Recent updates
  • UPDATE:
    After following Mr McShane's advice and making the following change to "/etc/samba/smb.conf":
    winbind offline logon = yes
    I haven't had a single VPN connection drop, nor have I had to bump the SMB Cache to restore service.
    I'm recommending his solution, and will mark this as resolved in 2 more weeks if all holds fast.
    Michael Tate

  • Before replying to this thread, I tried setting a "tab refresh" in Firefox to refresh the accounts page in the WebGUI, but that also failed.

    So I modified the cron job to clear cache first:
    */5 * * * * /usr/sbin/nscd -i passwd && /usr/bin/getent passwd && /usr/sbin/nscd -i group && /usr/bin/getent group
    But that didn't help; my users still got kicked off. I even ran it manually when we got disconnected, but that didn't allow us to authenticate.

    It wasn't until I logged into the WebGUI and forced a cache refresh that users were allowed to authenticate.


    MICHAEL TATE
    YouDecide | IT

  • I'm afraid that didn't resolve the issue. Even running it manually generates output from AD, but doesn't permit OpenVPN authentication from AD.

    I have found that I have to refresh the cache on the WebGUI to let the AD Connector resume authentication. Could the nscd be involved in my issue?

    MICHAEL TATE
    YouDecide | IT

  • Admin YouDecide

    OpenVPN dropping connections

    Lately our OpenVPN connections are dropping, and when the users go to reconnect they can't get past the login prompt.
    We have the Active Directory Connector installed and connected to the main DC.

    To resolve the issue, I have to open "System > Accounts > Users" and "System > Accounts > Groups" and wait for the list to populate, then Stop and Restart OpenVPN. Then the users can authenticate.

    Has anyone else had this issue?

    MICHAEL TATE
    YouDecide | IT


    ====== Software Version ======
    2.2.0-1


    ====== Message Logs ======
    === User logs in ===
    Mar 2 07:17:44 VPNSERVER openvpn[1183]: 66.138.xxx.92:63xx4 TLS: Username/Password authentication succeeded for username 'REMOTEUSER'

    === Begin error (nothing in log for prior 45 minutes) ===
    Mar 2 08:00:47 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 TLS: soft reset sec=1017 bytes=69159716/67108864 pkts=106513/0
    Mar 2 08:00:47 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 VERIFY OK: depth=1, C=US, L=Duluth, O=ClearOS, OU=DUL, CN=ca.xxxx.youdecide.com, emailAddress=xxxxxx@xxxx.youdecide.com, O=YouDecide, ST=GA
    Mar 2 08:00:47 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 VERIFY OK: depth=0, C=US, ST=GA, L=Duluth, O=ClearOS, O=YouDecide, OU=DUL, CN=REMOTEUSER, emailAddress=REMOTEUSER@youdecide.com
    Mar 2 08:00:49 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
    Mar 2 08:00:49 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
    Mar 2 08:00:49 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 TLS Auth Error: Auth Username/Password verification failed for peer
    Mar 2 08:00:49 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Mar 2 08:01:47 VPNSERVER openvpn[1183]: REMOTEUSER/66.138.xxx.92:63xx4 TLS Error: local/remote TLS keys are out of sync: [AF_INET]66.138.xxx.92:63xx4 (via [AF_INET]172.xxx.xxx.250%enp5s0) [1]

    === Clicking on Users & Groups to enumerate the lists ===
    Mar 2 08:06:59 VPNSERVER systemd: Starting Cleanup of Temporary Directories...
    Mar 2 08:06:59 VPNSERVER systemd: Started Cleanup of Temporary Directories.
    Mar 2 08:07:06 VPNSERVER clearsyncd[707]: System Events: Socket hang-up: 29
    Mar 2 08:07:06 VPNSERVER clearsyncd[707]: System Events: Socket hang-up: 29
    Mar 2 08:07:08 VPNSERVER webconfig: Redirecting to /bin/systemctl stop winbind.service
    Mar 2 08:07:08 VPNSERVER systemd: Stopping Samba Winbind Daemon...
    Mar 2 08:07:08 VPNSERVER systemd: Stopped Samba Winbind Daemon.
    Mar 2 08:07:08 VPNSERVER webconfig: Redirecting to /bin/systemctl start winbind.service
    Mar 2 08:07:08 VPNSERVER systemd: Cannot add dependency job for unit microcode.service, ignoring: Unit is not loaded properly: Invalid argument.
    Mar 2 08:07:08 VPNSERVER systemd: Starting Samba Winbind Daemon...
    Mar 2 08:07:08 VPNSERVER systemd: winbind.service: Supervising process 21616 which is not our child. We'll most likely not notice when it exits.
    Mar 2 08:07:08 VPNSERVER systemd: Started Samba Winbind Daemon.

    === Restarting OpenVPN ===
    Mar 2 08:07:40 VPNSERVER systemd: Stopping OpenVPN Robust And Highly Flexible Tunneling Application On clients/tcp...
    Mar 2 08:07:40 VPNSERVER systemd: Stopped OpenVPN Robust And Highly Flexible Tunneling Application On clients.
    Mar 2 08:07:44 VPNSERVER systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On clients/tcp...

    === User logs back in ===
    Mar 2 08:07:46 VPNSERVER openvpn[22173]: 66.138.xxx.92:63xx8 TLS: Username/Password authentication succeeded for username 'REMOTEUSER'
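
The log above shows a session that authenticated, hit a soft reset, and then failed PLUGIN_AUTH_USER_PASS_VERIFY on re-authentication. The following is an added example, not part of the original post: a small Python triage script that separates such re-authentication failures (a hint that the PAM/winbind backend is at fault, since the same daemon accepted the credentials earlier) from failures at first login. The sample lines, host name, user name and addresses are constructed placeholders, and the classification is a heuristic.

```python
import re

# Constructed sample lines modelled on the syslog format in the post above;
# host name, user name and addresses are placeholders.
SAMPLE_LOG = """\
Mar 2 07:17:44 vpn01 openvpn[1183]: 203.0.113.10:50001 TLS: Username/Password authentication succeeded for username 'alice'
Mar 2 08:00:47 vpn01 openvpn[1183]: alice/203.0.113.10:50001 TLS: soft reset sec=1017 bytes=69159716/67108864 pkts=106513/0
Mar 2 08:00:49 vpn01 openvpn[1183]: alice/203.0.113.10:50001 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Mar 2 08:00:49 vpn01 openvpn[1183]: alice/203.0.113.10:50001 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 2 08:03:10 vpn01 openvpn[1183]: 198.51.100.7:40222 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
"""

# Groups: timestamp, daemon pid, optional "user/" prefix, peer address, message
LINE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+openvpn\[(\d+)\]:\s+"
    r"(?:([^/\s]+)/)?(\S+)\s+(.*)$"
)
AUTH_OK = re.compile(r"authentication succeeded for username '([^']+)'")
PLUGIN_FAIL = "plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed"


def classify_auth_failures(log_text):
    """Return (timestamp, user, peer, kind, after_soft_reset) per plugin failure.

    kind is "reauth_failure" when the same daemon (pid) already accepted
    credentials from that peer, otherwise "login_failure".
    """
    sessions = {}  # (pid, peer) -> {"user": name, "reset": soft reset seen}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, pid, user, peer, msg = m.groups()
        key = (pid, peer)
        ok = AUTH_OK.search(msg)
        if ok:
            sessions[key] = {"user": ok.group(1), "reset": False}
        elif msg.startswith("TLS: soft reset") and key in sessions:
            sessions[key]["reset"] = True
        elif PLUGIN_FAIL in msg:
            s = sessions.get(key)
            kind = "reauth_failure" if s else "login_failure"
            findings.append((ts, s["user"] if s else user, peer, kind,
                             bool(s and s["reset"])))
    return findings


if __name__ == "__main__":
    for finding in classify_auth_failures(SAMPLE_LOG):
        print(finding)
```

A cluster of "reauth_failure" entries across several users at the same time is a reason to check the directory backend before treating the events as bad passwords.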
