One Way trust SID issue

Toader, Radu X. -ND 1

Hello,

I need some help in regards with a one way trust issue.

There is a one way trust between two domains in separate forests . (external, non-transitive) The trusted Domain will be B and trusting A
I am the administrator of domain A. When I want to add an account from the trusted Domain (B) into domain (A) into a security group I do see the friendly name and where the object from the other domain is located. When I'm checking back the security group, I receive an error/warning "Some of the objects name cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object name" It shows the CN=S-1-2-3-123- SID nr.
The DNS is resolvable on both sides, trust was validated with no issues.
Also when I'm creating a share in Domain A I am able to map it using that account brought in from Domain B.

Any ideas where to start troubleshooting this?

The backend issue is as we do have a linux samba share that is joined to domain A and the final idea is that users from domain B to authenticate to the Samba share via the domain A.

I have another domain which is the development where I am able to see the friendly name, when I bring users to the trusting domain. Both domain, development and production have the same trust with domain B. Also if I try to map the drive hosted by Samba in the dev, I am able to map it with out issues using a user from domain B.

Sharon Zhao-MSFT 25,056 Reputation points Microsoft Vendor

2021-10-01T00:40:00.977+00:00

@Toader, Radu X. -ND
office-teams-linux-itpro tag is for Microsoft Teams running on Linux operating system. Your question is more related to the Linux, but not Microsoft Teams. I will remove this irrelated tag. Thanks for your understanding.

2 answers

Jai Verma 461 Reputation points

2021-09-30T18:20:35.617+00:00

It appears that SID2Name resolution is failing. When you add first time using the wizard, it is ldap call and user display name is fetched, but later when you try to open the propeties page, you see the error message. Most common reason for this error is ports block(RPC range, mostly 49000+ ports are blocked on Domain A from Domain B).

Here is what you can do. Download the tool PSGetSid where SID is failing to translate to name. Run the tool from command line using SID and see if you can translate to name. Collect network traffic and look for SYNC_RETRANSMITT packets from source to destination DC
Please sign in to rate this answer.
Toader, Radu X. -ND 1 Reputation point

2021-09-30T18:46:44.357+00:00

Hi, Thanks for the Advise I have already checked all the Trust Domain ports from Domain A to B and there are all available/listening

Radu Toader Sorin 21 Reputation points

2021-10-15T11:45:52.943+00:00

Hi I did a capture using Network Monitor from Domain A to B and below are the results

MSRPC MSRPC:c/o Bind: EPT(EPMP) UUID{E1AF8308-5D1F-11C9-91A4-08002B14A0FA} Call=0x2 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 {MSRPC:1283, TCP:1282, IPv4:1170}

MSRPC MSRPC:c/o Bind Ack: Call=0x2 Assoc Grp=0xAD01F4 Xmit=0x16D0 Recv=0x16D0 {MSRPC:1283, TCP:1282, IPv4:1170}

EPM:Request: ept_map: NDR, LSARpc(LSAT/LSAD) {12345778-1234-ABCD-EF00-0123456789AB} v0.0, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)] {MSRPC:1283, TCP:1282, IPv4:1170}

SRPC MSRPC:c/o Fault: Call=0x2 Context=0x1 Status=0x5 Cancels=0x0 {MSRPC:1283, TCP:1282, IPv4:1170}

Gary Reynolds 9,391 Reputation points

2021-10-15T22:24:27.797+00:00

Hi @Radu Toader Sorin

It's difficult to say what the problem is without seeing the full trace, but the last packet is reporting Status=0x5, this is the Windows error code for access denied, but might not be related.

Try this tool to do the SID\name lookup sid-converter at the same time capture the network trace, try resolving the following names\SIDs

domainb (netbios name) domainb\<user> SID (of domainb) SID (of user in domainb)

Gary.

Radu Toader Sorin 21 Reputation points

2021-10-18T13:40:27.667+00:00

Hi @GaryReynolds-8098 I noticed that there is a REG_DWORD set to 1 in the following registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
But this is not defined in “Computer Configuration | Administrative Templates | System | Remote Procedure Call | Enable RPC Endpoint Mapper Client Authentication
Could that be the case? with the RPC ?

Radu Toader Sorin 21 Reputation points

2021-10-18T13:52:04.103+00:00

Hi Gary, While investigating I've noticed that there is a REG file under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc Enable AuthEpResolution set to 1. On the Local policy “Computer Configuration | Administrative Templates | System | Remote Procedure Call | Enable RPC Endpoint Mapper Client Authentication” everything is set to Not defined.

I'm using the below or PSGetSid to translate SId to names or vice-versa. I can resolve netbios domain sid from the trusting domain of the trusted, but not the user sid, giving me the error:

The trust relationship
between the primary domain and the trusted domain failed

$objSID = New-Object System.Security.Principal.SecurityIdentifier(“Sid“)

$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])

$objUser.Value

Gary Reynolds 9,391 Reputation points

2021-10-18T14:04:17.197+00:00

Hi,

The domain sid is resolved from the tdo object, while the user SID is passed over the trust to the other domain for resolution.

Have you tried to validate the trust to make sure the secure channel is still valid.

Gary.

Radu Toader Sorin 21 Reputation points

2021-10-18T14:21:33.007+00:00

Yes I was able to verify the trust from AD Domain and Trusts (from trusting to trusted)

Gary Reynolds 9,391 Reputation points

2021-10-18T14:55:01.67+00:00

Hi,

Couple of things to try, try doing the sid lookup from a different DC if you have one and from a member server to see if you get a different results.

With the psgetsid command use the computer argument to send the request to your DC, a DC in the trusted domain, and a member server in the trusted domain. If you get authentication errors check the event logs on the DCs in both domains to try and work why?

Have you configured selective authentication on the trust?

Gary.

Radu Toader Sorin 21 Reputation points

2021-10-18T15:10:33.253+00:00

Hi Gary,

I'm getting the same Error from all DC querying account:The trust relationship between the primary domain and the trusted domain failed. from all of the DC
The authentication model is Domain-Wide Authentication.

Gary Reynolds 9,391 Reputation points

2021-10-18T15:13:13.583+00:00

Was there any errors in the event log?

Are you able to get a network trace, in case that shows something?

Gary.

Gary Reynolds 9,391 Reputation points

2021-10-18T15:18:14.77+00:00

I can't remember the authentication mechanism for trusts off the top of head, but it might be worth enabling netlogon debug logs and see if this provides any insight

https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-debug-logging-netlogon-service

Gary Reynolds 9,391 Reputation points

2021-10-19T06:44:38.507+00:00

Hi @Radu Toader Sorin

I can see you have posted something but it's not being displayed. Can you repost.

Gary.

Radu Toader Sorin 21 Reputation points

2021-10-20T20:05:40.077+00:00

Hi Gary,

While investigating this and examining the trace, I found that there is a reg created in all DC HKLM\Software\Policies\Microsoft\Windows NT\RPC\EnableAuthEPResolution set to 1 (Enable) I'm my lab I was able to duplicate the exact SID2name resolution problem. With that reg removed the SID is translating normally. But this raises me some concerns about unauthenticated access.

Gary Reynolds 9,391 Reputation points

2021-10-20T20:45:48.057+00:00

Have a read of this article it does provide some context 399128, yes removing it will allow calls to the rpc mapper without authentication however the actual connection to the rpc service will be authenticated, so the risk should be low but a decision you will need to make.

Gary.
Sign in to comment
Gary Reynolds 9,391 Reputation points

2021-09-30T18:29:39.703+00:00

Hi @Toader, Radu X. -ND ,

It been a while since I've looked at foreign security principals but here is a high level overview on how they work.

Members of groups in AD are recorded by the member's DN, this is simple for member's in the same forest, however when member is added from an external domain a foreign security principal is created in the Container of the same off the root. This has the member's SID from the source domain, and the display name or the friendly display name. If remember correctly this is not populated when the FSP is created, it's populated by a background process, so may take some time to populate the display name. Have look at the FSPs in the Container to see if any of them have the display name set.

I quick search found this article https://social.technet.microsoft.com/wiki/contents/articles/51367.active-directory-foreign-security-principals-and-special-identities.aspx

I hope this help, if not, at least you have something to google now.

Gary.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment