
Sendmail Authentication Using Active Directory

Reposted by 火星人 @ 2014-03-05

Filed under: General — papilion @ 11:09 am

This sucks, but let me do a quick summary of how to make sendmail SMTP AUTH work against Active Directory's Kerberos 5 authentication.

Requirements:
Sendmail 8.12.x
saslauthd 2.1.x (Cyrus SASL)
pam_krb5

I'm going to assume that you can get all the components on the system properly installed and compiled. Just in case, here is a link explaining how to compile sendmail with SMTP AUTH.

Modify your sendmail.mc:

    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

The three lines above (each is one line; the wrapping is a formatting issue) go in sendmail.mc with the rest of the defines. Produce your .cf file via m4, or via the makefile (Red Hat folks). Once again, I assume that you've done this before; if not, look here.

Two caveats. First, saslauthd can only verify a cleartext password, so of the mechanisms listed only PLAIN and LOGIN will actually succeed through this setup: DIGEST-MD5 and CRAM-MD5 need the shared secret in an auxprop database, and GSSAPI needs a host keytab from the domain, and neither is configured here. Second, PLAIN and LOGIN put the user's AD password on the wire, so set confAUTH_OPTIONS to `A p' rather than `A': the `p' flag stops sendmail from offering those mechanisms until STARTTLS has established an encrypted session.

Configure pam.d to use Kerberos for authentication for SMTP only:

I have set up a file in /etc/pam.d/ named smtp (the service name saslauthd passes to PAM). Its contents are listed below.

    #%PAM-1.0
    auth sufficient /lib/security/$ISA/pam_krb5.so tryfirst likeauth nullok
    auth required pam_stack.so service=system-auth
    account required pam_stack.so service=system-auth

This file is from my Red Hat install and it may not work on other versions of Linux, since I'm relying on the default authentication stack. The pam_krb5 line is what does all the magic, and it should work on any system once inserted into the proper pam.d file. Note that pam_stack.so is the old Red Hat way of chaining to system-auth; newer Red Hat releases removed it, and the equivalent there is `auth include system-auth` and `account include system-auth`.

Need help with PAM? So does everyone. This article explains it decently.

Modify /etc/krb5.conf:

    [libdefaults]
    default_realm = ACTIVEDIRECTORY.LOCAL

    [realms]
    ACTIVEDIRECTORY.LOCAL = {
        kdc = dc.activedirectory.local
        admin_server = dc.activedirectory.local
        default_domain = activedirectory.local
    }

    [domain_realm]
    .activedirectory.local = ACTIVEDIRECTORY.LOCAL
    activedirectory.local = ACTIVEDIRECTORY.LOCAL

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

This file configures Kerberos 5, and it has been my experience that an Active Directory domain controller will authenticate Linux machines without much issue, provided you configure krb5.conf properly. Mainly that means setting the Kerberos realm and the DNS domain correctly, but it is also important to point the KDC entry at a domain controller. Microsoft's adoption of standards makes this much easier than it was in the days of NT4 and LANMAN2.

Replace ACTIVEDIRECTORY.LOCAL with your Active Directory namespace, written in upper case (Kerberos realm names are case-sensitive and AD realms are upper case). For example, if your AD domain is somecompany.com, you would replace ACTIVEDIRECTORY.LOCAL with SOMECOMPANY.COM.

Replace the kdc and admin_server values with the fully qualified DNS name of one of your domain controllers. For example, at somecompany.com with a DC of dc.somecompany.com, you would enter kdc = dc.somecompany.com. Naming a single DC makes it a single point of failure for mail authentication; since AD publishes its KDCs in DNS as _kerberos._tcp SRV records, you can list several kdc lines or set dns_lookup_kdc = true in [libdefaults] instead.

If you have an Active Directory / DNS namespace mismatch this is a little more complicated, but I'm not going to cover it here. Leave a comment if you're curious and I'll explain.

Create valid UID entries for your AD users:

This setup requires that all your AD users have UIDs that are resolvable on the mail server. The reason is in the PAM file above: the account stage hands off to system-auth, whose pam_unix module looks the user up in the passwd database, and pam_krb5 itself needs a local UID to own the credential cache it creates, so a user the mail server cannot resolve fails even after the DC has accepted the password. If you run both Linux and Windows you may have come across this before. For a large environment you may want to install Services For Unix (SFU) and configure nss_ldap. You can also use NIS from SFU or NIS from a Unix server, but that complicates the security picture. Alternatively, if you have the time, you can create an entry for every AD user in /etc/passwd and /etc/shadow.

If you use NIS or the passwd/shadow method, lock the Unix password field (a `*` or `!` in place of the hash) so nothing can authenticate against a local password. Kerberos through pam_krb5 should be the only way in.

Starting saslauthd:

Make sure it is started with the PAM authentication mechanism:
# saslauthd -a pam

On Red Hat this is the MECH= setting in /etc/sysconfig/saslauthd. libsasl also has to be told to consult saslauthd at all: sendmail's SASL application config (Sendmail.conf in /usr/lib/sasl2 or /etc/sasl2, depending on the Cyrus SASL build) needs pwcheck_method: saslauthd, and limiting mech_list there to plain login keeps sendmail from advertising mechanisms that saslauthd cannot verify.

Restart Sendmail:
# /etc/init.d/sendmail restart

Now SMTP AUTH in sendmail should be working, with passwords checked against your Active Directory through saslauthd and pam_krb5.

As a side note, your clocks need to be fairly accurate with respect to each other: Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the allowed clock skew, which is five minutes by default in MIT Kerberos. Computers in the Active Directory domain typically sync time using SNTP. Before you try any of this, sync your time with the AD server using ntpdate, i.e. ntpdate dc.activedirectory.local. Authentication will start to fail once the clock skew gets too large, so you should also configure ntpd.
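The following script is an added example for checking the chain built in the steps above and the clock-skew point just made; it is not part of the original post. It tests each layer from the bottom up (clock against the DC, Kerberos ticket, saslauthd through PAM, then sendmail over STARTTLS with AUTH PLAIN) so that the first failure names the component that broke. It assumes openssl, testsaslauthd (Cyrus SASL), kinit/kdestroy (MIT Kerberos) and ntpdate are installed; the host and user names are taken from the environment variables SMTP_HOST, KRB_DC and AD_USER, which are assumptions of this example, and nothing touches the network unless SMTP_HOST is set.

```shell
#!/bin/sh
# Added example, not from the original post: end-to-end checks for the
# sendmail + saslauthd + PAM + pam_krb5 + Active Directory chain.
# Assumed tools: openssl, testsaslauthd, kinit/kdestroy, ntpdate.
# Assumed env: SMTP_HOST (mail server), KRB_DC (a domain controller), AD_USER.

# Initial response for SASL PLAIN (RFC 4616): NUL authcid NUL password,
# base64-encoded, i.e. what a client sends after "AUTH PLAIN".
# sasl_plain_ir user pass -> AHVzZXIAcGFzcw==
sasl_plain_ir() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Kerberos refuses requests whose timestamp is further from the KDC's clock
# than clockskew allows (MIT default 300 s). Returns 0 when the two epoch
# times are within the limit ($3, default 300), 1 otherwise.
krb_skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "${3:-300}" ]
}

# Live smoke test: clock, Kerberos, saslauthd/PAM, then sendmail itself.
smtp_auth_check() {
    host=$1 dc=$2 user=$3
    printf 'AD password for %s: ' "$user"
    stty -echo; read -r pass; stty echo; echo

    # 1. clock skew: "ntpdate -q" reports "offset <seconds>," without stepping
    now=$(date +%s)
    offset=$(ntpdate -q "$dc" | awk '/offset/ { for (i = 1; i <= NF; i++)
        if ($i == "offset") { sub(/,/, "", $(i+1)); printf "%d\n", $(i+1) } }' | head -n 1)
    krb_skew_ok "$now" "$(( now + ${offset:-0} ))" ||
        { echo "clock skew of ${offset}s to $dc exceeds the Kerberos limit"; return 1; }

    # 2. Kerberos: the password must yield a TGT from the DC (MIT kinit reads
    #    the password from stdin when stdin is not a terminal)
    printf '%s\n' "$pass" | kinit "$user" ||
        { echo "kinit failed: check krb5.conf realm/kdc and the password"; return 1; }
    kdestroy

    # 3. saslauthd + PAM: the exact path sendmail will use, minus sendmail
    #    (the password is visible in 'ps' for a moment; acceptable on a test box)
    testsaslauthd -u "$user" -p "$pass" -s smtp ||
        { echo "saslauthd/PAM rejected $user: check /etc/pam.d/smtp and saslauthd -a pam"; return 1; }

    # 4. sendmail over STARTTLS with AUTH PLAIN; 235 is the success reply
    printf 'EHLO check\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$(sasl_plain_ir "$user" "$pass")" |
        openssl s_client -quiet -starttls smtp -connect "$host:25" 2>/dev/null |
        grep -q '^235' ||
        { echo "sendmail rejected AUTH PLAIN: check confAUTH_MECHANISMS and Sendmail.conf"; return 1; }
    echo "SMTP AUTH OK for $user on $host"
}

if [ -n "${SMTP_HOST:-}" ]; then
    smtp_auth_check "$SMTP_HOST" "${KRB_DC:?set KRB_DC to a domain controller}" "${AD_USER:?set AD_USER}"
fi
```

Run it as `SMTP_HOST=mail.example.com KRB_DC=dc.example.com AD_USER=jdoe sh check.sh` on the mail server itself, since testsaslauthd talks to the local saslauthd socket. If step 4 fails while step 3 passes, the problem is on the sendmail side (the mechanism list, the `p' option without a certificate, or a missing Sendmail.conf) rather than in Kerberos or PAM.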


Source: http://coctec.com/docs/service/show-post-43702.html