One Way trust SID issue

Toader, Radu X. -ND 1 Reputation point
2021-09-30T16:32:02.943+00:00

Hello,

I need some help in regard to a one way trust issue.

There is a one way trust between two domains in separate forests (external, non-transitive). The trusted domain will be B and the trusting domain A.
I am the administrator of domain A. When I want to add an account from the trusted domain (B) into a security group in domain A, I do see the friendly name and where the object from the other domain is located. When I check back on the security group, I receive an error/warning: "Some of the objects name cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object name". It shows the CN=S-1-2-3-123- SID number.
The DNS is resolvable on both sides, trust was validated with no issues.
Also when I'm creating a share in Domain A I am able to map it using that account brought in from Domain B.

Any ideas where to start troubleshooting this?

The backend issue is that we have a Linux Samba share joined to domain A, and the final idea is for users from domain B to authenticate to the Samba share via domain A.

I have another domain, the development one, where I am able to see the friendly name when I bring users into the trusting domain. Both domains, development and production, have the same trust with domain B. Also, if I try to map the drive hosted by Samba in dev, I am able to map it without issues using a user from domain B.

2 answers

  1. Jai Verma 451 Reputation points
    2021-09-30T18:20:35.617+00:00

    It appears that SID2Name resolution is failing. When you add the user the first time using the wizard, it is an LDAP call and the user's display name is fetched, but later when you try to open the properties page, you see the error message. The most common reason for this error is blocked ports (the RPC range; mostly the 49000+ ports are blocked on Domain A from Domain B).

    Here is what you can do. Download the tool PsGetSid on the machine where the SID is failing to translate to a name. Run the tool from the command line using the SID and see if you can translate it to a name. Collect network traffic and look for SYN retransmit packets from the source to the destination DC.


  2. Gary Reynolds 8,816 Reputation points
    2021-09-30T18:29:39.703+00:00

    Hi @Toader, Radu X. -ND ,

    It has been a while since I've looked at foreign security principals, but here is a high-level overview of how they work.

    Members of groups in AD are recorded by the member's DN. This is simple for members in the same forest; however, when a member is added from an external domain, a foreign security principal is created in the container of the same name off the root. This has the member's SID from the source domain, and the display name or the friendly display name. If I remember correctly, this is not populated when the FSP is created; it's populated by a background process, so it may take some time to populate the display name. Have a look at the FSPs in the container to see if any of them have the display name set.

    A quick search found this article: https://social.technet.microsoft.com/wiki/contents/articles/51367.active-directory-foreign-security-principals-and-special-identities.aspx

    I hope this helps; if not, at least you have something to Google now.

    Gary.

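As an added example (not from either answer above), a PowerShell check that combines both suggestions: it lists the foreign security principals in the trusting domain's ForeignSecurityPrincipals container and asks the local DC to translate each foreign SID to an account name, so you can see which SIDs domain A cannot resolve across the trust. It assumes the ActiveDirectory RSAT module is installed and that it runs on a machine joined to domain A; the function name Test-ForeignSecurityPrincipals is my own.

```powershell
# Added diagnostic, not from either answerer. Assumes the ActiveDirectory RSAT
# module and a machine joined to the trusting domain (A).
Import-Module ActiveDirectory

function Test-ForeignSecurityPrincipals {
    [CmdletBinding()]
    param(
        # Trusting domain (A) to inspect; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # FSPs live in CN=ForeignSecurityPrincipals directly off the domain root.
    $container = "CN=ForeignSecurityPrincipals," + (Get-ADDomain -Identity $Domain).DistinguishedName

    # Each FSP stores the foreign SID (objectSid). msDS-PrincipalName is a
    # constructed attribute the DC fills in when it can resolve the SID.
    Get-ADObject -Server $Domain -SearchBase $container -SearchScope OneLevel `
                 -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
                 -Properties objectSid, 'msDS-PrincipalName', memberOf |
    ForEach-Object {
        $sid        = [System.Security.Principal.SecurityIdentifier]$_.objectSid
        $translated = $null
        $err        = $null
        try {
            # LSA SID-to-name lookup; for a foreign SID the local DC forwards the
            # request to domain B over RPC, so a blocked RPC range shows up here.
            $translated = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $err = $_.Exception.Message
        }

        [pscustomobject]@{
            SID           = $sid.Value
            PrincipalName = $_.'msDS-PrincipalName'
            Translated    = $translated
            Error         = $err
            GroupCount    = @($_.memberOf).Count   # groups that reference this FSP
        }
    }
}

# Usage: show only the FSPs the trusting domain cannot resolve to a friendly name.
Test-ForeignSecurityPrincipals | Where-Object { -not $_.Translated } | Format-Table -AutoSize
```

Well-known SIDs (S-1-5-11 and similar) also appear as FSPs and always translate locally, so only the S-1-5-21-... entries from domain B are relevant to the trust question.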