[Samba] Trusted domains, one-domain users and ACL modifications

Nahuel Greco ngreco at axonsis.com.ar
Wed Feb 4 16:35:34 GMT 2004

Hi, currently I have the following Samba 3.0.2rc2 setup:

[w2k 1] --- [Samba1] ----VPN Link---- [Samba2] --- [w2k 2]

Samba1 and Samba2 are PDCs, there is one domain for each network. I'm trying
to configure a symmetric trust relationship between them. Both Samba servers
have "wins support = yes", and I added the other server/domain to their
wins.dat (notably the line with the "0x1b" character), because broadcasts
over this non-bridged VPN don't work (I killed nmbd before doing that, so
wins.dat doesn't get overwritten).

The relationships in both directions are established, but only when I run "net rpc
trustdom establish" many times. I don't know if this is a timeout problem
or a Samba bug, but note that the VPN latency is about 20ms, and
strangely I have better results when I enable the debug messages (-d 9).
What do you think?

But that isn't my principal problem, it's:

Now, if some w2k user belongs to both domains (but maybe with different
passwords on each one), he can sit on w2k-1 or w2k-2 and change the ACLs
of files on their workstation, using the user lists of both domains. But,
and this is my problem, if the user only belongs to one domain (suppose
DOMAIN1), when he tries to change the ACLs of a file, only the users of
DOMAIN1 are listed, and when he tries to retrieve the list of users of
DOMAIN2, Windows opens a dialog asking for a username and a
password of a DOMAIN2 user.

So, my question is: in Microsoft networks, when you establish a trust
relationship between domains, must users belong to _both_ domains to make
it work? Isn't it possible for a single-domain user to access both
domains' user lists when he wants to set up an ACL for a file?

Note, I know about AD, but I want to know if I can do this without using
it. Also, note that this isn't a winbind problem, because I don't want
(for the moment) to access Samba shares, only the shares of both
w2k workstations, from those workstations.

Nahuel Greco.

