In bug #14130 (d78c87e665e2O) we changed rescan_forest_trusts() to ignore new irrelevant lsa attributes (such as tgt-delegation), but by that we also stopped filtering out trusts with the CROSS_ORGANIZATION attribute, which can cause authentication failure causing winbind to retry intensively. See also: https://bugzilla.redhat.com/show_bug.cgi?id=1859426
wip patch at: https://gitlab.com/samba-team/samba/-/merge_requests/1476
Leaving as is, see reasoning in the MR above.