We have a primary domain ZADARA2, and the trusted domain CHILD in the ignore list:

    [global]
    allow trusted domains = true
    guest ok = No
    security = ADS
    realm = zadara2.lab
    workgroup = ZADARA2
    idmap config zadara2 : backend = rid
    idmap config zadara2 : range = 5000000-15000000
    idmap config * : backend = tdb
    idmap config * : range = 1000001-2000000
    winbind offline logon = yes
    winbind scan trusted domains = Yes
    winbind use default domain = No
    winbind:ignore domains = CHILD TREE ZADARA3

As expected, wbinfo -m returns only the primary domain:

    # wbinfo -m
    BUILTIN
    VSA-00000004
    ZADARA2

However, the user dimachild@CHILD can now log in successfully:

    C:\Users\dimachild>net use \\10.2.4.28\smb1
    The command completed successfully.

Back in samba 4.5 it worked fine, i.e. the login failed. I guess this was broken in samba 4.8, where "The dependency to global list of trusted domains within the winbindd processes has been reduced a lot." If this is now "by design", we probably need to at least fix the documentation, which says "Allows one to enter a list of trusted domains winbind should ignore (untrust)."
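A check for the behaviour described above, added here as an example and not part of the report or of Samba: it parses the `winbind:ignore domains` list from smb.conf, compares it with `wbinfo -m` output, and flags any successful logon whose domain is on the ignore list (the domain is taken from the DOMAIN\user or user@DOMAIN form, so the check assumes NetBIOS-style names, not DNS realms). The smb.conf fragment, wbinfo output and logon outcomes are constructed to mirror the report.

```python
def parse_smb_conf(text):
    """(workgroup, ignored domains) from [global]; names upper-cased since NetBIOS names are case-insensitive."""
    workgroup, ignored, section = None, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() == "workgroup":
            workgroup = value.upper()
        elif key.lower() == "winbind:ignore domains":
            ignored = {d.upper() for d in value.replace(",", " ").split()}
    return workgroup, ignored

def parse_wbinfo_m(output):
    """Domain names printed by `wbinfo -m` (a pasted prompt/command line is skipped)."""
    return {l.strip().upper() for l in output.splitlines()
            if l.strip() and l.lstrip()[0] not in "#$"}

def principal_domain(principal, workgroup):
    """NetBIOS domain of DOMAIN\\user or user@DOMAIN; a bare user name belongs to the workgroup."""
    if "\\" in principal:
        return principal.split("\\", 1)[0].upper()
    if "@" in principal:
        return principal.rsplit("@", 1)[1].upper()
    return workgroup

def audit(smb_conf, wbinfo_m_output, logons):
    """logons: (principal, succeeded) pairs. Findings: ignored domains still enumerated, and logons allowed from them."""
    workgroup, ignored = parse_smb_conf(smb_conf)
    findings = [("enumerated", d) for d in sorted(ignored & parse_wbinfo_m(wbinfo_m_output))]
    for principal, ok in logons:
        if ok and principal_domain(principal, workgroup) in ignored:
            findings.append(("logon_allowed", principal))
    return findings

# Constructed inputs modelled on the report: the ignore list, the `wbinfo -m` output, and
# logon outcomes as one would gather with `wbinfo -a DOMAIN\user%pass` or from the auth log.
SMB_CONF = """[global]
workgroup = ZADARA2
winbind:ignore domains = CHILD TREE ZADARA3
"""
WBINFO_M = "BUILTIN\nVSA-00000004\nZADARA2\n"
LOGONS = [("ZADARA2\\alice", True), ("dimachild@CHILD", True), ("TREE\\bob", False)]
```

With the report's data, `audit(SMB_CONF, WBINFO_M, LOGONS)` returns only `("logon_allowed", "dimachild@CHILD")`: the ignore list is honoured for enumeration but not for authentication.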
Created attachment 16400: Patch for 4.13 and 4.14 cherry-picked from master
Created attachment 16401: Patch for 4.12 backported from master

The first patch that modifies selftest infrastructure didn't apply due to heavy changes in selftest provision between 4.12 and 4.13. I opted to simply remove the tests from the patches to avoid backporting the DNS domainname changes.