
Debian Stretch: Samba Winbind Offline Logon Not working - kerberos keytab not persistent after reboot?

1 vote
0 answers
1094 views
This is being tried on Debian stretch, referred to as 9.6 in /etc/debian_version.

I'm in a Windows Domain environment with two 2012R2 controllers that have IDMU/Unix Attributes.

Other versions of stuff:

    Samba version 4.5.12-Debian
    winbindd version 4.5.12-Debian

Also installed:

    krb5-user
    libnss-winbind
    libpam-winbind
    oddjob-mkhomedir

I'm hoping I can log in with domain users at the default console user credential prompt. I've been trying ALL SORTS of stuff, but can't seem to get it to work.

I think my issue is that kerberos keytabs aren't persistent after reboot?

I followed this guide on the official Wiki: https://wiki.samba.org/index.php/PAM_Offline_Authentication

I tried it with the default setting of /tmp/krb5cc but no luck - thought process is that this location is not persistent after reboot?

So then I thought maybe I could get the keytab to save in another location besides /tmp, so I set the KRB5CACHE environment variable to a folder that's persistent - and I can get kinit to save there.

But I can't get the /etc/security/pam_winbind.conf user keytab info to save in a different folder, even if I change

    krb5_ccache_type = FILE:/my/persistent/location/krb5cc

It still always saves it as /tmp/krb5cc when I invoke:

    # wbinfo -K DOMAIN\\username%password

I CAN get the response of:

    plaintext kerberos password authentication for [WEBTOOL\avery%Person01] succeeded (requesting cctype: FILE)
    user_flgs: NETLOGON_CACHED_ACCOUNT
    credentials were put in: FILE:/tmp/krb5cc_0

but when I reboot it doesn't matter -- and ONLY if I invoke smbcontrol winbind offline - the /etc/samba/smb.conf param winbind offline logon = yes does not seem to work, even though it's set.

(And yes, I have reset samba and winbind using /etc/init.d and systemctl after editing .conf files, not to mention rebooting over and over again to try the offline winbind login.)

I even tried giving my domain user a UNIX passwd. Not even that worked.

So what's up? Anybody have login for domain users after reboot?
Asked by Avery Freeman (203 rep)
Dec 4, 2018, 07:15 PM
Last activity: Jan 2, 2019, 03:19 PM