[Samba] Possible alternate solution to "Trust relationship between this workstation...."

David Whitney soonerdew at gmail.com
Tue Dec 29 09:11:55 MST 2009


All:

On various occasions, some users have posted questions regarding the
situation in which their Vista clients are unable to log on to their Samba
PDC from their workstations, receiving the "The trust relationship between
this workstation and the primary domain has failed" message. Ordinarily, the
solution I have seen for this issue is to remove the machine from the domain
and rejoin it.

I just went through an instance of this very issue, but was able to solve it
*without* removing the machine from the domain. I cannot promise what I did
will solve the problem in every case, but here's what I did: I resynced the
PDC's and Vista client's time and the troublesome Vista client to a common
network time source. Once this was done, the "trust failed" message
disappeared and all clients were able to log in.

I cannot point chapter-and-verse to why this resolved the issue, and I'm not
nearly familiar enough with Samba internals to assert this as absolute, but
I have a rough theory. I'm speculating that a time difference between the
PDC and the Vista box ultimately led to the machine password's LCT being set
to a value that, when the next authentication cycle hit, actually made the
PDC believe the current time (time of next authentication) to be *before* the
machine account's LCT date. This seemingly impossible situation caused Samba
to fail the authentication attempt, and return the trust failed message.

My theory may be way off base, but perhaps it might spur some thought on the
issue, or at a minimum offer a hope for an alternative solution to this
problem other than the hassle of removing/rejoining the domain.

My environment: Samba 3.3.4 PDC on Slackware 13; troublesome workstation
Vista Ultimate, which is a wirelessly connected laptop.

Warm regards all,

-David
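
One way to test the theory in the post above on a PDC, as an added example that is not part of the original message: list machine accounts whose password last-change time (LCT) is later than the PDC's own clock. It assumes the record layout and timestamp format of `pdbedit -L -v` output; the sample records, the clock value and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout of `pdbedit -L -v` (not output from the poster's PDC).
SAMPLE = """\
Unix username:        vista01$
Account Flags:        [W          ]
Password last set:    Tue, 29 Dec 2009 09:30:00 MST
---------------
Unix username:        xp02$
Account Flags:        [W          ]
Password last set:    Mon, 14 Dec 2009 08:00:00 MST
---------------
Unix username:        david
Account Flags:        [U          ]
Password last set:    Tue, 29 Dec 2009 10:00:00 MST
"""

FMT = "%a, %d %b %Y %H:%M:%S"  # assumed timestamp layout, zone name stripped first

def parse_accounts(text):
    """Yield (username, flags, lct) per record; lct is naive PDC-local time."""
    rec = {}
    for line in text.splitlines() + ["-"]:          # trailing "-" flushes the last record
        if line.startswith("-"):
            try:
                stamp = rec["Password last set"].rsplit(" ", 1)[0]
                yield (rec["Unix username"], rec.get("Account Flags", ""),
                       datetime.strptime(stamp, FMT))
            except (KeyError, ValueError):
                pass                                # incomplete record or unparsable date
            rec = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()

def future_lct(text, pdc_now, tolerance=timedelta(0)):
    """Return (name, lead) for machine accounts whose LCT is ahead of the PDC clock."""
    return [(name, lct - pdc_now)
            for name, flags, lct in parse_accounts(text)
            if "W" in flags and lct - pdc_now > tolerance]

if __name__ == "__main__":
    now = datetime(2009, 12, 29, 9, 11, 55)         # constructed PDC clock reading
    for name, ahead in future_lct(SAMPLE, now):
        print(f"{name}: LCT is {ahead} ahead of the PDC clock")
```

On a live PDC, pass the real `pdbedit -L -v` output and `datetime.now()` instead of the constructed values.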

