Is "Disjoint Namespace" fully functional?

Martinx - ジェームズ thiagocmartinsc at gmail.com
Tue Aug 26 13:24:53 MDT 2014


Guys,

During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
feature called "Disjoint Namespace", but now (Samba 4.1.11) it isn't
working anymore.

Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx

I'm not sure if I did something wrong, or if it is a regression, because, as
I said, I was using Samba 4.1.6 from Ubuntu Trusty, and now I'm using Samba
4.1.11 (from my own Ubuntu PPA:
https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure if it
stopped working because of the upgrade, or because of a mistake on my part (I
tried to add more forward zones)... So I'm asking here whether the Disjoint
Namespace feature is really supported (or not), or if it only worked for me
at first "by luck"...

What did I do at first?

I followed the guide: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

So, I created my Samba4 AD DC with:

---
AD DC Hostname:                    ubuntu-ad-1
AD DNS Domain Name:                realm.company.com
Kerberos Realm:                    REALM.COMPANY.COM
NT4 Domain Name/NetBIOS Name:      COMPANY
IP Address:                        192.168.1.10
Server Role:                       Domain Controller (DC)
Domain Admin Password:             pa$$w0rd
Forwarder DNS Server:              192.168.1.1

Provisioned with: `samba-tool domain provision --realm REALM.COMPANY.COM
--domain COMPANY --adminpass AdmPass123 --server-role=dc --use-xattr=yes
--use-rfc2307 --function-level=2008_R2 --dns-backend=BIND9_DLZ`
---

Everything is running fine, `Domain Computers` got registered within
"*.realm.company.com" as expected. Then I followed the "Disjoint Namespace"
doc from Micro$oft to create an extra "Forward Lookup Zone", called
"company.com", using "DNS Manager".

Then I opened "ADSI Edit - adsiedit.msc", connected to my
"ubuntu-ad-1.realm.company.com", and added "company.com" to the
"msDS-AllowedDNSSuffixes" var. It worked...

Right after configuring "msDS-AllowedDNSSuffixes", I tried to join a new
computer into "*.company.com" instead of "*.realm.company.com", and to my
surprise, it worked!! I managed to join a new Linux machine (station-1) into
"*.company.com", so *Samba with Disjoint Namespaces seems to be working!*

...Not anymore...   :'(

Today, I'm trying to add more machines to that "*.company.com" domain, and
I'm seeing:

---
root at station-2:~# net ads join -U tmartins%SENHA
Using short domain name -- COMPANY
Joined 'STATION-2' to dns domain 'realm.company.com'
DNS Update for station-2.company.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
---

What am I missing?!

Because the first "station-1" got registered within the new forward lookup
zone "*.company.com" without any problem, but now it isn't working
anymore... And I don't know if this is a regression in 4.1.11, or if it is
my mistake, or if it is not even supported (Disjoint)...

Also, I tried to create more forward zones, like "*.cloud.company.com", to
join my OpenStack instances... Or "*.office.company.com" to join my office
desktops and regular servers... Maybe it works only for 1 extra forward
zone?! And if you try to add more, it breaks?!

BTW, I'm seeing lots of patches about "subdomains", "trust relationships",
etc. here on this mailing list... Maybe you guys are working on this?! I
would like to know if it is better to wait for Samba 4.2... Or if there is
something that I can do to fix my "Disjoint Namespaces"...

I really appreciate any help!

Cheers!
Thiago
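The post above performs the two disjoint-namespace steps from the Microsoft doc (an extra forward lookup zone, plus the suffix in msDS-AllowedDNSSuffixes) by hand in DNS Manager and ADSI Edit, and then sees the join succeed while the DNS update fails. The following is an added example, not code from the post or from the Samba project: an offline pre-check that models the two preconditions a DC needs before it will accept a dynamic update for a host under a disjoint suffix, and that emits the command-line equivalents of the GUI steps. It assumes (not stated in the post) that `net ads join` registers the client's own FQDN, that a hosted forward zone must cover that FQDN, that the suffix must be the AD DNS domain or appear in msDS-AllowedDNSSuffixes on the domain object, and that sam.ldb lives at /var/lib/samba/private/sam.ldb (the Ubuntu default). The hostnames, zones and suffix values below are constructed from the post's own setup.

```python
"""Offline pre-check for joining a host under a disjoint DNS suffix on a
Samba AD DC. Added example; not from the mailing-list post or Samba itself.

Assumptions (hypothetical, see lead-in): the client registers its own FQDN,
a hosted forward zone must cover that name, and the name's suffix must be
either the AD DNS domain or listed in msDS-AllowedDNSSuffixes."""
from dataclasses import dataclass, field


@dataclass
class DomainDnsState:
    ad_dns_domain: str                                   # e.g. "realm.company.com"
    zones: list                                          # forward zones hosted on the DC
    allowed_suffixes: list = field(default_factory=list)  # msDS-AllowedDNSSuffixes


def longest_zone_for(fqdn, zones):
    """Return the longest hosted zone that is a parent of fqdn, or None."""
    host = fqdn.lower().rstrip(".")
    best = None
    for zone in zones:
        zone = zone.lower().rstrip(".")
        if host.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def check_join(fqdn, state):
    """Return (ok, findings): ok is True when both preconditions hold."""
    findings = []
    host = fqdn.lower().rstrip(".")
    if "." not in host:
        return False, ["hostname has no DNS suffix; the join would register the short name only"]
    suffix = host.split(".", 1)[1]

    # Precondition 1: the suffix must be the AD DNS domain or an allowed extra suffix.
    allowed = {s.lower() for s in state.allowed_suffixes} | {state.ad_dns_domain.lower()}
    if suffix not in allowed:
        findings.append(
            f"suffix {suffix!r} is neither the AD DNS domain nor in msDS-AllowedDNSSuffixes")

    # Precondition 2: some forward zone on the DC must cover the name.
    if longest_zone_for(host, state.zones) is None:
        findings.append(f"no forward zone on the DC covers {host!r}; the DNS update would fail")

    return not findings, findings


def remediation_commands(suffix, dc_hostname, ad_dns_domain, admin="administrator"):
    """CLI equivalents of the DNS Manager / ADSI Edit steps for one extra suffix.

    samba-tool dns zonecreate and ldbmodify are real Samba tools; the sam.ldb
    path is the Ubuntu default and is an assumption of this example."""
    base_dn = ",".join(f"DC={part}" for part in ad_dns_domain.split("."))
    ldif = (
        f"dn: {base_dn}\n"
        "changetype: modify\n"
        "add: msDS-AllowedDNSSuffixes\n"
        f"msDS-AllowedDNSSuffixes: {suffix}\n"
    )
    return {
        "zonecreate": f"samba-tool dns zonecreate {dc_hostname} {suffix} -U {admin}",
        "ldif": ldif,
        "ldbmodify": "ldbmodify -H /var/lib/samba/private/sam.ldb allow-suffix.ldif",
        "verify_zone": f"samba-tool dns zonelist {dc_hostname} -U {admin}",
    }


if __name__ == "__main__":
    # Constructed state mirroring the post: one extra zone and suffix "company.com".
    state = DomainDnsState("realm.company.com",
                           zones=["realm.company.com", "company.com"],
                           allowed_suffixes=["company.com"])
    for name in ("station-2.company.com", "vm1.cloud.company.com"):
        ok, findings = check_join(name, state)
        print(name, "OK" if ok else "BLOCKED", findings)
    # The "cloud" suffix from the post needs both steps repeated for it:
    for cmd in remediation_commands("cloud.company.com", "ubuntu-ad-1",
                                    "realm.company.com").values():
        print(cmd)
```

Run `hostname -f` on the client first; that is the name the check should be given, since a host whose FQDN still says `realm.company.com` will be registered there no matter what zones exist. Each additional suffix (`cloud.company.com`, `office.company.com`) needs its own zone and its own msDS-AllowedDNSSuffixes value; the attribute is multi-valued, so the `add:` LDIF appends rather than replaces.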

