Trying to authenticate a user from a child domain SUBDOM11 of a trusted AD forest fails, because when trying to connect to the DC of the root domain of the trusted forest in order to enumerate (in-forest) trusts, we fail to establish a netlogon connection:

[2017/11/26 19:20:40.391079,  1, pid=24889] ../source3/winbindd/winbindd_cm.c:3252(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for WDOM1, unable to create NETLOGON credentials: NT_STATUS_INVALID_PARAMETER

Because of this the user's domain SUBDOM11 is not in the winbind TDC cache:

$ bin/wbinfo -m --verbose
Domain Name   DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                             None        Yes         Yes  Yes
TITAN                               None        Yes         Yes  Yes
WDOM2         wdom2.site            None        Yes         Yes  Yes
WDOM1         wdom1.site            Forest      Yes         Yes  Yes

It should look like this:

$ bin/wbinfo -m --verbose
Domain Name   DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                             None        Yes         Yes  Yes
TITAN                               None        Yes         Yes  Yes
WDOM2         wdom2.site            None        Yes         Yes  Yes
WDOM1         wdom1.site            Forest      Yes         Yes  Yes
SUBDOM11      subdom11.wdom1.site   Forest      Yes         Yes  Yes
TREER11       treer11.site          Forest      Yes         Yes  Yes

Have a WIP patch, need a bug number.

This is a regression introduced by d7e31d9f4d9ce7395e458ac341dd83ac06255a20 "winbindd: Use rpccli_connect_netlogon".
Fwiw, this message is also logged in the log of the domain-child process of the trusted forest:

[2017/11/29 10:14:52.723321,  1, pid=19630] ../source3/winbindd/winbindd_util.c:393(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain WDOM1
Created attachment 13822: Patch that went into master
Fixed in master by 96b44e9da57~2..96b44e9da57.