User lookup in one-way trust

  • User lookup in one-way trust

    To explain the issue in a brief manner:
    I have 3 domain controllers, each one hosting a different domain in its respective forest, calling them X, Y, Z

    X DC is Win 2003 R2
    The other 2 are Win 2008 Server

    Created 2 trust relations, each one being a one-way, external, outgoing trust: from X to Y and from X to Z

    Configured my Samba server against the X domain controller.
    ----------------------------------------------
    So far so good.
    I have 2 client machines - Win XP and Win 7

    1. Win 7 client - Joined to Z domain
    If I log on as Z domain admin or any other user and try to add more users to access the Samba share, in the 'Locations' button of the 'Security' tab, if I try to 'find user' from the Y domain, it asks for credentials for that domain.
    However, it allows me to 'find users' from the X domain without credentials for the X domain.

    2. Win XP - Joined to Y domain
    If I log on as Y domain administrator and try to add more users, the 'Locations' button allows me to 'find users' from both the X and Z domains as well, without asking for a password.
    Logging in as any other user from the Y domain (not admin), it allows me to 'find users' from the X domain, but for the Z domain it asks for Admin credentials.
    ---------------------------------------------------------------------------
    So, this has really confused me and I would like to understand how this works.
    I am using the same Samba share to connect from both clients (connecting to the clients through Remote Desktop).

    Is there some config that is missing on my Samba server, or is it purely how my Windows clients and the AD server interact?

    Why is there a difference between Win XP and Win 7 behaviour, and then between the Admin user and any other user?

    I was expecting that any user (admin or not) from the Y and Z domains would not be able to 'find users' from each other's domain without creds.
    Moreover, even the X domain users' 'find users' would not work if my client is part of the Y or Z domain.

    Please help me understand this. I would willingly share any logs/details about the setup.
    I have been given an Admin-type task for the first time and my AD skills are too weak.

  • #2
    Re: User lookup in one-way trust

    *** bump ***

    Need some direction to think/try upon to resolve this, or at least understand why it is behaving this way.



    • #3
      Re: User lookup in one-way trust

      Please read and follow the forum rules: http://forums.petri.com/announcement.php?f=16
      and do not bump your posts.

      All members give up their free time to help and when someone has something to contribute, they will.

      If you need faster support, contact Microsoft Product Support Services, who will give you immediate help. All major credit cards accepted
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: User lookup in one-way trust

        I was able to find the answer to one of my 2 concerns. Posting the reply here in case someone hits the same issue:
        Why was the 'admin' from the Y domain able to look up users from the 'Z' domain without credentials from the XP machine, even when they are not connected by a direct trust?

        The issue was with the passwords. The DCs had the same 'admin' credentials for both domains and XP was caching that. It behaves as expected if the passwords are different.

        I am now trying to find configs where a user from the Y domain is not able to look up X domain users.
        Trying my hand at 'Do not allow anonymous enumeration of SAM ...' but no success yet.

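        An added example (not code from any of the posters) covering the two things this thread turns on: the direction of each trust a domain holds, as set up in the first post, and the LSA values behind the 'Do not allow anonymous enumeration of SAM ...' policies tried in #4. It assumes a domain-joined Windows host with Windows PowerShell and rights to query the DC; 'x.example' is a placeholder for the X domain.

```powershell
# Added example, not from this thread. Read-only checks for the two things the
# posts turn on: the direction of each trust a domain holds, and the LSA values
# behind the "Do not allow anonymous enumeration of SAM ..." policies.
# Assumes a domain-joined Windows host; 'x.example' is a placeholder for domain X.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustDirectionReport {
    param([Parameter(Mandatory=$true)][string]$DomainName)
    # System.DirectoryServices.ActiveDirectory talks to a DC directly, so it also
    # works against Windows 2003 DCs that have no AD Web Services for Get-ADTrust.
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    foreach ($t in $domain.GetAllTrustRelationships()) {
        $dir = "$($t.TrustDirection)"
        # TrustDirection is relative to $DomainName ("this domain" in the trust wizard):
        #   Outbound      -> this domain trusts the target, so the target's users can be
        #                    authenticated here and looked up from this side without a prompt
        #   Inbound       -> the target trusts this domain, i.e. the reverse
        #   Bidirectional -> both
        New-Object PSObject -Property @{
            Source                       = $t.SourceName
            Target                       = $t.TargetName
            Direction                    = $dir
            Type                         = "$($t.TrustType)"   # External, Forest, ParentChild, ...
            TargetUsersResolvableHere    = (@('Outbound', 'Bidirectional') -contains $dir)
            LocalUsersResolvableAtTarget = (@('Inbound', 'Bidirectional') -contains $dir)
        }
    }
}

function Get-AnonymousEnumerationPolicy {
    # Registry values set by the Security Options policies under Local Policies:
    #   RestrictAnonymousSAM      1 = "Do not allow anonymous enumeration of SAM accounts"
    #   RestrictAnonymous         1 = "Do not allow anonymous enumeration of SAM accounts and shares"
    #   EveryoneIncludesAnonymous 0 = anonymous is not given Everyone's permissions
    # These govern null-session (anonymous) access only; a lookup made with the
    # logged-on user's credentials over a trust is authenticated, not anonymous.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Object PSObject -Property @{
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM
        RestrictAnonymous         = $lsa.RestrictAnonymous
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
    }
}

# Run from the domain the Samba server is joined to (X in the thread):
Get-TrustDirectionReport -DomainName 'x.example' | Format-Table -AutoSize
Get-AnonymousEnumerationPolicy
```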


        • #5
          Re: User lookup in one-way trust

          Originally posted by Ossian:
          If you need faster support, contact Microsoft Product Support Services, who will give you immediate help. All major credit cards accepted
          Thanks Ossian for pointing me in the right direction.

          I posted a similar question on other forums and also made judicious use of my MSDN subscription to get the answer to one of my 2 concerns.
