Dear all
My laptop running Arch Linux is domain joined to the office AD domain.  I run
winbind locally (smb.conf below).  I can
use Kerberos and cifs with autofs to make Windows shares appear on demand.
pam_winbind etc. just works. Lovely.
I then fire up my laptop road-warrior VPN - I need to appear to be coming from
the office for a lot of my customers.  At
this point my AD connection stops working properly.
Wireshark and the logs show that when I use my VPN, the CLDAP over
UDP phase, where winbind looks
for AD details, works fine.  I see loads of queries and sensible responses.
Once winbind is happy that it knows what is what (which site, IPs etc), it
switches to LDAP over TCP.  That's where it
goes wrong.  Wireshark watching the VPN tunnel sees a SYN, SYN-ACK, RST.
I've checked that the sequence numbers are OK.
I've eliminated things like MTU - I can run 1472 byte pings (ipv4) or 1452
(ipv6) across the VPN.  IPv4 and IPv6 are in
play but both work fine outside of this. I can run LDAP searches from my laptop
using ldapsearch.
I think that winbind is binding to an address and claiming to be the wrong one
when the VPN is running and hence
breaking things.  I've tried "bind interfaces only" but that does
not work.
Cheers
Jon
# /etc/samba/smb.conf
# JG 8 Nov 2016
# JG 7 Apr 2017
# https://wiki.samba.org/index.php/Samba_4.3_Features_added/changed
# 3 Sep 2020 - add multi channel support
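# Global settings: this host is an AD domain member (security = ADS) and
# runs winbind for user/group lookup.  The share sections below inherit
# everything set here.
[global]
        # Bind only to the listed interfaces.  Only the Wi-Fi adapters and
        # loopback are named; a VPN tunnel interface does not appear to be
        # in this list, which is worth checking when AD traffic is routed
        # over the VPN (assumption based on the problem description).
        bind interfaces only = yes
        interfaces           = wlp* 127.0.0.1 ::1
        workgroup     = BLUELOOP
        realm         = BLUELOOP.NET
        server string = Samba Server
        # AD member; Kerberos keys are taken from the system keytab.
        security                  = ADS
        kerberos method           = secrets and keytab
        kerberos encryption types = strong
        dedicated keytab file     = /etc/krb5.keytab
        obey pam restrictions     = yes
        # Protocol floor, with SMB signing required in both directions.
        client min protocol   = SMB2_10
        server min protocol   = SMB3_11
        client signing        = mandatory
        server signing        = mandatory
        server multi channel support = yes
        aio read size                = 1
        aio write size               = 1
        # Diagnostic logging.  winbind at level 10 is very verbose and can
        # record sensitive protocol detail in the log files; lower it once
        # the connectivity problem is resolved.
        logging        = file
        log level      = 5 winbind:10
        max log size   = 1024
        debug uid      = yes
        printcap name  = cups
        # ID mapping: rid for the BLUELOOP domain, tdb for everything else.
        # The two ranges (10000-19999 and 1000000-1999999) do not overlap.
        idmap config * : backend = tdb
        idmap config * : range   = 1000000-1999999
        idmap config BLUELOOP : backend = rid
        idmap config BLUELOOP : range   = 10000 - 19999
        # seconds
        idmap negative cache time  = 5
        local master = no
        template shell             = /bin/bash

        winbind enum users         = yes
        winbind enum groups        = yes
        # Nested group expansion depth (integer).  The original file set this
        # key twice ("2" and later "yes"); the later, non-integer duplicate is
        # removed so the effective value no longer depends on parse order.
        winbind expand groups      = 2
        winbind use default domain = yes
        winbind offline logon      = yes
        winbind refresh tickets    = yes
        # seconds
        winbind reconnect delay    = 5
        winbind cache time         = 10
        # No guest access anywhere.
        guest account = nobody
        map to guest  = never
        guest ok      = no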
# Per-user home directories, exported under each user's own name.
# "writable = yes" is the documented synonym for "read only = no".
[homes]
        comment    = Home Directories
        browseable = no
        writable   = yes
        # smb.conf(5) shows "valid users = %S" for [homes] so a user can only
        # open their own home share; it is not set in this file.
# Shared data area, listed in share browsing.  Guest access is refused by
# the [global] settings, so only authenticated users reach it.
# "writable = yes" is the documented synonym for "read only = no".
[shared]
        comment    = Shared data
        browseable = yes
        writable   = yes
        path       = /srv/shared