Solved

sendmail - How to remove AD domain name from email userId

Posted on 2016-07-21
10
76 Views
Last Modified: 2016-07-28
I'm trying to switch sendmail (v. 8.14.9) to use Active Directory authentication on my Slackware64 14.1 mail server. I changed /etc/nsswitch.conf to:

passwd: compat winbind
group: compat winbind

I.e., I added windbind. To test, I remove user 'mark' from /etc/passwd. Before removing 'mark', `getent passwd mark` gave me:

mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

after the change I get:

HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

Now, when this user tries to send an email, I get maillog errors like:
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",

Open in new window

Basically, sendmail is now trying to send as user HPRS\mark@ohprs.org:
   ----- The following addresses had permanent fatal errors -----
HPRS\mark@ohprs.org
    (reason: 550 5.1.1 <HPRS\mark@ohprs.org>... User unknown)
    (expanded from: HPRS\mark@ohprs.org)

Open in new window


Is there a way to make sendmail ignore the domain part of the userId?
0
Comment
Question by:jmarkfoley
  • 5
  • 5
10 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 41723981
One way is to configure winbind to presume the AD domain such that mark will tested against both winbind and on failure against local password file.

Presumably your sendmail config uses %u I am not sufficiently familiar with sendmail on whether there is an alternate way to reference the user or stripping out the realm.
The earlier suggestion would reduce the sendmail config through not requiring the differentiation by user entry of a local versus ad based user accounts.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 41724032
arnold:
One way is to configure winbind to presume the AD domain such that mark will tested against both winbind and on failure against local password file.
The idea is to not have domain users in the local password file.

I'm *sure* someone out there knows how to rewrite the username in sendmail to strip the domain portion.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41724037
Took at /etc/samba/smb.conf
There is a portion that deals whether the realm/domain in your case HPRS will be presumed.

After the change, see if you can login by using just the username from an AD account to authenticate where there is no corresponding local account.

I.e. AD User somejoe that does not exists in /etc/passwd.
After the change a login with somejoe and password, will be authenticated and authorized against the AD.
Once this works, there will not be a HPRS\ reference in the %u portion of the sendmail email handling.

The more complicated option deals with adjusting/working with sendmail to configure it to query the AD/LDAP structure to convert/pull the email address rather than using the default %u@%d.....
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:jmarkfoley
ID: 41724104
arnold:
After the change, see if you can login by using just the username from an AD account ...
What change to smb.conf are you suggesting? If your talking about

winbind use default domain = yes

I currently have that set as above. My smb.conf:
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

    winbind use default domain = yes
    template shell = /bin/bash

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log level = 2 passdb:5 auth:10 winbind:2 lanman:10
    max log size = 1000


[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

[share]
    path = /var/lib/samba/share
    comment = Shared folder
    read only = No

Open in new window

0
 
LVL 78

Expert Comment

by:arnold
ID: 41726596
You have it set:
Winbind use default domain = true

If you only use , the username without the HPRS prefix, does the system authenticate the user in??

Look at the samba log to see what is happening.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 41727727
According to the Samba maillist, "the 'winbind use default domain = yes' configure option is not honored on a DC."

On the DC `getent passwd user` returns DOMAIN\username. On a domain member it returns just username, as expected. Perhaps a bug in Samba. The list respondent suggests configuring sendmail to drop the "DOMAIN\" bit.

If you only use , the username without the HPRS prefix, does the system authenticate the user in??

Not sure where you are talking about doing this? Logging in? Sendmail?
0
 
LVL 78

Expert Comment

by:arnold
ID: 41728076
You have to look at the sendmail.mc sendmail.cf to see the user definition.

I am not loo familiar with sendmail to assist you specifically/directly.

I
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 41728080
The setting might deal with the email client used to transmit/generate the message.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 41733645
Well, believe it or not ... it just started working! Perhaps I didn't restart sendmail, or samba, or both. I thought I did, but perhaps not. Anyway. It just works. I didn't have to do anything special.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 41733647
thanks for hanging in there!
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AWS EC2 HTTP & HTTPS 2 79
Migrating users to new exchange 2010 DB 7 56
issue with cyrus-imap over ssl 2 37
edit firefox cookie settings via shell script on ubuntu 14? 1 39
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question