Hi all,

We are facing a strange issue with trusted domain users. In the beginning, we were using samba-winbind integrated with Windows AD (Server 2012r2 and Server 2008R2), and they were working pretty well. But recently, the winbind client could not get the correct group info for the trusted domain's users. For example, id A\\user only shows:

uid=16077216(A\user) gid=16077216(A\domain users) groups=16077216(A\domain users)

There should be more groups.

We tried both versions of Samba. From wbinfo --online-status, Samba version 3.6.23-36.el6_8 shows: domain A online. When we try to log in via A\\user, it shows the error messages below:

Nov 22 15:21:27 sysops01 sshd[3027]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=A\user
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): getting password (0x00000210)
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): pam_get_item returned a password
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
Nov 22 15:21:27 sysops01 sshd[3027]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'A\user')
Nov 22 15:21:28 sysops01 sshd[3027]: Failed password for A\user from xxxxx port 34760 ssh2
Nov 22 15:24:05 sysops01 sshd[3417]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx user=A\user
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): getting password (0x00000210)
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): pam_get_item returned a password
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_MAXTRIES (11), NTSTATUS: NT_STATUS_ACCOUNT_LOCKED_OUT, Error message was: Account locked out
Nov 22 15:24:05 sysops01 sshd[3417]: pam_winbind(sshd:auth): internal module error (retval = PAM_MAXTRIES(11), user = 'A\user')
Nov 22 15:24:07 sysops01 sshd[3417]: Failed password for A\user from xxxxx port 34770 ssh2

I am sure A\user is not locked. It's so strange. And Samba version 4.6.2 shows domain A offline, but can still do the id stuff.

What we have changed is upgrading Server 2008R2 to Server 2016. I don't know if this has an impact (and we can't downgrade Windows so far).

Below is what we have tried:

- Leave the domain and rejoin: not working.
- Clean the Samba cache: not working.
- Build a new server and join it to the AD: not working.

Does anyone know anything about this problem?

Thank you.