It sounds like the authentication token being passed to the NAS either contains only the user account information, or contains the wrong domain information, both of which would cause the NAS to not know who they were and prompt for credentials.
If you set up a dummy user account in DOM1, grant that dummy account access rights to the share, then try to hit the NAS as a person in DOM2 or DOM3, can you then provide alternate credentials and get into the share point?