winbindd is able to get kerberos tickets for pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.
winbindd (at least on a domain member) is never be able to have a complete picture of the trust topology (which is managed by the DCs). There might be uPNSuffixes and msDS-SPNSuffixes values, which don't belong to any AD domain at all.
With no winbindd don't even get an incomplete picture of the topology.
It is not really required to know about the trust topology. We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) and use enterprise principals e.g. [email protected]@PRIMARY.A.EXAMPLE.COM and follow the WRONG_REALM referrals in order to find the correct DC. The final principal might be [email protected]
With yes winbindd enterprise principals will be used.
|Registry Path||Software\Policies\Samba\smb_conf\winbind use krb5 enterprise principals|
|Value Name||winbind use krb5 enterprise principals|