = /bin/bash

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log level = 2 passdb:5 auth:10 winbind:2 lanman:10
    max log size = 1000


[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

[share]
    path = /var/lib/samba/share
    comment = Shared folder
    read only = No


Expert Comment by: arnold (ID: 41726596)
You have it set:
Winbind use default domain = true

If you only use the username, without the HPRS prefix, does the system authenticate the user?

Look at the samba log to see what is happening.

Author Comment by: jmarkfoley (ID: 41727727)
According to the Samba maillist, "the 'winbind use default domain = yes' configure option is not honored on a DC."

On the DC `getent passwd user` returns DOMAIN\username. On a domain member it returns just username, as expected. Perhaps a bug in Samba. The list respondent suggests configuring sendmail to drop the "DOMAIN\" bit.

If you only use , the username without the HPRS prefix, does the system authenticate the user in??

Not sure where you are talking about doing this? Logging in? Sendmail?

Expert Comment by: arnold (ID: 41728076)
You have to look at sendmail.mc / sendmail.cf to see the user definition.

I am not familiar enough with sendmail to assist you specifically/directly.

I

Accepted Solution by: arnold (earned 2000 total points; ID: 41728080)
The setting might deal with the email client used to transmit/generate the message.

Author Comment by: jmarkfoley (ID: 41733645)
Well, believe it or not ... it just started working! Perhaps I didn't restart sendmail, or samba, or both. I thought I did, but perhaps not. Anyway. It just works. I didn't have to do anything special.

Author Closing Comment by: jmarkfoley (ID: 41733647)
thanks for hanging in there!