Jon Gerdes
2017-Oct-13 23:21 UTC
[Samba] Managing Kerberos tickets via winbind on a laptop
Dear all,

I'm not too sure where to start here - possibly a feature request.

I am getting great results with using Winbind to manage Kerberos tickets for Linux workstations "joined" to an AD. Fixed machines work beautifully - I have Raspberry Pis and PCs (running Arch and Gentoo) and servers running Ubuntu LTS, all doing Kerberos against AD KDCs with local logins via AD and local unix users as required, RDP inbound and outbound, SSH in and out, email (Evolution) to Exchange, Firefox and Chrome/Chromium doing their stuff with Squid, Apache and nginx and even IIS (shock, horror). Kerberos just works.

Now, I'm moving out a bit and looking at laptops, where the network comes and goes and could suddenly be on the end of a VPN, and the system can go to sleep for a long time, often all at once. To be honest it still works pretty well - but sometimes needs a bit of patience and a few prods.

When a (domain joined) laptop comes out of sleep I need it to:

* Wake up hardware, basic OS
* Reconnect network (if known wifi, then easy - reconnect, if not then that's another story and sort out VPN if applicable)
* Fix up time
* Realistically determine whether KDC is available or not - fall back to cached login = yes - /etc/security/pam_winbind.conf and winbind offline logon = yes in smb.conf (this is a tricky one)
---- Short time out, say 5-10s or configurable, if needed to get the above to work -----
* Refresh Kerberos tickets as needed, if KDC available
<------ lock screen here
* User logs in, running apps work and job's a good 'un

What actually happens:

* Wake up hardware, basic OS
*** stuff, user speed dependent ***
<----- lock screen here
*** Sometimes Evo connects first time and so do web browsers etc and all is lovely
*** Wait a while and the Kerb tickets are refreshed and everything works
*** Sometimes I lose patience and restart winbind or start making pointed use of "net ads info", as root, and the Kerberos dependent apps suddenly start working

I've read all the docs I can on winbind (including man pages) and I can't see an easy (programmatic, say via KDE events) way to kick it into refreshing Kerberos tickets on demand. It is clearly able to notice when the network is available or not because it will do the job eventually.

Cheers
Jon
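As an added illustration (not from the post above and not Samba's own code), one way to script the wake-up sequence the post describes: a NetworkManager dispatcher hook that waits a bounded time for a DC after the link or VPN comes up, treats the laptop as offline (cached logon) if none answers, and otherwise renews each user's winbind-managed ticket cache. The hook path, the 10 s default, `wbinfo --ping-dc` as the probe, the `/tmp/krb5cc_<uid>` cache location and `net ads kerberos renew` as the renewal command are assumptions; time sync is left to chrony/ntp.

```shell
#!/bin/sh
# Assumed install path: /etc/NetworkManager/dispatcher.d/90-winbind-krb5
# NetworkManager calls it as: <script> <interface> <action>
# Every knob is an environment variable so the logic can be exercised
# without a real DC (e.g. DC_PROBE=false).

DC_PROBE="${DC_PROBE:-wbinfo --ping-dc}"          # succeeds when a DC answers
DC_TIMEOUT="${DC_TIMEOUT:-10}"                    # the "short time out" from the post
RENEW_CMD="${RENEW_CMD:-net ads kerberos renew}"  # renews the cache in KRB5CCNAME
CCACHE_GLOB="${CCACHE_GLOB:-/tmp/krb5cc_*}"       # assumed per-user FILE caches

# wait_for_dc SECONDS: poll the probe once a second until it succeeds.
# Returns 0 when a DC is reachable, 1 when the deadline passes, so the
# caller can fall back to winbind's offline logon instead of hanging.
wait_for_dc() {
    deadline=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if $DC_PROBE >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
    done
    return 1
}

# renew_all_caches: renew every per-user cache as its owning user, never as
# root, so a hook bug cannot read or replace another user's credentials.
# Returns the number of caches that failed to renew (0 = all good).
renew_all_caches() {
    failed=0
    for cc in $CCACHE_GLOB; do
        [ -f "$cc" ] || continue
        owner=$(stat -c %U "$cc")                 # GNU coreutils stat
        if ! su -s /bin/sh "$owner" -c "KRB5CCNAME=FILE:$cc $RENEW_CMD" \
                >/dev/null 2>&1; then
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only act on link-up / VPN-up events; anything else is a no-op.
case "${2:-}" in
    up|vpn-up)
        if wait_for_dc "$DC_TIMEOUT"; then
            renew_all_caches || logger -t winbind-krb5 "$? cache(s) not renewed"
        else
            logger -t winbind-krb5 "no DC within ${DC_TIMEOUT}s, staying offline"
        fi
        ;;
esac
```

Renewal only extends a ticket that is still within its renewable lifetime; a cache that has fully expired needs a fresh logon (or screen-unlock through pam_winbind) rather than this hook.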