This option only takes effect when the option is set to domain or ads. If it is set to yes, winbindd periodically tries to scan for new trusted domains and adds them to a global list inside of winbindd. The list can be extracted with wbinfo --trusted-domains --verbose. Setting it to yes matches the behaviour of Samba 4.7 and older. The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly. E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list. If you have a setup that doesn't require the global list, you should set no. no