...or, more to the point, when I fall *off* the VPN. If I suspend my laptop and resume, for example, it'll fall off the VPN and then ask me for my password to unlock the screen.
And then it'll take about four minutes to authenticate me using winbind. That seems to be the amount of time it takes to realise that it's fallen off the corporate network.
I think at the very least we need a timeout for individual authentication requests. If we have cached credentials and an online request takes more than 20 seconds, then we should abort the online request (or continue it in the background) and use the cached credentials to authenticate the user.
Implementation detail: Obviously we do still want the Kerberos tickets to be obtained for the user when this happens. We'll need to think about what triggers that -- currently I think it's a "joined domain" event which triggers the fetching of TGTs for users who have logged in offline, and we need to ensure that it still happens if we never fell *off* the domain but it was just being slow.
Instead of a timeout, I've also pondered the possibility of *always* doing offline authentication in the PAM auth call, and doing the rest of it from the PAM open_session or setcred calls.