winbind use krb5 enterprise principals

winbindd is able to get kerberos tickets for pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
winbindd (at least on a domain member) is never be able to have a complete picture of the trust topology (which is managed by the DCs). There might be uPNSuffixes and msDS-SPNSuffixes values, which don't belong to any AD domain at all.
With no winbindd don't even get an incomplete picture of the topology.
It is not really required to know about the trust topology. We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) and use enterprise principals e.g. [email protected]@PRIMARY.A.EXAMPLE.COM and follow the WRONG_REALM referrals in order to find the correct DC. The final principal might be [email protected].
With yes winbindd enterprise principals will be used.

Example: yes

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

winbind use krb5 enterprise principals
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSoftware\Policies\Samba\smb_conf\winbind use krb5 enterprise principals
Value Namewinbind use krb5 enterprise principals
Value TypeREG_DWORD
Default Value0
True Value1
False Value0

samba.admx

Administrative Templates (Computers)