We have a network share on a Windows Server 2022 which hosts a number of both "production" files as well as development files. We have two domains - a prod domain (ex. "prod.local") and a dev domain ("dev.local").
Some folders have been set up with "Everyone" access and, while a trust relationship was present between the prod and dev domains, dev users had read-only access to the shares, as expected.
However I've been asked to make the trust one way (dev trusts prod, prod doesn't trust dev) and now the "Everyone" permissions don't work any more.
I've tried to implement the changes suggested here but a) it seems those are solutions for Windows 10/11 and b) it still doesn't work (i.e. dev users still can't access the shares).
How should such a share be configured on a Windows Server to allow another domain access?
You were asked to configure a trust from two way to ONE way so that a share in PROD (and any other resource in PROD) is only accessible to PROD and NOT dev. Now dev users are unable to access the share in PROD.
This is the expected behavior.
Removing the two way trust is the correct thing to do. It should never have been created.
If you want a share (or any other resource) to be available to the dev domain, the resource (share) needs to be in a location independent from the PROD domain that should not be accessible from the dev domain.
Additional information:
The Everyone security principal was changed in 2003 to not be "Everyone". It is functionally identical to the Authenticated Users security principal. Previously Everyone functioned similarly to a Guest account, which is usually disabled. This means that the Everyone principal does not include Anonymous.
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users
In summary, Windows requires that users must authenticate to access a resource such as a share. There is no anonymous or guest access, and Everyone means only users that have authenticated from trusted domains.
The relationship between the resource in the PROD domain and the principals that you want to grant access has been specifically configured to disallow all access to all users that are from untrusted domains, to all resources, including shares.
I think you are mistaking trust for access privileges.
Trust means that you trust that domain to authenticate users, so that you can assign access privileges to that domain's users (in addition to your own).
Access privilege means that a user may or may not read or modify a network resource. In order to assign privileges you first need to have a user object - which can be from another domain that you trust. Usually, you group users and then assign privileges to the group. On the file level you use ACLs for that.
Without trust, you have no way to know who's trying to access a resource.
So basically, trust the other domain, but don't assign its users any privileges that you don't want.
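As an added example (not from either answer above), the following PowerShell audit shows the two things both answers turn on: which domains the file server's domain actually trusts, and which principals the share and NTFS ACLs grant access to. It assumes the ActiveDirectory and SmbShare modules are installed; the share name and path are placeholders.

```powershell
# Added example: run on the PROD file server (or a PROD admin host) to review
# trust direction and share/NTFS ACEs after the trust is made one-way.
Import-Module ActiveDirectory
Import-Module SmbShare

function Get-TrustSummary {
    # Direction is relative to the domain being queried:
    # Outbound = this domain trusts the named domain, so its users can be granted access here.
    # Inbound  = the named domain trusts this domain; its users cannot be authenticated here.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive
}

function Get-ShareAccessReport {
    param(
        [Parameter(Mandatory)] [string]$ShareName,   # placeholder, e.g. 'DevShare'
        [Parameter(Mandatory)] [string]$Path         # placeholder, e.g. 'D:\Shares\DevShare'
    )
    $everyoneNote = 'Everyone = authenticated users from trusted domains only'

    # Share-level permissions
    $share = Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        [pscustomobject]@{
            Layer     = 'Share'
            Principal = $_.AccountName
            Type      = $_.AccessControlType
            Rights    = $_.AccessRight
            Note      = if ($_.AccountName -match 'Everyone') { $everyoneNote } else { '' }
        }
    }

    # NTFS permissions on the folder behind the share
    $ntfs = (Get-Acl -Path $Path).Access | ForEach-Object {
        $id = $_.IdentityReference.Value
        # An ACE that shows only a raw SID usually points at a principal from a domain
        # this server can no longer resolve, i.e. one it does not trust any more.
        $note = if ($id -match '^S-1-5-21-') { 'unresolved SID: principal from an untrusted domain?' }
                elseif ($id -match 'Everyone') { $everyoneNote }
                else { '' }
        [pscustomobject]@{ Layer = 'NTFS'; Principal = $id; Type = $_.AccessControlType
                           Rights = $_.FileSystemRights; Note = $note }
    }
    $share + $ntfs
}

Get-TrustSummary | Format-Table -AutoSize
Get-ShareAccessReport -ShareName 'DevShare' -Path 'D:\Shares\DevShare' | Format-Table -AutoSize
```

If the dev domain no longer appears with an Outbound direction from PROD, no ACE on the PROD share can grant dev users access, which is the behaviour the first answer describes.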