Index: samba/source/smbd/sesssetup.c
===================================================================
--- samba/source/smbd/sesssetup.c.orig
+++ samba/source/smbd/sesssetup.c
@@ -247,6 +247,7 @@ static int reply_spnego_kerberos(connect
 	BOOL map_domainuser_to_guest = False;
 	BOOL username_was_mapped;
 	PAC_LOGON_INFO *logon_info = NULL;
+	BOOL trustaccount = False;
 
 	ZERO_STRUCT(ticket);
 	ZERO_STRUCT(pac_data);
@@ -407,6 +408,28 @@ static int reply_spnego_kerberos(connect
 
 	pw = smb_getpwnam( mem_ctx, user, real_username, True );
 
+	if (!pw && lp_opendirectory() && strchr_m(client, '$')) {
+		struct samu *sam_pass = NULL;
+               	char *fullname = NULL;
+
+               	DEBUG(1,("Lookup trust account via passdb (%s)\n",user));
+
+               	sam_pass = samu_new(NULL);
+               	trustaccount = pdb_getsampwnam(sam_pass, client);
+
+		/* If this is a trust account, map it to guest because OD
+		 * doesn't have a corresponding user account.
+		 */
+               	if (trustaccount == True) {
+	       		fullname = pdb_get_fullname (sam_pass);
+			map_domainuser_to_guest = True;
+                       	fstrcpy(real_username, fullname);
+                       	DEBUG(1,("trust account found via passdb fullname(%s)\n",fullname));
+               	}
+
+               	TALLOC_FREE(sam_pass);
+       	}
+
 	if (pw) {
 		/* if a real user check pam account restrictions */
 		/* only really perfomed if "obey pam restriction" is true */
@@ -427,7 +450,8 @@ static int reply_spnego_kerberos(connect
 		   did not have a local uid but has been authenticated, then 
 		   map them to a guest account */
 
-		if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){ 
+		if (map_domainuser_to_guest ||
+		    lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
 			map_domainuser_to_guest = True;
 			fstrcpy(user,lp_guestaccount());
 			pw = smb_getpwnam( mem_ctx, user, real_username, True );