Explorer security frame application compatibility issues in network file system

Explorer has been a rich source of application compatibility issues in our network redirector. One that I am stuck on at the moment involves editing the security descriptor for files on our network file system. I’ve overcome the problems with getting the security frame to come up that have been discussed periodically on this list, but now Explorer is giving me trouble when trying to add ACLs for new users.

Specifically, it looks like Explorer wants to know to which domain the remote server belongs before bringing up the user selection dialog. In the call stack, I see DsRoleGetPrimaryDomainInformation, which eventually translates to an attempt to open the lsarpc named pipe on my remote server. The trouble is, while the client machine is a member of a domain (call it CORP), the remote server is not (it is not even a Windows server). The server stores persistent ACLs for users in CORP, and I’d like the client to present those users in the object selector.

I’ve tried various tricks to work around this, e.g. setting DeviceType to something other than FILE_DEVICE_NETWORK_FILE_SYSTEM in hopes that Explorer would treat the mounted file system as a local device, but to no avail; I don’t even see an IRP_MJ_QUERY_VOLUME_INFORMATION arising from the Explorer process in the trace, so I don’t think it’s even checking the device type.

Has anybody run into this before, supporting persistent ACLs on a non-Windows remote server? Is there any alternative to adding server support for the appropriate RPC?