Hi list,

This is my domain environment and all DCs are Windows 2008 R2:
http://i.imgur.com/8cNOtm2.jpeg

When I used samba-4.0.5 and joined my box to the domain "HC1", I got the trusted domain "CHILD2" in "wbinfo -m":

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2

Then I upgraded my box to samba-4.4.4 and lost CHILD2 in "wbinfo -m":

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2

In log.wb-HC2, I found the following messages:

[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)

I compared Wireshark pcapng captures between samba-4.0.5 and samba-4.4.4:
samba-4.0.5: http://i.imgur.com/ytr7oMt.jpeg
samba-4.4.4: http://i.imgur.com/f5bYOeo.jpeg

samba-4.4.4 did not send "create netlogon", "netlogon binding" and DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".

I tried to use the patch in https://bugzilla.samba.org/show_bug.cgi?id=11830. After using this patch, samba-4.4.4 can send "create netlogon" and "netlogon binding" but fails in NetrServerAuthenticate3:
http://i.imgur.com/vI6eB5R.jpeg

And I got these messages in log.wb-HC2:

[2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
  ads: trusted_domains

[/usr/local/samba/var] # cat /etc/config/smb.conf
[global]
client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false
passdb backend = smbpasswd
workgroup = HC1
security = ADS
server string
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 102400
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers=yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
max protocol = SMB2_02
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
vfs objects = shadow_copy2 aio_pthread
aio read size = 1
aio write size = 0
pid directory = /var/lock
printcap name=/etc/printcap
printing=cups
show add printer wizard=no
realm = hc1.com
ldap timeout = 5
password server = HOST223.hc1.com
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config HC1 : backend = rid
idmap config HC1 : range = 10000001-20000000
idmap config CHILD1 : backend = rid
idmap config CHILD1 : range = 30000001-40000000
idmap config TREEROOT : backend = rid
idmap config TREEROOT : range = 40000001-50000000
idmap config HC2 : backend = rid
idmap config HC2 : range = 50000001-60000000
idmap config CHILD2 : backend = rid
idmap config CHILD2 : range = 60000001-70000000

I also tried samba-4.2.x and added "require strong key = no" and "winbind sealed pipes = false" in smb.conf. These options worked: "wbinfo -m" could get the child2 domain. Next, I tried samba-4.3.x and samba-4.4.x, but "require strong key = no" and "winbind sealed pipes = false" did not help to list the child domain under hc2.com.

I traced the code and found that some netlogon functions only use schannel in samba-4.3.x and samba-4.4.x. I modified the code (source3/winbindd_cm.c) to let cm_connect_netlogon_transport use no_schannel just like samba-4.2.x. Now "wbinfo -m" can list the child2 domain under hc2.com in samba-4.4.x, but I am not sure if the no_schannel path conforms with the current SMB, Samba or active domain spec.

Finally, I tried to use Windows 2008 R2 as my client and joined it to the domain. It was a pure Windows environment. Running "netdom query /d:hc.com TRUST" on the command line, I also could not get the child2 domain under hc2.com:
http://i.imgur.com/CtKE9Qb.jpeg

When I created a shared folder, I still could not choose the child2 domain under hc2.com...
http://i.imgur.com/K5pJaHE.jpeg

But I could input a child2 domain account directly and it worked, it is so weird... why???
http://i.imgur.com/CBx906S.jpeg

My questions now are:
1. Why doesn't current Samba use the no_schannel path?
2. No matter whether I run "netdom query /d:hc.com TRUST" on the Windows client or "wbinfo -m" in samba-4.4.x, why can't I get the child2 domain in the trust domain list?
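The posted smb.conf explicitly turns off schannel, SMB signing, winbind sealed pipes and the strong-key requirement, which is the class of setting a newer winbind no longer honours on the NETLOGON path. The following check, added here as an illustration and not code from the poster or from the Samba project, parses an smb.conf excerpt (a constructed subset of the [global] section above) and lists the parameters that switch such a protection off, so an administrator can see at a glance what a configuration has weakened before relaxing anything further.

```python
# Constructed excerpt of the [global] section posted above (not the full file).
SAMPLE_SMB_CONF = """\
[global]
client schannel = false
server schannel = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false
null passwords = yes
idmap config HC2 : range = 50000001-60000000
"""

# True: protection is on when the value is true; False ('null passwords'): risky when on.
PROTECTIONS = {
    "client schannel": True, "server schannel": True,
    "client signing": True, "server signing": True,
    "client ipc signing": True, "winbind sealed pipes": True,
    "require strong key": True, "null passwords": False,
}
FALSE_VALUES = {"no", "false", "off", "0", "disabled"}
TRUE_VALUES = {"yes", "true", "on", "1", "mandatory", "required"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}; parameter
    names are lower-cased with whitespace collapsed, as smb.conf ignores both."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def weakened_protections(text):
    """Return (parameter, value) pairs in [global] that switch a protection
    off, or switch 'null passwords' on; an empty list means nothing flagged."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for param, on_when_true in PROTECTIONS.items():
        value = glob.get(param, "").lower()
        if (on_when_true and value in FALSE_VALUES) or \
           (not on_when_true and value in TRUE_VALUES):
            findings.append((param, glob[param]))
    return findings
```

Parameters that are not set explicitly are not reported, since Samba's compiled-in default applies to them.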