Currently winbindd tries to contact trusted domains also via SAMR or LDAP. It was a big mistake to do this on a domain member, but users seem to rely on some of these features. We should not make the same mistake again and make sure winbindd only uses netlogon and lsa lookup sids/names using netlogon secure channel protection over an anonymous dcerpc transport (ncacn_ip_tcp or ncacn_np as anonymous).
Created attachment 14004: Patch for 4.8 cherry-picked from master
Pushed to autobuild-v4-8-test.
Pushed to v4-8-test. Closing out bug report. Thanks!