I have 2 W2K3 forests: forestA.com and forestB.com. forestB.com has several child domains: child1.forestB.com, child2.forestB.com, etc. forestA.com has no children. There is a 2-way transitive forest trust between the forests. What I would like is to have a Samba3 box in forestA.com be able to authenticate users from child domains of forestB.com, i.e., a user from child1.forestB.com can access samba3box.forestA.com. I can successfully join the Samba box to the forestA.com AD, but from the logs I see that winbind does not enumerate the child domains of forestB.com (because it's a forest and not an NTLM trust?).

As a side note: is there any way to make winbind not enumerate certain domains and/or certain users/groups by means of a custom LDAP filter? We have a rather large environment, and an attempt to enumerate some 50K users miserably times out.