winbindd is able to get kerberos tickets for pam_winbind with krb5_auth or wbinfo -K/--krb5auth=. winbindd (at least on a domain member) is never be able to have a complete picture of the trust topology (which is managed by the DCs). There might be uPNSuffixes and msDS-SPNSuffixes values, which don't belong to any AD domain at all. With no winbindd doesn't even get a complete picture of the topology. It is not really required to know about the trust topology. We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM and follow the WRONG_REALM referrals in order to find the correct DC. The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE. With yes winbindd enterprise principals will be used. yes no