Solved

sendmail - How to remove AD domain name from email userId

Posted on 2016-07-21
Last Modified: 2016-07-28
I'm trying to switch sendmail (v. 8.14.9) to use Active Directory authentication on my Slackware64 14.1 mail server. I changed /etc/nsswitch.conf to:

passwd: compat winbind
group: compat winbind

I.e., I added winbind. To test, I removed user 'mark' from /etc/passwd. Before removing 'mark', `getent passwd mark` gave me:

mark:x:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash

after the change I get:

HPRS\mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/false

Now, when this user tries to send an email, I get maillog errors like:
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",

Basically, sendmail is now trying to send as user HPRS\mark@ohprs.org:
   ----- The following addresses had permanent fatal errors -----
HPRS\mark@ohprs.org
    (reason: 550 5.1.1 <HPRS\mark@ohprs.org>... User unknown)
    (expanded from: HPRS\mark@ohprs.org)

Is there a way to make sendmail ignore the domain part of the userId?
Question by:jmarkfoley
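To see which queued messages are still going out with the NetBIOS prefix, and what the sender and passwd entry look like once that prefix is dropped, here is an added Python example (not code from the question, from sendmail or from Samba). The maillog and getent lines it scans are constructed from the excerpts above; real sendmail log field layouts may vary.

```python
"""Find sendmail from= values that still carry a DOMAIN\\user prefix and
show the prefix-stripped form. Added example; inputs are constructed."""
import re

# Constructed maillog sample modelled on the question. syslog escapes each
# backslash, and sendmail's quoted from= field escapes it again, which is
# why the same user appears as HPRS\\mark in one line and HPRS\\\\mark in another.
SAMPLE_MAILLOG = r"""
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: Authentication-Warning: mail.hprs.local: HPRS\\mark set sender to @ohprs.org using -r
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: @ohprs.org... User address required
Jul 21 00:46:35 mail sendmail[15987]: u6L4kZms015987: from="HPRS\\\\mark",
Jul 21 00:47:02 mail sendmail[16001]: u6L4l2ab016001: from=<alice@ohprs.org>, size=512, class=0
""".strip()

# Queue id follows "sendmail[pid]: "; the from= value is either <addr> or "addr".
QUEUE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): ")
FROM_RE = re.compile(r'from=(?:<(?P<angle>[^>]*)>|"(?P<quoted>[^"]*)")')
# One or more backslashes (escaping varies by log layer) between domain and user.
NT_NAME_RE = re.compile(r"^(?P<domain>[A-Za-z0-9._-]+)\\+(?P<user>[A-Za-z0-9._@-]+)$")


def split_nt_name(name):
    """Return (domain, user) for 'HPRS\\mark' style names, (None, name) otherwise."""
    m = NT_NAME_RE.match(name)
    if not m:
        return None, name
    return m.group("domain"), m.group("user")


def strip_domain_from_passwd(line):
    """Rewrite a getent passwd line so its login field has no DOMAIN\\ prefix."""
    fields = line.split(":")
    _, fields[0] = split_nt_name(fields[0])
    return ":".join(fields)


def find_domain_prefixed_senders(log_text):
    """Return (queue_id, domain, user) for every from= value carrying a prefix."""
    hits = []
    for line in log_text.splitlines():
        q, f = QUEUE_RE.search(line), FROM_RE.search(line)
        if not (q and f):
            continue
        sender = f.group("angle") if f.group("angle") is not None else f.group("quoted")
        domain, user = split_nt_name(sender)
        if domain is not None:
            hits.append((q.group("qid"), domain, user))
    return hits


if __name__ == "__main__":
    for qid, domain, user in find_domain_prefixed_senders(SAMPLE_MAILLOG):
        print(f"{qid}: sender {domain}\\{user} would become {user} after stripping")
```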
10 Comments

Expert Comment

by:arnold
ID: 41723981
One way is to configure winbind to presume the AD domain such that mark will be tested against both winbind and, on failure, against the local password file.

Presumably your sendmail config uses %u. I am not sufficiently familiar with sendmail on whether there is an alternate way to reference the user or strip out the realm.
The earlier suggestion would reduce the sendmail config through not requiring the differentiation by user entry of a local versus ad based user accounts.

Author Comment

by:jmarkfoley
ID: 41724032
arnold:
One way is to configure winbind to presume the AD domain such that mark will tested against both winbind and on failure against local password file.
The idea is to not have domain users in the local password file.

I'm *sure* someone out there knows how to rewrite the username in sendmail to strip the domain portion.

Expert Comment

by:arnold
ID: 41724037
Look at /etc/samba/smb.conf
There is a portion that deals with whether the realm/domain (in your case HPRS) will be presumed.

After the change, see if you can login by using just the username from an AD account to authenticate where there is no corresponding local account.

I.e. AD user somejoe that does not exist in /etc/passwd.
After the change a login with somejoe and password will be authenticated and authorized against the AD.
Once this works, there will not be a HPRS\ reference in the %u portion of the sendmail email handling.

The more complicated option deals with adjusting/working with sendmail to configure it to query the AD/LDAP structure to convert/pull the email address rather than using the default %u@%d.....

Author Comment

by:jmarkfoley
ID: 41724104
arnold:
After the change, see if you can login by using just the username from an AD account ...
What change to smb.conf are you suggesting? If you're talking about

winbind use default domain = yes

I currently have that set as above. My smb.conf:
[global]
        workgroup = HPRS
        realm = hprs.local
        netbios name = MAIL
        interfaces = lo, eth1
        bind interfaces only = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

    winbind use default domain = yes
    template shell = /bin/bash

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log level = 2 passdb:5 auth:10 winbind:2 lanman:10
    max log size = 1000


[netlogon]
        path = /var/lib/samba/sysvol/hprs.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

[share]
    path = /var/lib/samba/share
    comment = Shared folder
    read only = No


Expert Comment

by:arnold
ID: 41726596
You have it set:
Winbind use default domain = true

If you only use the username without the HPRS prefix, does the system authenticate the user?

Look at the samba log to see what is happening.

Author Comment

by:jmarkfoley
ID: 41727727
According to the Samba maillist, "the 'winbind use default domain = yes' configure option is not honored on a DC."

On the DC `getent passwd user` returns DOMAIN\username. On a domain member it returns just username, as expected. Perhaps a bug in Samba. The list respondent suggests configuring sendmail to drop the "DOMAIN\" bit.

If you only use the username without the HPRS prefix, does the system authenticate the user?

Not sure where you are talking about doing this? Logging in? Sendmail?

Expert Comment

by:arnold
ID: 41728076
You have to look at the sendmail.mc sendmail.cf to see the user definition.

I am not too familiar with sendmail to assist you specifically/directly.

I

Accepted Solution

by:
arnold earned 500 total points
ID: 41728080
The setting might deal with the email client used to transmit/generate the message.

Author Comment

by:jmarkfoley
ID: 41733645
Well, believe it or not ... it just started working! Perhaps I didn't restart sendmail, or samba, or both. I thought I did, but perhaps not. Anyway. It just works. I didn't have to do anything special.

Author Closing Comment

by:jmarkfoley
ID: 41733647
thanks for hanging in there!