When winbindd (as NT4 PDC/BDC) tries to connect trusted domains via SMB, but it's not possible to use the trust account for SMB connections. So we try to use the local machine account. But NT4 PDC/BDC are not self joined, so we don't have a local machine account. Winbindd falls back to anonymous credentials, but then fails internally because we require signing, which is not possible with anonymous credentials. I think the fix should be using only anonymous SMB connections and require schannel authentication, which means SAMR is not possible anymore.