Cross-Domain Share?

Hello,
I recently moved our file server to a new server and although everything is properly configured, users from our other domain are no longer able to access the shares.  The users from the other domain have identical usernames and passwords created in the file server's domain.  Before the move to the new server, they were connecting fine without having to specify a username and password but now it requests authentication for any of the shares.  Share and file permissions are identical to the old server.  Any ideas?

Asked by: sthubert
1 Solution
 
ReesAssociates Commented:
What OS was the old server and what OS does the new server have?
 
sthubert (Author) Commented:
OLD = Windows 2003 Server - Domain Controller
NEW = Windows 2008 Server R2 - Application Server

I managed to get Anonymous Authentication working by enabling the guest account and the local policy "Let everyone permission apply to anonymous users".

But now I still cannot control the security with usernames.  In other words, the user can connect to the share and open all folders that are opened to everyone, but if there are non-inherited permissions set on a subfolder that the user should have access to, it is denied.  So the user is being seen as anonymous rather than as his domain user.
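The two settings named in the comment above (Guest account enabled, "Let Everyone permissions apply to anonymous users") and the identity the server actually assigns to incoming share sessions can be checked on the file server as follows. This is an added example, not part of the thread; the function names are illustrative, and the second function assumes success auditing of logon events is enabled so that event 4624 is recorded.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Uses only cmdlets available in Windows PowerShell 2.0 (Server 2008 R2).

function Get-AnonymousAccessState {
    # The built-in Guest account is the local account with RID 501,
    # whatever it has been renamed to.
    $guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-501' }

    # Registry value behind the local policy
    # "Network access: Let Everyone permissions apply to anonymous users".
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    New-Object PSObject -Property @{
        GuestAccount              = $guest.Name
        GuestEnabled              = [bool]($guest -and -not $guest.Disabled)
        EveryoneIncludesAnonymous = ([int]$lsa.EveryoneIncludesAnonymous -eq 1)
    }
}

function Get-NetworkLogonIdentity {
    param([int]$MaxEvents = 500, [string]$GuestName = 'Guest')

    # Event 4624 = successful logon; LogonType 3 = network logon (SMB access).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $evt = $_
            $d = @{}
            foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $d[$n.Name] = $n.'#text'
            }
            if ($d['LogonType'] -eq '3') {
                New-Object PSObject -Property @{
                    Time         = $evt.TimeCreated
                    Account      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
                    Source       = $d['IpAddress']
                    # True when the session was mapped to Guest or the null
                    # session instead of a named account.
                    NotNamedUser = ($d['TargetUserName'] -eq 'ANONYMOUS LOGON' -or
                                    $d['TargetUserName'] -eq $GuestName)
                }
            }
        }
}

Get-AnonymousAccessState | Format-List
Get-NetworkLogonIdentity | Where-Object { $_.NotNamedUser } |
    Sort-Object Time -Descending | Format-Table Time, Account, Source -AutoSize
```

Sessions listed by the last command are the ones NTFS evaluates as Guest or anonymous, which matches the symptom described: folders open to Everyone work, while per-user ACLs on subfolders deny access.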
 
sthubert (Author) Commented:
Just so everyone understands better, because I think I am a little unclear...

Domain 1 = domain1.com
Domain 2 = domain2.com

All users belonging to domain2.com exist in domain1.com with identical username and password.

TestUser is on a workstation in domain2.com and needs to access a shared folder on FileServer1 in domain1.com.

TestUser exists on domain1.com and domain2.com.

There are NO TRUSTS between the domains!
 
ReesAssociates Commented:
Are the users mapping to the file shares?  If so, are they authenticating to the share with domain1\username?
 
sthubert (Author) Commented:
They are simply connecting to \\FileServer1.domain1.com\share.
I don't want them to have to authenticate at all since their users exist on both domains.  I need transparent authentication.
 
sthubert (Author) Commented:
It's like when we do file sharing from workgroup to workgroup, we create the exact same user on both workstations and the user is able to connect to the share.  In my situation I'm doing domain to domain with exact same users on both domains.
 
sthubert (Author) Commented:
It used to work but can it be because our old fileserver was on one of our Domain Controllers?
 
sthubert (Author) Commented:
I just tested creating a share on one of our DC's and it works perfectly.  The user from domain2.com is able to access the share on the DC of domain1.com without providing any credentials.

Is there any way I can get this working on my FileServer that is not a DC?
 
sthubert (Author) Commented:
Just as I thought.  If I create an identical Local User on FileServer1 the user is then able to access the file shares.  I need this to work without having to create the users locally.  I need my FileServer1 to somehow traverse the authentication to a DC.
 
ReesAssociates Commented:
Just for clarification, why the lack of trust between the domains?  This would remove the need to enter duplicate usernames on each domain.
 
sthubert (Author) Commented:
We needed to duplicate the users so that we can all be on the same Exchange server.  So there was no need for a trust between the 2 domains.
 
ReesAssociates Commented:
What are your file sharing permissions set to?  Are you using your file system permissions to govern access?
 
sthubert (Author) Commented:
I don't know what the results of putting up a trust would be at this point since we have duplicate users on both domains.

I set the share to Everyone - Full and then use NTFS to manage the access.
 
oBdA Commented:
Pass-through authentication only works against the local account database of the target server. In the case of a DC, the "local" account database is the domain user database; that's why it works when you're accessing a share on a DC that way.
There is no way to tell a member server to "redirect" a pass-through user to any other account database.
So that leaves you with four possibilities:
* Promote the file server to a DC (which can create other issues)
* Create local accounts on the file server
* Use a logon script that asks the user for the account information in the other domain:
      net use X: \\Server2008\SomeShare * /user:2008DOMAIN\%Username%
  This is only necessary for the first share; once a secure connection has been established, you can map other drives without logon information.
* The recommended method when doing domain migrations: create a trust. A trust does NOT care about duplicate user names.
 
sthubert (Author) Commented:
Thanks oBdA for the useful info but I used option 5 where I put the 2 shares they required access to on our existing DC temporarily until we migrate everyone to domain1.com.

:)