[Samba] Winbind offline cache and strangeness...

L.P.H. van Belle belle at bazuin.nl
Fri Sep 11 11:26:27 UTC 2020


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marco Gaiarin via samba
> Sent: Friday 11 September 2020 12:29
> To: samba at lists.samba.org
> Subject: [Samba] Winbind offline cache and strangeness...
> 
> 
> I've set up a portable system (Ubuntu 16.04) joined to my AD domain,
> which works as expected on its primary network.
> 
> But in this 'COVID time', the portable started to roam around, and users
> tell me that, suddenly after some days of use, it gets incredibly
> sloooowww... after that users reboot, and cannot get back in, login
> refused.

Have you checked the time offsets?

> 
> I've set up a VPN, but clearly if users cannot log back in, they also
> cannot fire up the VPN.
> 
> Some questions:
> 
> 1) I know about:
> 	https://bugzilla.samba.org/show_bug.cgi?id=14074
>  but this does not seem to be the case: users reboot the portable without
> trouble, it is only after some days of use that the 'cache expires'
> (I suppose).
I think so too.
Run: klist where it stopped working.
Verify it.

> 
> 2) Is there some way, supposing we find a way to fire up the VPN, to
>  force a reload of the winbind cache? Is a full Samba restart needed?
How about making a "pc" client cert for the VPN? That allows you to set up and run the VPN tunnel.
And then re-auth against Samba to update the Kerberos ticket.
Also, in this case it might be useful to change krb5.conf.
And here you might want to add the realm part.
Because of VPN, routing, split tunneling, things like that.

There are a lot of options here, a bit hard to tell...

> 
> 
> As a first 'countermeasure' we have created a local user to be able to
> refresh the winbind cache, but simply firing up the VPN does not seem
> to suffice.
> 
> Next week I will be able to get my hands on the portable, so I
> will look at the logs.
> 
> 
> In the meantime, thanks.

You're welcome, I hope you can use it.
Have a great weekend.

P.S. Showing some configs might help a lot. ;-)


Greetz, 

Louis



