I ran into this option on a customer system, the commit entry currently best documents it's usage: commit 86612b1163d2dae8f707b6a038ad1a361c975973 Author: Andrew Tridgell <tridge@samba.org> Date: Wed Sep 17 15:37:54 2008 +1000 re-added "winbind:ignore domains" patch This option really is essential, as we discover again and again at customer sites. Due to bugs in winbind some domains are toxic. When you are installing at a site and a particular domain in a complex setup causes winbind to segfault or hang then you need a way to disable that domain and continue. In an ideal world winbind could handle arbitrarily complex ADS domains, but we are nowhere near that yet. If we ever get to that stage then we won't need this option.