Samba winbind.service needs restart after reboot

English Network/Internet
1

Hi all,

we use Leap 16 Clients that are members of a Windows AD domain. Samba-winbind is used to join the domain. Kerberos is used for authentication. Only domain users are used to log in.

After the upgrade from Leap 15.6 to Leap 16.0 on some clients (happens on some clients with identical and different hardware) domain users can not login after a reboot.

worklin16:~ # journalctl -u winbind -b
Mai 06 13:57:08 localhost.localdomain systemd[1]: Starting Samba Winbind Daemon...
Mai 06 13:57:09 localhost.localdomain systemd[1]: Started Samba Winbind Daemon.
Mai 06 13:57:12 worklin16 winbindd[2910]: [2026/05/06 13:57:12.374608,  0, traceid=1] ../../source3/librpc/crypto/gse.c:1047(gensec_gse_client_prepare_ccache)
Mai 06 13:57:12 worklin16 winbindd[2910]:   gensec_gse_client_prepare_ccache: Kinit for LOCALHOST$@***domain*** to access cifs/dc6.***domain*** failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE

A manual restart of winbind.service is necessary to allow a domain user to log in. I thought the network is not online when winbind start. Therefore, I added a dependency to the service.

worklin16:~ # systemctl cat winbind
# /usr/lib/systemd/system/winbind.service
[Unit]
Description=Samba Winbind Daemon
Documentation=man:winbindd(8) man:samba(7) man:smb.conf(5)
After=network.target nmb.service
Before=nss-user-lookup.target
Wants=nss-user-lookup.target

[Service]
Type=notify
PIDFile=/run/samba/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
Environment=KRB5CCNAME=/run/samba/krb5cc_samba
Environment=KRB5RCACHEDIR=/var/cache/krb5rcache
ExecStart=/usr/sbin/winbindd --foreground --no-process-group $WINBINDOPTIONS
ExecReload=/bin/kill -HUP $MAINPID
LimitCORE=infinity


[Install]
WantedBy=multi-user.target

# /etc/systemd/system/winbind.service.d/override.conf
[Unit]
Wants=network-online.target
After=network-online.target

[Service]
ExecStartPre=/usr/bin/sleep 1

But this does not always help. Sometimes a manuel restart is still required.

Does anyone have an idea, what could be the problem here? It is weird that it only happens sometimes and on some clients. Could NetworkManager be the problem? It is the default network manager since Leap 16.0.

Thanks a lot.

Best regards,
Gregor