[Samba] winbind : suspend nightmare

[Jon Gerdes]

On Wed, 2019-10-23 at 22:21 -0700, Jeremy Allison wrote:
> On Wed, Oct 23, 2019 at 11:58:33PM +0000, Jon Gerdes wrote:
> > winbind has a concept of offline and online but I don't know what
> > that
> > is, nor how nss works with it.  I've tried using smbcontrol to tell
> > winbind it is offline or online but that does not seem to work.
> > Restarting winbind normally gets my account working again. If I had
> > to
> > guess, then offline and online mean "network available" (layer 2/3)
> > and
> > not "AD available" (layer 3/4)
> 
> I implemented the 'winbind offline' code many years ago
> whilst working for SuSE to cover this exact use case.
> 
> It detects when it can't contact a DC and puts itself
> into the 'offline' mode, which means serve logins out
> of local cache. It should do this for whatever reason
> when it can't talk to a DC (network fail, DC not
> found etc. etc.).
> 
> On startup if winbind can't talk to a DC it sets
> a retry timer to go off every 10 seconds to try
> and re-connect to the DC. It keeps that timeout
> until it does contact a DC, when it resets the
> reconnect timer to be 30 seconds. If it loses
> connection to the DC after it has once made
> connection it puts itself in offline mode and
> then retries every 30 seconds.
> 
> The long (30) second timeout can be changed
> by setting the parameter:
> 
> winbind reconnect delay = X.
> 
> Hope this helps !
> 
> Jeremy.

Now I've had a chance to think about this and your notes, the way ahead
is looking clearer to me.  As you say, your code was written years ago
in the days when sysvinit was boss (I was using openrc back then as
well as sysvinit.)

My only modern use case is systemd and (probably) NetworkManager.  My
initial effort is going to be:

* System suspends to RAM or disc - shutdown the winbind service
* System wakes from RAM or disc - start winbind service

I initially thought to make winbind depend on network which will work
when net is available but delay or break an offline logon when net is
not available.

Windows seems to generally get the ogin experience right in most cases
but then MS gets to write all the code and declare all the APIs and
they get to break things at will for a laugh.  Given where Unixy stuff
came from and where X Windows and all the other gear in our preferred
OS started from, it is a bloody miracle that anything hangs together
(no it's not - we have some damn fine engineers working on our gear).

This all might all sound a bit naff to most people but the login
experience on a roaming device is really, really hard to get right.

wifi might need a login or a button click - Windows is a bit shit here.
You cannot accept a wifi arrangement on Win10 before login.  That means
your VPN has not started up (no trusted network) and that means you
have not authenticated yourself to your domain - you can only do cached
creds.

So, Mr A: Are you able to reliably login to a Linux powered laptop with
an AD mediated account?  I have to employ a few workarounds for several
scenarios.  wifi on/off, VPN on/off, wired vs wifi, IPv6 vs IPv4 are
some of the considerations.

Could I request you look at your winbind on/offline code with a modern
viewpoint.  I suspect you need to require the environment to tell
winbind what is happening to it rather than deploying a few randomly
chosen timers.

Cheers
Jon