[Samba] Odd VPN connectivity problem
gerdesj at blueloop.net
Thu Nov 19 21:15:35 UTC 2020
On Thu, 2020-11-19 at 15:56 +0100, Marco Gaiarin via samba wrote:
> Greetings! Jon Gerdes via samba
> On that day it was said...
> > I think I have painted myself into a corner! It looks like SNAT is needed or a feature request/bug for winbind. My
> AFAIK it is not a bug of winbind, but a feature of Linux, which always replies
> from the 'nearest IP', not the 'calling/called' one...
Again, thanks a lot for the responses. This has been causing me problems for months now. Within a day of some sensible
answers I hit on the solution. I had, of course, not given you all the details. One of our office DCs lives at home
with me, on a different VLAN from my laptop. There's a site-to-site VPN for both IPv4 and IPv6. I have quite an involved
home IT setup 8)
When I start up my laptop, winbind queries the domain and connects to the local DC as it should and all is fine. I
log in. I then decide to connect my local laptop VPN so that I can "be" in the office and hence use the office VPNs etc.
to connect to customer sites. At this point, winbind tries to talk to my home DC but the VPN sends the TCP traffic up
the link. UDP works OK because it is connectionless. When winbind uses CLDAP it still picks my local DC because it
sees the address as more local, which is fair enough.
I fixed it by putting in a static route for my entire home network via my local gateway. That overrides the VPN routing by
being more specific. My home VLANs' IPv4 ranges are all /24s that aggregate to a single /16. I could have fixed it with a /32
for the DC, but although everything else seems to work there will be other things that work like winbind that I'm not
I'm putting this one down as a win for the list, even though I fixed it myself. I needed some sensible counter
arguments and discussion to jog the grey cells. I feel a bit daft now that I didn't sort this out months ago.
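The fix above works because the kernel picks the route with the longest matching prefix, not the one that was installed last. The following is an added example, not code from the original post or from Samba: it models a forwarding table with longest-prefix-match lookup and walks through the three states the post describes (no VPN, VPN up, VPN up plus the static route), and also compares the /16 fix with the /32-for-the-DC alternative. All addresses, interface names and the assumption that the VPN client takes over the default route with two /1 halves (the OpenVPN "def1" style) are constructed for the example; the poster's real prefixes are not given.

```python
"""Longest-prefix-match route selection, modelling the static-route fix above.

Constructed example: every address, gateway and interface name here is
invented for illustration and is not the poster's real network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str        # next-hop gateway, or "link" for a directly connected network
    dev: str        # egress interface


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins).

    Among routes of equal prefix length the first listed entry wins; a real
    kernel breaks such ties on metric, which this model leaves out.
    """
    addr = ip_address(dst)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def path_to(table: List[Route], dst: str) -> Tuple[str, str]:
    """(interface, next hop) the packet to dst would take under this table."""
    r = lookup(table, dst)
    if r is None:
        raise LookupError(f"no route to {dst}")
    return (r.dev, r.via)


# --- constructed topology -------------------------------------------------
# Home network: /24 VLANs inside 10.20.0.0/16. Laptop sits on 10.20.5.0/24,
# the home DC is 10.20.1.10, another home host is 10.20.3.7.
LAN_GW = "10.20.5.1"   # assumed local gateway
DC = "10.20.1.10"      # assumed home DC
OTHER_HOME_HOST = "10.20.3.7"
VPN_GW = "10.8.0.1"    # assumed far end of the laptop's client VPN (tun0)

# State 1: laptop booted, no client VPN. Everything non-local goes via LAN_GW.
NO_VPN = [
    Route(ip_network("10.20.5.0/24"), "link", "eth0"),
    Route(ip_network("0.0.0.0/0"), LAN_GW, "eth0"),
]

# State 2: client VPN up. Assumed def1-style takeover: two /1 routes beat the
# existing /0 default without removing it, so all TCP to the DC goes up tun0.
VPN_UP = NO_VPN + [
    Route(ip_network("0.0.0.0/1"), VPN_GW, "tun0"),
    Route(ip_network("128.0.0.0/1"), VPN_GW, "tun0"),
]

# State 3a: the poster's fix, one static route for the whole home /16.
# Linux equivalent (assumed addresses): ip route add 10.20.0.0/16 via 10.20.5.1 dev eth0
VPN_UP_FIX_SLASH16 = VPN_UP + [
    Route(ip_network("10.20.0.0/16"), LAN_GW, "eth0"),
]

# State 3b: the narrower alternative the poster rejected, a /32 for the DC only.
VPN_UP_FIX_SLASH32 = VPN_UP + [
    Route(ip_network("10.20.1.10/32"), LAN_GW, "eth0"),
]


def walkthrough() -> dict:
    """Where traffic to the DC, another home host and the Internet goes in each state."""
    out = {}
    for name, table in [("no_vpn", NO_VPN), ("vpn_up", VPN_UP),
                        ("fix_/16", VPN_UP_FIX_SLASH16), ("fix_/32", VPN_UP_FIX_SLASH32)]:
        out[name] = {dst: path_to(table, dst) for dst in (DC, OTHER_HOME_HOST, "8.8.8.8")}
    return out


if __name__ == "__main__":
    for state, paths in walkthrough().items():
        print(state)
        for dst, (dev, via) in paths.items():
            print(f"  {dst:>12} -> {dev} via {via}")
```

The /32 row shows why the poster preferred the /16: with only the DC pinned, any other home host that a service discovers at run time (the way winbind does via CLDAP) still goes up the tunnel. On a real Linux box the same decision can be inspected without this model using `ip route get 10.20.1.10` (assumed address), which prints the interface and next hop the kernel would actually use.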