The immediate consequence of this is that the trusted domain list remains empty indefinitely, causing login failures for all users of those domains. There is an obvious bug in the code that causes it (although I'm not sure what the solution should be): In winbind_cache.c, function trusted_domains(), under the do_query label there is a call to the trusted_domains() method of the domain's backend. If this backend is ADS, trusted_domains() in winbindd_ads.c gets called. It calls cm_connect_netlogon() and, if that fails, returns NT_STATUS_UNSUCCESSFUL. Now back in winbind_cache.c, this status is _not_ among the statuses that cause set_domain_offline() to get called, therefore the domain stays marked as online and the timer is not set to retry. The problem seems to be the same as described in bug #3798, from 2006(!).
Have you created a patch to test your theory?
(In reply to comment #1)
> Have you created a patch to test your theory?

As I have mentioned, I am not sure what the solution should be. I have added NT_STATUS_UNSUCCESSFUL to the list of the statuses that are checked against in trusted_domains() [winbind_cache.c], and yes, I saw the domain marked again as online after 10 seconds and the trusted domain list now gets populated. But that would be too broad a catch, wouldn't it?