Problem description:
With a samba 3.0.20 additional server in a Samba domain, when an invalid user
connects to the additional server, the communications between the Samba domain
controller and the additional server "get out of whack" and no new connections
are then allowed on the samba additional server.

To reproduce:
Setup a samba domain. Samba DC should be any recent release. Setup an
additional server w/ 3.0.20rc1 or latest from svn

Connect to the additional server from windows w/ an invalid userid.

C:\temp>net use \\as1lnx1\ipc$ /user:junk
System error 1311 has occurred.

There are currently no logon servers available to service the logon request.

-- Then ALL attempts are rejected:
C:\temp>net use k:  \\as1lnx1\bmarsh
System error 1311 has occurred.

There are currently no logon servers available to service the logon request.

You will see things like this in the log.wb-DOMAIN logs

[2005/08/03 08:54:07, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(795)
635816800:  NTLM CRAP authentication for user [DOMAIN]\[wit6] returned
NT_STATUS_NO_SUCH_USER (PAM: 10)

JMCD states - Basically, the credentials chain involves each side computing the
next credential from the previous one, and what happens is that a samba DC (yes,
it's your DC that is broken, 3.0.20 is simply what made it show up) assumes that
it should go to the next step, but that's not correct in certain cases (like
NO_SUCH_USER).  The winbindd client correctly assumes that it will pickup where
it left off, which works against windows.  

I'm assuming that winbind just used to close connections more often.  Also, the
existence of the user was checked first, so a samlogon wasn't done in this
case...we already knew from the normal nsswitch call that the user didn't exist.