Vista connecting to Samba domain: The trust relationship between this workstation and the primary domain failed

acilug
Hello guys,

we have about 10 Vista Enterprise Computers connecting to a Samba Domain with Kerberos.

Most of the time everything works perfectly. All the computers are inside of the domain and all the users can login with their directory profiles without a problem.

But time to time (once every two days more and less), the error message "The trust relationship between this workstation and the primary domain failed" appears. Then a few minutes or hours later they try again without changes and everything works again. The problem happens in all the computers, not just one.

Any ideas on how to solve this strange problem?

Thanks in advance,

GA
President, IT4SOHO, LLC
Commented:
From the behavior you're describing, you've got your Vista systems connecting to a Samba system configured as a PDC, but through some fluke you're occasionally getting a "trust relationship" error that self-corrects.

My first stab at this would be to look at the times on the different systems... Specifically, since you're already using domain logins & roaming profiles, set up the Samba Server as an NTPD client (to a higher stratum NTP server), and then have the clients sync time with the Samba system every time they login.

A decent HOWTO for setting up your NTP Client is found at:
  http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch24_:_The_NTP_Server

The line you put in the [global] section of your Samba config file (/etc/samba/smb.conf, or wherever) is:
  time server = Yes

And the command you put in your logon script for your clients is:
  net time \\servername /set /yes

The above 3 steps will:
 1) set & keep your Linux system in time-sync with the outside world
 2) set up your Linux system as a Windows Time Server
 3) force your clients to time sync to the Linux Server every time they login


To be honest, I'm not sure of anything else that would result in Vista believing the trust relationship is broken for a while, then thinking it is OK again... unless it could be a port 445 issue:
  > Many "older" Microsoft-experienced admins are aware of how Samba & NetBios uses ports 137-139, but are not so much aware of the SMB-over-TCP port 445 use. So if your firewall is allowing ports 137-139, but not port 445, you may be seeing this error on rare occasions.

Those are my first guesses.... Good Luck!

Dan
IT4SOHO

PS: Upon further thought, you might also want to verify your LAN's DNS is working!
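As an added check for the first two of Dan's three steps (this is example code written for this thread, not something from the thread or from Samba), the script below parses an smb.conf the way Samba reads it (case-insensitive keys with spaces, `;`/`#` comments, yes/true/1 booleans) and reports whether `time server` is on in `[global]`, then tests whether a client clock is close enough to the server's for Kerberos. The 300-second limit is the MIT krb5 default clock skew tolerance; the sample smb.conf and the clock values are constructed for the demo. The NTP daemon setup and the `net time` logon line are left as the HOWTO and the post above describe them.

```python
# Added example for this thread (not code from the thread or from Samba itself).
# It checks the two server-side points the answer above raises: whether smb.conf
# enables "time server" in [global], and whether a client's clock is close enough
# to the server's for Kerberos. The 300-second tolerance is the MIT krb5 default
# ("clockskew"); the sample smb.conf below is constructed for the demo.
import re

# Constructed sample: a minimal PDC-style [global] section with the recommended line.
SAMPLE_SMB_CONF = """
# Samba configuration (constructed sample)
[global]
    workgroup = EXAMPLE
    domain logons = yes
    domain master = yes
    ; the line the answer recommends
    time server = Yes

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
"""

KERBEROS_MAX_SKEW = 300  # seconds; MIT krb5 default for clockskew

_TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Samba keys are case-insensitive and may contain spaces; ';' and '#'
    start comment lines. Later duplicates override earlier ones, as Samba does.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())   # normalise case and whitespace
        conf[section][key] = value.strip()
    return conf


def samba_bool(value):
    """Interpret a Samba boolean value; anything unrecognised counts as false."""
    return value.strip().lower() in _TRUE_WORDS


def is_time_server(conf):
    """True if [global] has 'time server' enabled (Samba's default is no)."""
    return samba_bool(conf.get("global", {}).get("time server", "no"))


def clock_skew(client_epoch, server_epoch):
    """Absolute difference between two clocks, in seconds."""
    return abs(client_epoch - server_epoch)


def within_kerberos_skew(client_epoch, server_epoch, max_skew=KERBEROS_MAX_SKEW):
    """True when the KDC would still accept this client's tickets under the
    default 5-minute tolerance. Skew at or beyond the limit fails."""
    return clock_skew(client_epoch, server_epoch) < max_skew


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("time server enabled:", is_time_server(conf))
    # A client that rebooted with a hardware clock 6 minutes behind the server:
    print("6 min skew accepted:", within_kerberos_skew(1_000_000, 1_000_360))
```

Feed `parse_smb_conf` the text of your real `/etc/samba/smb.conf` and compare the client and server clocks (for example, `date +%s` on the server against the client's time) right after a reboot, which is when a drifted hardware clock would show up before the logon script has run `net time`.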

Author

Commented:
Please do not close it yet. I have tested the solutions but it did not work out. I have some further comments to add.

Author

Commented:
We have tested the problem and we found a pattern that breaks the trust between Vista and the SMB server. Whenever we restart the computers, the trust is lost for around 2 hours, then it connects OK again. Any ideas?

Thanks,
Daniel McAllister, President, IT4SOHO, LLC

Commented:
I have read in several places that Vista (much more strongly than XP) prefers NTLMv2 authentication, and will only fall back to NTLM (v1) after a lengthy timeout.

So, try this on one of your Vista clients:
 - Open your security policy manager (secpol.msc)
 - Select Local Policies -> Security Options
 - Navigate to the policy "Network Security: LAN Manager authentication level" and open it
 - Change the default policy to "Send LM & NTLM - use NTLMv2 session security if negotiated"

Then reboot your Vista system and see if it effects the change you need.

Also note that Samba has made several updates (current versions 3.0.37, 3.3.7, & just to confuse folks, the new 3.4 is now officially released) to accommodate Vista and Windows 7 as it nears release. (NOTE: Version 3.4 is a step towards merging the Samba 3 tree with the Samba 4 tree in hopes of (soon) getting a full-blooded AD server capability within Samba.)

Good luck!

Dan
IT4SOHO
