Mario Codeniera
2018-Feb-22 00:04 UTC
[Samba] "The workstation does not have a trust secret." issue
Hi all,

Can somebody give insights on this issue with the one-way interdomain trust? It seems the trust is working, as I can get the users of the trusted domain (SANDBOX) from the trusting domain (LUMAD).

Current configurations:

Windows 2016 Standard (SANDBOX) - Active Directory functional level (Windows Server 2008 R2)

Samba 4.7.5 (LUMAD)

  samba-tool domain level show
  Domain and forest function level for domain 'DC=lumad,DC=sandbox,DC=net'
  Forest function level: (Windows) 2008 R2
  Domain function level: (Windows) 2008 R2
  Lowest function level of a DC: (Windows) 2008 R2

To create the trust based on samba-tool:

  samba-tool domain trust create sandbox --type=external --direction=outgoing --local-dc-username=administrator --local-dc-machine-pass --local-dc-password="Lumad at 01" -P --password="Sandbox at 01" -U sandbox\\administrator -d2

which I can see on SANDBOX/LUMAD; the trust is created, via RSAT.

Sample outputs:

Using getent passwd:

  LUMAD\joindomain:*:100667:513::/home/LUMAD/joindomain:/bin/false
  LUMAD\mdummy:*:100002:513::/home/LUMAD/mdummy:/bin/false
  LUMAD\tdummy:*:100003:513::/home/LUMAD/tdummy:/bin/false
  ....
  SANDBOX\administrator:*:3000036:3000037::/home/SANDBOX/administrator:/bin/false
  SANDBOX\guest:*:3000043:3000037::/home/SANDBOX/guest:/bin/false
  SANDBOX\defaultaccount:*:3000044:3000037::/home/SANDBOX/defaultaccount:/bin/false
  SANDBOX\krbtgt:*:3000045:3000037::/home/SANDBOX/krbtgt:/bin/false
  SANDBOX\wintahder:*:3000046:3000037::/home/SANDBOX/wintahder:/bin/false
  SANDBOX\joindomain:*:3000066:3000037::/home/SANDBOX/joindomain:/bin/false

Using wbinfo -u, but no SANDBOX users are displayed:

  LUMAD\joindomain
  LUMAD\mdummy
  LUMAD\tdummy

Based on my observation the idmap range of SANDBOX is different from the Windows Server, even after changing the range in smb.conf (1000-6999999), but on LUMAD it is the same both in Windows 7/10 and Linux. How do I reset it?
  [global]
          netbios name = LUMAD-DC
          realm = LUMAD.SANDBOX.NET
          server role = active directory domain controller
          workgroup = LUMAD
          idmap_ldb:use rfc2307 = yes
          server min protocol = SMB2
          client min protocol = SMB2
          allow trusted domains = yes
          winbind enum users = yes
          winbind enum groups = yes
          idmap config SANDBOX:range = 1000-6999999

  [netlogon]
          path = /var/lib/samba/sysvol/lumad.sandbox.net/scripts
          read only = No

  [sysvol]
          path = /var/lib/samba/sysvol
          read only = No

In the LUMAD server, which also acts as client:

  LUMAD\joindomain:*:*100667*:513::/home/LUMAD/joindomain:/bin/false
  SANDBOX\wintahder:*:*3000046*:3000037::/home/SANDBOX/wintahder:/bin/false

In Windows 7/10 using wmic:

  wmic useraccount where name="joindomain" get sid
  S-1-5-21-8344915824-3547539418-1710631069-*100667*

In Windows 2016 (SANDBOX), as I could not log in to the workstation as per this issue:

  wmic useraccount get name,sid
  Name            SID
  Administrator   S-1-5-21-1899266439-2798345862-22873092-500
  Guest           S-1-5-21-1899266439-2798345862-22873092-501
  krbtgt          S-1-5-21-1899266439-2798345862-22873092-502
  DefaultAccount  S-1-5-21-1899266439-2798345862-22873092-503
  wintahder       S-1-5-21-1899266439-2798345862-22873092-*1107*
  joindomain      S-1-5-21-1899266439-2798345862-22873092-*1630*

I don't know if those are related.

Some logs and outputs. In my krb5.conf, I added the SANDBOX realm.

  wbinfo --ping-dc --domain=sandbox.net
  checking the NETLOGON for domain[sandbox.net] dc connection to "SANDBOXPC.sandbox.net" succeeded

  samba-tool domain trust list
  Type[External] Transitive[No] Direction[OUTGOING] Name[sandbox.net]

  wbinfo --check-secret --domain=sandbox.net
  checking the trust secret for domain sandbox.net via RPC calls succeeded

  wbinfo -t
  checking the trust secret for domain LUMAD via RPC calls succeeded

On the log.wb-LUMAD (if a SANDBOX user logs in):

  [2018/02/22 12:33:00.236539,  0] ../source3/winbindd/winbindd_dual.c:107(child_write_response)
    Could not write result

Thanks.
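The post compares Unix uids from getent with the RIDs that wmic prints and expects them to line up. The following is an added example, not code from the poster or from Samba, that makes the distinction concrete: it implements the RID-based arithmetic documented for the idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID) next to a model of an allocating backend such as the DC's idmap.ldb or idmap_tdb, which hands out IDs in first-seen order from the bottom of its range. The SANDBOX SIDs are the ones quoted above; the range bounds (10000-999999), the allocation start (3000000) and the order in which the accounts are first resolved are assumptions chosen for illustration.

```python
"""
Added example (not from the original post or from Samba): two ways winbind can
turn a trusted-domain SID into a Unix ID, showing why IDs from an allocating
backend (3000036, 3000043, ...) need not match the RIDs wmic shows (500, 501, ...).
Range bounds and allocation start below are assumptions for illustration.
"""
import re

# Domain account SID: S-1-5-21-<three subauthorities>-<RID>
_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a SID of the form S-1-5-21-a-b-c-rid."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return sid.rsplit("-", 1)[0], int(m.group(1))


def rid_to_xid(sid, low, high, base_rid=0):
    """RID-based mapping as documented for idmap_rid:
    ID = RID - BASE_RID + LOW_RANGE_ID.

    Deterministic: the same SID yields the same ID on every host that uses the
    same range, which is what makes uids portable across member servers.
    """
    _, rid = split_sid(sid)
    xid = rid - base_rid + low
    if not low <= xid <= high:
        raise ValueError("RID %d maps to %d, outside range %d-%d"
                         % (rid, xid, low, high))
    return xid


class AllocatingIdmap:
    """Model of an allocating backend: the next free ID is bound to each SID
    the first time it is looked up, so the ID depends on lookup order."""

    def __init__(self, start):
        self._next = start
        self._table = {}

    def xid_for(self, sid):
        split_sid(sid)  # reject malformed input before allocating
        if sid not in self._table:
            self._table[sid] = self._next
            self._next += 1
        return self._table[sid]


def compare(sids, low, high, alloc_start):
    """Return {sid: (rid, rid_based_id, allocated_id)} for the given SIDs,
    resolving them in list order against a fresh allocating backend."""
    alloc = AllocatingIdmap(alloc_start)
    result = {}
    for sid in sids:
        _, rid = split_sid(sid)
        result[sid] = (rid, rid_to_xid(sid, low, high), alloc.xid_for(sid))
    return result


# SANDBOX SIDs quoted in the post; the resolution order is a constructed assumption.
SANDBOX_SIDS = [
    "S-1-5-21-1899266439-2798345862-22873092-500",   # Administrator
    "S-1-5-21-1899266439-2798345862-22873092-501",   # Guest
    "S-1-5-21-1899266439-2798345862-22873092-1107",  # wintahder
    "S-1-5-21-1899266439-2798345862-22873092-1630",  # joindomain
]

if __name__ == "__main__":
    rows = compare(SANDBOX_SIDS, 10000, 999999, 3000000)
    for sid, (rid, rid_based, allocated) in rows.items():
        print("%-46s rid=%-5d idmap_rid->%-7d allocating->%d"
              % (sid, rid, rid_based, allocated))
```

Run it and the RID-based column tracks the RID (500 -> 10500, 1630 -> 11630) while the allocating column only reflects the order in which the SIDs were first seen; that is the behaviour behind uids like 3000046 that share nothing with RID 1107. On a live system the same question is answered per account with `wbinfo -n 'SANDBOX\wintahder'` followed by `wbinfo --sid-to-uid=<SID>`. Which backend winbind actually consults for the trusted domain on a Samba AD DC, and whether the `idmap config SANDBOX:range` line in the smb.conf above takes effect there, should be checked against the smb.conf and idmap_rid man pages for the Samba version in use rather than assumed from this example.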