Currently winbindd tries to contact trusted domains also via
SAMR or LDAP.
It was a big mistake to do this on a domain member, but users
seem to rely on some of this features.
We should not make the same mistake again and make sure
winbindd only uses netlogon and lsa lookup sid/names
using netlogon secure channel protection over an anonymous
dcerpc transport (ncacn_ip_tcp or ncacn_np as anonymous).
Created attachment 14004 [details]
Patch for 4.8 cherry-picked from master
Pushed to autobuild-v4-8-test.
Pushed to v4-8-test.
Closing out bug report.