[Samba] PC's needing reboot before validating AD passwords

Ray Klassen ray.klassen at icloud.com
Fri Dec 8 22:07:51 UTC 2023


This is the 3rd thread I've started on this topic and it's likely to be
short, because the problem seems to have gone away.

Situation:
Windows 10 workstations, Windows 2019 server and one Linux install
(mine) based on winbind refused to validate current passwords until
they were rebooted. Once was usually enough. Some needed several
reboots. Afterward they would work as normal. Maybe this happened only
once per machine -- not sure about this -- but understandably I treated
the problem as if it could happen anytime to any computer, even if it
was a repeat on the same computer.

What may have precipitated this:
Upgrade schema to 2012_R2, upgrade functional level to 2008, upgrade
from Samba 4.18.x to 4.19.2

What was done to come closer to best practices, with an eye to fixing
the problem:
Convert DNS from SAMBA_INTERNAL to BIND_DLZ
Upgrade functional level to 2012_R2

Information Gathering:
Enabled audit on all DCs -- errors around the time of a failure looked
like an attempt by the computer to anonymously get a Kerberos ticket,
and no 'as usual' non-anonymous retry followed it.

Hypothesis:
The problem has not appeared for a week now, when it was happening
every day. My best guess is that something had to change on the client
end to accommodate the higher functional level. Once it changed, no
further change was necessary and the computer was 'ready.'

I'm posting this back for science. Someone may run into this.


