[Samba] Trouble with trusted domains

Martin Zielinski mz at seh.de
Thu Apr 10 12:20:28 GMT 2008


Hello list,

perhaps someone can help me find out what's going wrong in the
following scenario (Active Directory, Samba 3.0.20b, same with 3.0.28a):

CHILD1.CONTOSO.COM <-trusts-> CONTOSO.COM <-trusts->CHILD2.CONTOSO.COM
  |                                                    | |
  User: CHILD1\testtest                                | Samba
                                                       Vista

CHILD1\testtest -> Vista : works (of course :-()
CHILD1\testtest -> Samba : password prompt (logon failure)

What I can see is that Samba decodes the user correctly out of the Kerberos
ticket as testtest@child1.contoso.com.

Then, Samba (better to say: winbind) tries to resolve the shortened name
CHILD1\testtest into a SID.

winbind does this with a LSA RPC call to CHILD2 (not to CHILD1, where
the user comes from) and receives a "NO MAPPED USER" reply.

Now my question is: shouldn't Samba ask CHILD1 for the user
CHILD1\testtest, or should CHILD2 know about user CHILD1\testtest?
Where lies the mistake?

Using rpcclient, I can resolve the name into a SID when addressing
CHILD1 *or* CONTOSO, but not CHILD2.

"wbinfo -n CHILD1\testtest" on Samba also fails.

Thanks,
Martin



