[Samba] Odd VPN connectivity problem
Jon Gerdes
gerdesj at blueloop.net
Thu Nov 19 00:02:38 UTC 2020
Dear all
My laptop running Arch Linux is domain joined to the office AD domain. I run winbind locally (smb.conf below.) I can
use Kerberos and cifs with autofs to make Windows shares appear on demand. pam_winbind etc just works. Lovely.
I then fire up my laptop road-warrior VPN - I need to appear to be coming from the office for a lot of my customers. At
this point my AD connection stops working properly.
Wireshark and looking at the logs shows that when I use my VPN, the CLDAP over UDP phase works fine, where winbind looks
for AD details. I see loads of queries and sensible responses.
Once winbind is happy that it knows what is what (which site, IPs etc), it switches to LDAP over TCP. That's where it
goes wrong. Wireshark watching the VPN tunnel sees a SYN, SYN-ACK, RST. I've checked that sequence numbers are OK.
I've eliminated things like MTU - I can run 1472 byte pings (ipv4) or 1452 (ipv6) across the VPN. IPv4 and IPv6 are in
play but both work fine outside of this. I can run LDAP searches from my laptop using ldapsearch.
I think that winbind is binding to an address and claiming to be the wrong one when the VPN is running and hence
breaking things. I've tried "bind interfaces only" but that does not work.
Cheers
Jon
# /etc/samba/smb.conf
# JG 8 Nov 2016
# JG 7 Apr 2017
# https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed
# 3 Sep 2020 - add multi channel supprt
[global]
bind interfaces only = yes
interfaces = wlp* 127.0.0.1 ::1
workgroup = BLUELOOP
realm = BLUELOOP.NET
server string = Samba Server
security = ADS
kerberos method = secrets and keytab
kerberos encryption types = strong
dedicated keytab file = /etc/krb5.keytab
obey pam restrictions = yes
client min protocol = SMB2_10
server min protocol = SMB3_11
client signing = mandatory
server signing = mandatory
server multi channel support = yes
aio read size = 1
aio write size = 1
logging = file
log level = 5 winbind:10
max log size = 1024
debug uid = yes
printcap name = cups
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config BLUELOOP : backend = rid
idmap config BLUELOOP : range = 10000 - 19999
idmap negative cache time = 5
local master = no
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind expand groups = 2
winbind use default domain = yes
winbind offline logon = yes
winbind expand groups = yes
winbind refresh tickets = yes
winbind reconnect delay = 5
winbind cache time = 10
guest account = nobody
map to guest = never
guest ok = no
[homes]
comment = Home Directories
read only = no
browseable = no
[shared]
path = /srv/shared
comment = Shared data
read only = no
browseable = yes
More information about the samba
mailing list