On Thu, 2020-11-19 at 10:48 +0100, Marco Gaiarin via samba wrote:
> Mandi! Jon Gerdes via samba
>   In chel di` si favelave...
>
> > I think that winbind is binding to an address and claiming to be the wrong one when the VPN is running and hence
> > breaking things. I've tried "bind interfaces only" but that does not work.
>
> OpenVPN and Samba on the same host? If yes, probably you have to do
> some sort of SNAT...

Thanks for the responses. I've just re-read man smb.conf and bind interfaces only mentions smbd and nmbd. Perhaps winbind ignores it.

I am now guessing, but it looks like winbind happily chatters CLDAP over UDP, which is connectionless by definition, but when it switches to TCP for LDAP it:

* Opens a local socket which is on a "real" interface and sends that out; the VPN sends it and becomes the source IP
* The SYN-ACK comes back (the other end doesn't care)
* An RST is sent because there is no listening socket on the tun interface

I think I have painted myself into a corner! It looks like SNAT is needed or a feature request/bug for winbind. My other option is to turn my OpenVPN connection into the opposite of the usual split tunnel or perhaps switch to IPSEC.

Cheers
Jon
Mandi! Jon Gerdes via samba
  In chel di` si favelave...

> I think I have painted myself into a corner! It looks like SNAT is needed or a feature request/bug for winbind. My

AFAIK it is not a bug of winbind, but a feature of linux, that always replies with the 'nearest ip', not the 'calling/called' one...

--
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
On Thu, 2020-11-19 at 15:56 +0100, Marco Gaiarin via samba wrote:
> Mandi! Jon Gerdes via samba
>   In chel di` si favelave...
>
> > I think I have painted myself into a corner! It looks like SNAT is needed or a feature request/bug for winbind. My
>
> AFAIK it is not a bug of winbind, but a feature of linux, that always
> replies with the 'nearest ip', not the 'calling/called' one...

Again, thanks a lot for the responses. This has been causing me problems for months now. Within a day of some sensible answers I hit on the solution.

I had, of course, not given you all the details. One of our office DCs lives at home with me, on another VLAN from my laptop. There's a site to site VPN for both IPv4 and 6. I have quite an involved home IT setup 8)

When I start up my laptop, winbind queries the domain and connects to the local DC as it should and all is fine. I login. I then decide to connect my local laptop VPN so that I can "be" in the office and hence use the office VPNs etc to connect to customer sites. At this point, winbind tries to talk to my home DC but the VPN sends the TCP traffic up the link. UDP works OK because it is connectionless. When winbind uses CLDAP it still picks my local DC because it sees the address as more local, which is fair enough.

I fixed it by putting a static route for my entire network via my local gateway. That overrides the VPN routing by being more specific. My home VLANs' IPv4 subnets are all /24 and aggregate to a single /16. I could have fixed it with a /32 for the DC, but although everything else seems to work there will be other things that work like winbind that I'm not aware of.

I'm putting this one down as a win for the list, even though I fixed it myself. I needed some sensible counter arguments and discussion to jog the grey cells. I feel a bit daft now that I didn't sort this out months ago.

Thanks again.
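The mechanism behind Jon's fix (and behind Marco's "nearest ip" remark) is the kernel's longest-prefix-match route lookup: the most specific matching prefix picks the egress interface, and the preferred source address of that route is what winbind's TCP socket ends up using. The following Python is an added illustration, not code from the thread or from Samba; the interface names, prefixes and addresses are constructed to mirror the setup described (a laptop VLAN, a DC on a second home VLAN, an OpenVPN tunnel that installs a default route), and it shows how adding the /16 via the local gateway flips both the interface and the source address for the DC without touching routes to anything else.

```python
import ipaddress

# Constructed routing table modelled on the thread's setup. Every address,
# prefix and interface name here is an assumption for the example, not a
# value taken from the list posts.
# Each route: (destination prefix, egress interface, preferred source address)
ROUTES_WITH_VPN = [
    ("0.0.0.0/0",      "tun0", "10.8.0.2"),      # default route pushed by the VPN
    ("10.8.0.0/24",    "tun0", "10.8.0.2"),      # VPN tunnel subnet
    ("192.168.5.0/24", "eth0", "192.168.5.10"),  # laptop's own VLAN (connected route)
]

HOME_DC = "192.168.7.20"        # DC on another home VLAN (assumed)
LOCAL_GATEWAY = "192.168.5.1"   # home router on the laptop's VLAN (assumed)


def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does: the most specific
    matching prefix wins regardless of its position in the table."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    if best is None:
        raise LookupError(f"no route to {dst}")
    net, iface, src = best
    # The source address is chosen from the winning route's interface, which is
    # why a socket that is not bound to an address "follows" the VPN route.
    return {"prefix": str(net), "iface": iface, "src": src}


def add_specific_route(routes, prefix, iface, src):
    """Return a new table with an extra (more specific) route appended."""
    return routes + [(prefix, iface, src)]


def ip_route_command(prefix, gateway, iface):
    """The iproute2 command that installs such a static route on Linux."""
    return f"ip route add {prefix} via {gateway} dev {iface}"


def explain(routes, dst):
    r = lookup(routes, dst)
    return f"{dst} via {r['iface']} src {r['src']} (matched {r['prefix']})"


if __name__ == "__main__":
    print("before fix:", explain(ROUTES_WITH_VPN, HOME_DC))
    fixed = add_specific_route(ROUTES_WITH_VPN, "192.168.0.0/16", "eth0", "192.168.5.10")
    print("after fix: ", explain(fixed, HOME_DC))
    print("internet:  ", explain(fixed, "8.8.8.8"))   # still goes through the VPN
    print("command:   ", ip_route_command("192.168.0.0/16", LOCAL_GATEWAY, "eth0"))
```

On a real host the same check is `ip route get <dc-address>`, run before and after the VPN comes up: the `dev` and `src` fields it prints are exactly the two values the lookup above returns, and they tell you which address winbind's LDAP connection will carry. Covering the whole /16 rather than a /32 for the DC, as the post says, also protects any other service that resolves home addresses after the tunnel is established.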