[Samba] Odd VPN connectivity problem

Jon Gerdes gerdesj at blueloop.net
Thu Nov 19 00:02:38 UTC 2020

Dear all

My laptop running Arch Linux is domain joined to the office AD domain.  I run winbind locally (smb.conf below).  I can
use Kerberos and cifs with autofs to make Windows shares appear on demand. pam_winbind etc. just works. Lovely.

I then fire up my laptop road-warrior VPN - I need to appear to be coming from the office for a lot of my customers.  At
this point my AD connection stops working properly.

Wireshark and the logs show that when I use my VPN, the CLDAP-over-UDP phase, where winbind looks for AD details,
works fine.  I see loads of queries and sensible responses.

Once winbind is happy that it knows what is what (which site, IPs etc), it switches to LDAP over TCP.  That's where it
goes wrong.  Wireshark watching the VPN tunnel sees a SYN, SYN-ACK, RST.  I've checked that sequence numbers are OK.

I've eliminated things like MTU - I can run 1472 byte pings (ipv4) or 1452 (ipv6) across the VPN.  IPv4 and IPv6 are in
play but both work fine outside of this. I can run LDAP searches from my laptop using ldapsearch.

I think that winbind is binding to an address and claiming to be the wrong one when the VPN is running and hence
breaking things.  I've tried "bind interfaces only" but that does not work.  


# /etc/samba/smb.conf
# JG 8 Nov 2016
# JG 7 Apr 2017
# https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed
# 3 Sep 2020 - add multi channel support

[global]
        bind interfaces only = yes
        interfaces           = wlp* ::1

        workgroup     = BLUELOOP
        realm         = BLUELOOP.NET
        server string = Samba Server

        security                  = ADS
        kerberos method           = secrets and keytab
        kerberos encryption types = strong
        dedicated keytab file     = /etc/krb5.keytab
        obey pam restrictions     = yes

        client min protocol   = SMB2_10
        server min protocol   = SMB3_11
        client signing        = mandatory
        server signing        = mandatory

        server multi channel support = yes
        aio read size                = 1
        aio write size               = 1

        logging        = file
        log level      = 5 winbind:10
        max log size   = 1024
        debug uid      = yes
        printcap name  = cups

        idmap config * : backend = tdb
        idmap config * : range   = 1000000-1999999

        idmap config BLUELOOP : backend = rid
        idmap config BLUELOOP : range   = 10000 - 19999
        idmap negative cache time  = 5

        local master = no

        template shell             = /bin/bash

        winbind enum users         = yes
        winbind enum groups        = yes
        winbind expand groups      = 2
        winbind use default domain = yes
        winbind offline logon      = yes
        # duplicate of "winbind expand groups = 2" above; the parameter takes an
        # integer, so the later "= yes" is invalid and is commented out here
        # winbind expand groups      = yes
        winbind refresh tickets    = yes
        winbind reconnect delay    = 5
        winbind cache time         = 10

        guest account = nobody
        map to guest  = never
        guest ok      = no

[homes]
        comment    = Home Directories
        read only  = no
        browseable = no

# share name was lost from the post; placeholder section name
[shared]
        path       = /srv/shared
        comment    = Shared data
        read only  = no
        browseable = yes
