We have a primary domain ZADARA2 and the trusted domain CHILD in the ignore list:
allow trusted domains = true
guest ok = No
security = ADS
realm = zadara2.lab
workgroup = ZADARA2
idmap config zadara2 : backend = rid
idmap config zadara2 : range = 5000000-15000000
idmap config * : backend = tdb
idmap config * : range = 1000001-2000000
winbind offline logon = yes
winbind scan trusted domains = Yes
winbind use default domain = No
winbind:ignore domains = CHILD TREE ZADARA3
As expected, wbinfo -m returns only the primary domain:
# wbinfo -m
However, user dimachild@CHILD can now log in successfully:
C:\Users\dimachild>net use \\10.2.4.28\smb1
The command completed successfully.
Back in Samba 4.5 it worked fine, i.e. the login failed. I guess this was broken in Samba 4.8, where "The dependency to global list of trusted domains within the winbindd processes has been reduced a lot.". If this is now "by design", the documentation, which says "Allows one to enter a list of trusted domains winbind should ignore (untrust).", probably at least needs to be fixed.
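The report above shows that wbinfo -m no longer listing CHILD says nothing about whether CHILD users can authenticate. A compensating check for administrators who relied on `winbind:ignore domains` as a restriction is to parse the ignore list out of smb.conf and alert on successful authentications whose client domain is on it. The following is an added example, not code from the bug report or from Samba: it parses the quoted configuration fragment and runs over a few constructed JSON audit records. The record shape (a top-level "type" of "Authentication" with "status", "clientDomain" and "clientAccount" fields) is assumed to follow Samba's JSON auth audit log; confirm it against your own log output before relying on it.

```python
"""
Added example (not from the Samba bug report): treat `winbind:ignore domains`
as a hint rather than an access control, and flag successful authentications
from domains the administrator meant to ignore.
"""
import json
import re

# smb.conf fragment, reduced to the lines relevant to this check (quoted
# from the report above).
SMB_CONF = """
[global]
allow trusted domains = true
security = ADS
realm = zadara2.lab
workgroup = ZADARA2
winbind:ignore domains = CHILD TREE ZADARA3
"""

# Constructed sample audit records. The field names (status, clientDomain,
# clientAccount, serviceDescription) are assumed to follow the shape of
# Samba's JSON auth audit log; verify against a real log before relying on it.
AUDIT_LINES = [
    '{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientDomain": "ZADARA2", "clientAccount": "alice", "serviceDescription": "SMB2"}}',
    '{"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientDomain": "CHILD", "clientAccount": "dimachild", "serviceDescription": "SMB2"}}',
    '{"type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "clientDomain": "TREE", "clientAccount": "bob", "serviceDescription": "SMB2"}}',
    '{"type": "Authorization", "Authorization": {"account": "alice"}}',
    'not a json line at all',
]


def parse_smb_conf(text):
    """Parse 'key = value' lines of an smb.conf fragment into a dict.

    Keys are normalised the way Samba treats them: case-insensitive and with
    internal whitespace removed, so 'winbind:ignore domains' and
    'winbind : ignore  domains' map to the same entry.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # blank, comment or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        conf[re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def ignored_domains(conf):
    """Return the set of domain names in 'winbind:ignore domains'.

    Whitespace or comma separation is assumed; domain names are compared
    case-insensitively, so they are normalised to upper case.
    """
    raw = conf.get("winbind:ignoredomains", "")
    return {d.upper() for d in re.split(r"[\s,]+", raw) if d}


def parse_auth_events(lines):
    """Yield (domain, account, status) for each Authentication record."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # plain-text log line, not JSON: skip it
        if not isinstance(rec, dict) or rec.get("type") != "Authentication":
            continue
        auth = rec.get("Authentication", {})
        yield (auth.get("clientDomain", "").upper(),
               auth.get("clientAccount", ""),
               auth.get("status", ""))


def unexpected_logins(conf_text, audit_lines):
    """Successful logins whose client domain is on the ignore list.

    This is the case the report demonstrates: CHILD is ignored and wbinfo -m
    no longer lists it, yet dimachild@CHILD authenticates. Returns the
    (domain, account) pairs so they can be alerted on.
    """
    ignored = ignored_domains(parse_smb_conf(conf_text))
    return [(domain, account)
            for domain, account, status in parse_auth_events(audit_lines)
            if status == "NT_STATUS_OK" and domain in ignored]


if __name__ == "__main__":
    for domain, account in unexpected_logins(SMB_CONF, AUDIT_LINES):
        print(f"ALERT: {account}@{domain} authenticated although {domain} "
              f"is in 'winbind:ignore domains'")
```

Run it against your own smb.conf and a file of JSON audit lines by replacing the two constructed constants; the only record that should trip the check in the sample data is the CHILD login from the report.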
Created attachment 16400
Patch for 4.13 and 4.14 cherry-picked from master
Created attachment 16401
Patch for 4.12 backported from master
The first patch that modifies selftest infrastructure didn't apply due to heavy changes in selftest provision between 4.12 and 4.13.
I opted to simply remove the tests from the patches to avoid backporting the DNS domainname changes.