October 6th, 2022 12:00
AD auth with one-way trust
isilon lives in domain1, has AD auth with domain1. has been working for a long time. domain1 is the only non-local auth provider under access/authentication providers/active directory/ (nothing under 'kerberos provider')
assume the following windows permissions:
\\isilonSMBserver.domain1.com\shared\ is shared full control to "everyone" and NTFS gives 'authenticated users' read.
\\non-isilonserver-plainwindows.domain1.com\shared\ is shared full control to "everyone" and NTFS gives 'authenticated users' read.
domain1 has a one-way AD forest trust with domain2. that is, domain2 users can log into domain1 resources.
from a machine in domain2, domain2\user2 can browse and map drives to any \\non-isilonserver-plainwindows.domain1.com\shared\ share.
but when trying to access \\isilonSMBserver.domain1.com\shared\, domain2\user2 gets.
it's not a DNS thing, because from the same machine in domain2, i can map a drive to \\isilonSMBserver.domain1.com\shared\ if i provide alternate credentials domain1\user1.
is there something special to do in the /isilon/share/zone/ or in domain1 AD, maybe with kerberos, that my plain old windows file servers are doing automatically because they are plain old windows domain members? in domain2, there are no computer objects, or SPNs, or anything special set up for any domain1 objects, yet somehow \\non-isilonserver-plainwindows.domain1.com\shared\ "just works" for domain2 users. it's only isilon-based shares that can't seem to figure out how to let domain2 users in.
i will also note that on the domain1 active directory authentication provider on the isilon, domain2 (the fqdn) is listed under the "trusted domains that are always recognized" field.



curtmcg1rt
October 6th, 2022 13:00
don't know how this got cut off:
but when trying to access \\isilonSMBserver.domain1.com\shared\, domain2\user2 gets "unexpected network error" or other vague windows errors.
curtmcg1rt
October 7th, 2022 07:00
9.3.0.3
DELL-Sam L
Moderator
October 7th, 2022 07:00
Hello curtmcg1rt,
What is your current OneFS version?
DELL-Sam L
Moderator
October 7th, 2022 15:00
Hello curtmcg1rt,
Here is a link to a KB that may be of assistance: https://dell.to/3ypiJfm
curtmcg1rt
October 11th, 2022 07:00
that article is promising, but it confusingly assumes the exact same username in both domains, which is not my situation.
DELL-Sam L
Moderator
October 11th, 2022 14:00
Hello curtmcg1rt,
It is best to open a support case for your particular issue.