[Samba] ID mapping and trusted domains

Bob Bob bob3bob3 at bigpond.com
Sat Jun 22 14:05:12 MDT 2013


Two small Samba sites, same OS and Samba version:

Debian GNU/Linux 6.0.5 (squeeze)
Samba 3.56

Joined via OpenVPN. (yes I am aware of problems with that. Just made a
fragmentation/MTU change that made a huge difference)

I have set these sites up separately with tdbsam and then joined with a
domain trust. The servers have the same users at each with the same
UID/GIDs. winbind is set up and mostly works okay! (i.e. I think I have a
problem with it despite getting the proper wbinfo etc. responses - below)

Domain names are CBNE and CBNEA

There is a WINS at one end, but lmhosts is also used. (And is the top of
order) The idea is that both sites can continue to run independently if
disconnected. (I am aware there are better ways to do this, like LDAP..)
I am considering dropping the WINS entirely.

I am trying to run down various issues that I won't bore you all with at
the moment. I have a simple question though. From smb.conf:

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +

Is it necessary to separate the domains by idmaps? i.e. the above is the
same at each site.

Tnxs

Bob
==============

What makes me think winbind is not set up properly? If I use a WXP file
or share security interface to add or change anything I can "choose"
either domain and see it displayed. When, however, I view that again I no
longer see the local domain prefix. It's as if the local domain is going
straight to the (passwd) Unix ID. I have been considering changing
nsswitch.conf from:

passwd:         compat winbind
....to
passwd:         winbind compat

but the machines are remote and I don't want to have to make a site visit
to get root access again!

I get similar domain prefix loss issues with an attached TeraStation
too. It also seems to lose the plot as far as group security is
concerned. I can fix by removing and re-adding the "faulty" group.




