Resolving Windows Client Trust Relationship Issues with Samba AD
Problem:
When attempting to log in to a Windows client that is joined to a Samba Active Directory (AD) domain, you may encounter the following error message:
“The security database on the server does not have a computer account for this workstation trust relationship.”
This indicates that the trust relationship between the affected Windows client and the Samba domain is broken.
Solutions:
There are two recommended approaches to resolve this issue: repairing the trust relationship or rejoining the domain.
Option 1: Repair the Trust Relationship via PowerShell
- Log in to the affected Windows client with a local administrator account.
- Open PowerShell with administrative privileges.
- Test the trust relationship by running:
  Test-ComputerSecureChannel -Verbose
  - Output True → The trust relationship is intact.
  - Output False → The trust relationship is broken.
- If the trust is broken, repair it using:
  Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
  Or specify the domain controller explicitly:
  Test-ComputerSecureChannel -Repair -Server master.example-school.loc -Credential Administrator
  You will be prompted for domain administrator credentials. The system will attempt to synchronize the computer account with the domain controller.
Advantages:
- No need to leave and rejoin the domain.
- Existing user profiles remain intact.
Disadvantages:
- May not work if the computer account in the Samba DB is severely corrupted.
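The Option 1 steps can be combined into one script that also reports when the repair did not hold and Option 2 is needed. This is an added example, not part of the original page. It assumes Windows PowerShell 5.1; the function name Repair-SambaTrust and the ports used for the reachability check are assumptions, and the domain controller name is the page's example host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). Assumes Windows PowerShell 5.1.
# Repair-SambaTrust is a hypothetical helper name; the default DC is the
# page's example host.

function Repair-SambaTrust {
    param(
        [string]$DomainController = 'master.example-school.loc',
        [Parameter(Mandatory)] [pscredential]$Credential
    )

    # Pre-check: confirm the DC answers before judging the computer account.
    # LDAP (389) and Kerberos (88) are assumed here as a basic liveness check.
    foreach ($port in 389, 88) {
        $ok = Test-NetConnection -ComputerName $DomainController -Port $port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) { return "Unreachable: ${DomainController}:$port" }
    }

    # Step 1: test the secure channel against the named DC.
    if (Test-ComputerSecureChannel -Server $DomainController) {
        return 'Intact'
    }

    # Step 2: attempt the in-place repair with domain administrator credentials.
    try {
        $repaired = Test-ComputerSecureChannel -Repair -Server $DomainController `
                        -Credential $Credential -ErrorAction Stop
    } catch {
        Write-Warning "Repair failed: $($_.Exception.Message)"
        $repaired = $false
    }

    # Step 3: re-test without -Repair so the result reflects the new state.
    if ($repaired -and (Test-ComputerSecureChannel -Server $DomainController)) {
        return 'Repaired'
    }
    return 'RejoinRequired'   # fall back to Option 2 (rejoin the domain)
}

# Prompts for domain administrator credentials, then prints the outcome.
Repair-SambaTrust -Credential (Get-Credential)
```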
Option 2: Rejoin the Domain
If the repair fails, rejoining the domain is necessary:
- Log in with a local administrator account.
- Remove the computer from the domain:
  - Right-click This PC → Properties → Advanced system settings → Computer Name.
  - Click Change….
  - Select Workgroup and enter, for example, WORKGROUP.
  - Restart the computer.
- Rejoin the computer to the domain example-school.loc.
- Provide domain administrator credentials when prompted.
- Restart the computer to apply changes.
Reference: Windows domain joins
Note: Always ensure that domain controllers are reachable and that network connectivity is stable before performing these steps.