ToaderRaduXND-6535 asked GaryReynolds-8098 commented

One Way trust SID issue

Hello,

I need some help with a one-way trust issue.

There is a one-way trust between two domains in separate forests (external, non-transitive). The trusted domain will be B and the trusting domain A.
I am the administrator of domain A. When I add an account from the trusted domain (B) to a security group in domain A, I do see the friendly name and where the object from the other domain is located. When I check the security group again, I receive an error/warning: "Some of the object names cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object name." It shows the SID instead, as CN=S-1-2-3-123-.
DNS is resolvable on both sides, and the trust was validated with no issues.
Also, when I create a share in domain A, I am able to map it using that account brought in from domain B.

Any ideas where to start troubleshooting this?

The underlying issue is that we have a Linux Samba share joined to domain A, and the final goal is for users from domain B to authenticate to the Samba share via domain A.

I have another domain, the development one, where I am able to see the friendly name when I bring users into the trusting domain. Both domains, development and production, have the same trust with domain B. Also, if I try to map the drive hosted by Samba in dev, I am able to map it without issues using a user from domain B.


Tags: windows-server, windows-active-directory

@ToaderRaduXND-6535
The office-teams-linux-itpro tag is for Microsoft Teams running on the Linux operating system. Your question is more related to Linux, not Microsoft Teams. I will remove this unrelated tag. Thanks for your understanding.

JaiVerma-7010 answered GaryReynolds-8098 commented

It appears that SID-to-name (SID2Name) resolution is failing. When you add the user the first time using the wizard, it is an LDAP call and the user's display name is fetched, but later, when you try to open the properties page, you see the error message. The most common reason for this error is blocked ports (the RPC range, mostly 49000+ ports, blocked on domain A from domain B).

Here is what you can do. Download the PsGetSid tool on the machine where the SID is failing to translate to a name. Run the tool from the command line with the SID and see if you can translate it to a name. Collect a network trace and look for SYN retransmit packets from the source to the destination DC.


Hi, thanks for the advice. I have already checked all the trust ports from domain A to B, and they are all available/listening.


Hi, I did a capture using Network Monitor from domain A to B, and below are the results:

MSRPC MSRPC:c/o Bind: EPT(EPMP) UUID{E1AF8308-5D1F-11C9-91A4-08002B14A0FA} Call=0x2 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0 {MSRPC:1283, TCP:1282, IPv4:1170}

MSRPC MSRPC:c/o Bind Ack: Call=0x2 Assoc Grp=0xAD01F4 Xmit=0x16D0 Recv=0x16D0 {MSRPC:1283, TCP:1282, IPv4:1170}

EPM:Request: ept_map: NDR, LSARpc(LSAT/LSAD) {12345778-1234-ABCD-EF00-0123456789AB} v0.0, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)] {MSRPC:1283, TCP:1282, IPv4:1170}

SRPC MSRPC:c/o Fault: Call=0x2 Context=0x1 Status=0x5 Cancels=0x0 {MSRPC:1283, TCP:1282, IPv4:1170}

GaryReynolds-8098 replied to RaduToaderSorin-9993

Hi @RaduToaderSorin-9993

It's difficult to say what the problem is without seeing the full trace, but the last packet is reporting Status=0x5, which is the Windows error code for access denied, but it might not be related.

Try this tool to do the SID\name lookup, sid-converter, and capture the network trace at the same time; try resolving the following names\SIDs:

  domainb (netbios name)
  domainb\<user>
  SID (of domainb)
  SID (of user in domainb)

Gary.

RaduToaderSorin-9993 replied to GaryReynolds-8098

Hi @GaryReynolds-8098, I noticed that there is a REG_DWORD set to 1 in the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
But this is not defined in "Computer Configuration | Administrative Templates | System | Remote Procedure Call | Enable RPC Endpoint Mapper Client Authentication".
Could that be the case with the RPC?

RaduToaderSorin-9993 added

Hi Gary, while investigating I've noticed that there is a REG file under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc with EnableAuthEpResolution set to 1. In the local policy "Computer Configuration | Administrative Templates | System | Remote Procedure Call | Enable RPC Endpoint Mapper Client Authentication", everything is set to Not Defined.

I'm using the snippet below or PsGetSid to translate SIDs to names or vice versa. I can resolve the NetBIOS domain SID of the trusted domain from the trusting domain, but not the user SID, which gives me the error:

The trust relationship between the primary domain and the trusted domain failed

# Build a SecurityIdentifier from the SID string to translate (placeholder, replace with the real SID)
$objSID = New-Object System.Security.Principal.SecurityIdentifier("<SID>")

# Ask LSA to translate the SID to a DOMAIN\user name; this is the call that fails for the user SID
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])

$objUser.Value

GaryReynolds-8098 replied to RaduToaderSorin-9993

Hi,

The domain SID is resolved from the TDO object, while the user SID is passed over the trust to the other domain for resolution.

Have you tried to validate the trust to make sure the secure channel is still valid?

Gary.

GaryReynolds-8098 answered GaryReynolds-8098 edited

Hi @ToaderRaduXND-6535,

It has been a while since I've looked at foreign security principals, but here is a high-level overview of how they work.

Members of groups in AD are recorded by the member's DN. This is simple for members in the same forest; however, when a member is added from an external domain, a foreign security principal is created in the container of the same name off the root. This has the member's SID from the source domain and the display name, or friendly display name. If I remember correctly, this is not populated when the FSP is created; it's populated by a background process, so it may take some time to populate the display name. Have a look at the FSPs in the container to see if any of them have the display name set.

A quick search found this article: https://social.technet.microsoft.com/wiki/contents/articles/51367.active-directory-foreign-security-principals-and-special-identities.aspx

I hope this helps; if not, at least you have something to Google now.

Gary.
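As an added example, not code posted by anyone in this thread: a PowerShell script that enumerates the FSPs in the trusting domain's ForeignSecurityPrincipals container and tries to translate each SID to a name, so the members that resolve and the ones that fail with the trust error quoted above can be told apart. It assumes it runs on a domain-joined machine in the trusting domain (domain A); the function name and output fields are this example's own.

```powershell
# Added example: audit SID-to-name translation for every foreign security
# principal (FSP) in the local domain. SecurityIdentifier.Translate() uses the
# same LSA lookup path as the group members view, so an FSP that fails here is
# one that shows as CN=S-1-5-21-... in the group.
function Get-ForeignSecurityPrincipalStatus {
    param(
        # Defaults to the current domain's naming context, e.g. DC=domaina,DC=local
        [string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=ForeignSecurityPrincipals,$DomainDn"
    $searcher.Filter     = '(objectClass=foreignSecurityPrincipal)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'whenCreated', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        $sidBytes = [byte[]]$result.Properties['objectsid'][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Well-known SIDs (S-1-5-4, S-1-5-11, ...) live in this container too and
        # always resolve locally; only S-1-5-21-* SIDs are looked up over the trust.
        $overTrust = $sid.Value -like 'S-1-5-21-*'
        try {
            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = 'Resolved'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $name   = $null
            $status = 'Unmapped: no name returned for this SID'
        } catch {
            # e.g. "The trust relationship between the primary domain and the
            # trusted domain failed" when the secure channel to domain B is broken
            $name   = $null
            $status = "Error: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Sid       = $sid.Value
            Name      = $name
            Status    = $status
            OverTrust = $overTrust
            MemberOf  = @($result.Properties['memberof']) -join '; '
            Created   = $result.Properties['whencreated'][0]
        }
    }
}

Get-ForeignSecurityPrincipalStatus | Format-Table -AutoSize
```

Rows with OverTrust = True and a non-Resolved status are the members the thread is about; a Resolved row for a domain B SID next to an Error row for another domain B SID points at a per-object problem rather than the trust itself.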
