pam_winbind with krb5_auth or wbinfo -K relies on winbindd (on a domain member) having a complete picture of the trust topology (which is managed by the DCs). This is just not possible for a domain member! There might be uPNSuffixes and msDS-SPNSuffixes values, which don't belong to any AD domain at all. With "winbind scan trusted domains = no" we don't even get an incomplete picture of the topology. Instead we should just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM and follow the WRONG_REALM referrals in order to find the correct DC. The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE.
Created attachment 15489 [details] Patches for v4-11-test
Created attachment 15490 [details] Patches for v4-10-test
Comment on attachment 15489 [details] Patches for v4-11-test LGTM
Comment on attachment 15490 [details] Patches for v4-10-test LGTM
Karolin, please add to v4-10 and v4-11, Thanks!
(In reply to Guenther Deschner from comment #5) Pushed to both branches. Closing out bug report. Thanks!
Pushed to autobuild.