idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups. In case we have idmap_ad and a trusted domain and connect to a trusted domain, we create a krb5.conf for our realm but with the IP of the trusted domain KDC. Thus we try to get a krbtgt from the trusted domain for our machine account and fail. The trusted domain KDC doesn't know about our machine account. We need to look up the KDC IP in this case instead of providing one. Patch will follow.
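An added illustration of the mismatch described in the report, constructed for this page and not Samba's code: a minimal krb5.conf rendered for our realm but pinned to the trusted domain's KDC, the corrected form that leaves KDC discovery to DNS, and a check that flags a realm whose pinned KDC is not one of its own. Realm names, addresses and the realm-to-KDC map are made up.

```python
import re
from typing import Dict, List, Optional, Set

def render_krb5_conf(realm: str, kdc: Optional[str]) -> str:
    """Render a minimal krb5.conf for one realm.

    kdc=None writes no 'kdc =' line, so libkrb5 locates the KDC through
    DNS SRV records for that realm (dns_lookup_kdc) instead of a pinned IP.
    """
    body = [f"        kdc = {kdc}"] if kdc else []
    return "\n".join([
        "[libdefaults]",
        f"    default_realm = {realm}",
        "    dns_lookup_kdc = true",
        "",
        "[realms]",
        f"    {realm} = {{",
        *body,
        "    }",
    ]) + "\n"

# One '<REALM> = { ... }' block inside [realms] and the 'kdc = host' lines in it.
_REALM_BLOCK = re.compile(r"^\s*([A-Za-z0-9.\-]+)\s*=\s*\{(.*?)^\s*\}", re.M | re.S)
_KDC_LINE = re.compile(r"^\s*kdc\s*=\s*(\S+)", re.M)

def pinned_kdcs(conf: str) -> Dict[str, List[str]]:
    """Return realm -> explicitly pinned KDC hosts from the [realms] section."""
    if "[realms]" not in conf:
        return {}
    section = conf.split("[realms]", 1)[1].split("\n[", 1)[0]  # up to next section
    return {m.group(1): _KDC_LINE.findall(m.group(2))
            for m in _REALM_BLOCK.finditer(section)}

def kdc_mismatches(conf: str, realm_kdcs: Dict[str, Set[str]]) -> List[str]:
    """Flag 'REALM -> kdc' pairs whose pinned KDC is not a KDC of that realm.

    realm_kdcs is the operator's known mapping (constructed here). A pinned KDC
    from another realm reproduces the failure in the report: the TGT request
    for our machine account goes to a KDC that has never heard of it.
    """
    return [f"{realm} -> {host}"
            for realm, hosts in pinned_kdcs(conf).items()
            for host in hosts
            if host not in realm_kdcs.get(realm, set())]

# Constructed sample: our realm and the trusted realm with their real KDCs.
KNOWN_KDCS = {"CORP.EXAMPLE": {"10.0.0.5"}, "TRUSTED.EXAMPLE": {"10.9.9.9"}}
BUGGY_CONF = render_krb5_conf("CORP.EXAMPLE", "10.9.9.9")  # our realm, trusted KDC
FIXED_CONF = render_krb5_conf("CORP.EXAMPLE", None)        # let DNS find our KDC
```

`kdc_mismatches(BUGGY_CONF, KNOWN_KDCS)` returns `['CORP.EXAMPLE -> 10.9.9.9']`, while the fixed config returns an empty list.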
This bug was referenced in samba master: 28aa0b815baf4668e3df01d52597c40fd430e2fb 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2 8989aa47b7493e6b7978c2efc4a40c781e9a2aee
Created attachment 18326: patch for 4.20
Jule, could you please apply the patch to 4.20? Thanks a lot!
This bug was referenced in samba v4-20-test: 069729202c3b287642e36c777e2b0863f593bca4 fb4c338f03034ef47231e1fb7ec1056ac5d3aa4f 65e781a30b247ab1056405322a8c9cbfb4bae03a
Closing out bug report. Thanks!
This bug was referenced in samba v4-20-stable (Release samba-4.20.2): 069729202c3b287642e36c777e2b0863f593bca4 fb4c338f03034ef47231e1fb7ec1056ac5d3aa4f 65e781a30b247ab1056405322a8c9cbfb4bae03a