Is "Disjoint Namespace" fully functional?

Martinx - ジェームズ thiagocmartinsc at gmail.com
Tue Aug 26 15:54:13 MDT 2014


Just for the record, the entry for "station-2" on its /etc/hosts *does not
point* to "127.0.1.1". It points to its own IPv4 addr, like this:

`station-2`'s /etc/hosts file:
---
127.0.0.1 localhost.localdomain localhost
192.168.1.20 station-2.company.com station-2
---

I found on the net that this is a common error that triggers a DNS update
error while joining a domain, but that is not my case...

Tks in advance!

-
 Thiago


On 26 August 2014 16:24, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:

> Guys,
>
> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
> working anymore.
>
> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
>
> I'm not sure if I did something wrong, or if it is a regression, because
> as I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
> 4.1.11 (from my own Ubuntu PPA:
> https://launchpad.net/~martinx/+archive/ubuntu/ig )... I'm not sure if
> it stopped working because of the upgrade, or because of my fault (I tried to
> add more forward zones)... So, I'm asking here if it is really supported
> (the Disjoint Namespace feature) (or not), or if it worked for me at first,
> "by luck"...
>
> What did I do at first?
>
> I followed the guide: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>
> So, I created my Samba4 AD DC with:
>
> ---
> AD DC Hostname:                    ubuntu-ad-1
> AD DNS Domain Name:                realm.company.com
> Kerberos Realm:                    REALM.COMPANY.COM
> NT4 Domain Name/NetBIOS Name:      COMPANY
> IP Address:                        192.168.1.10
> Server Role:                       Domain Controller (DC)
> Domain Admin Password:             pa$$w0rd
> Forwarder DNS Server:              192.168.1.1
>
> Provisioned with: `samba-tool domain provision --realm REALM.COMPANY.COM
> --domain COMPANY --adminpass AdmPass123 --server-role=dc --use-xattr=yes
> --use-rfc2307 --function-level=2008_R2 --dns-backend=BIND9_DLZ`
> ---
>
> Everything is running fine, `Domain Computers` got registered within
> "*.realm.company.com" as expected, then, I followed the "Disjoint Namespace"
> doc from Micro$oft, to create an extra "Forward Lookup Zone", called:
> "company.com", using "DNS Manager".
>
> Then, I opened the software "ADSI Edit - adsiedit.msc", to connect to my
> "ubuntu-ad-1.realm.company.com", to add "company.com" to
> "msDS-AllowedDNSSuffixes" var. It worked...
>
> Right after configuring "msDS-AllowedDNSSuffixes", I tried to join a new
> computer into "*.company.com", instead of "*.realm.company.com", to my
> surprise, it worked!! I managed to join a new Linux machine (station-1) into
> "*.company.com", so, *Samba with Disjoint Namespaces seems to be working!*
>
> ...Not anymore...   :'(
>
> Today, I'm trying to add more machines to that "*.company.com" domain,
> and I'm seeing:
>
> ---
> root@station-2:~# net ads join -U tmartins%SENHA
> Using short domain name -- COMPANY
> Joined 'STATION-2' to dns domain 'realm.company.com'
> *DNS Update for station-2.company.com failed: ERROR_DNS_UPDATE_FAILED*
> *DNS update failed: NT_STATUS_UNSUCCESSFUL*
> ---
>
> What am I missing?!
>
> Because the first "station-1" got registered within the new lookup forward
> zone "*.company.com" without any problem but, now, it isn't working
> anymore... And I don't know if this is a regression of 4.1.11, or if it is
> my mistake, or if it is not even supported (Disjoint)...
>
> Also, I tried to create more forward zones, like "*.cloud.company.com",
> to join my OpenStack Instances... Or "*.office.company.com" to join my
> Office Desktops and regular servers... Maybe it works only for 1 extra
> forward zone?! And if you try to add more, it breaks?!
>
> BTW, I'm seeing here on this mailing list, lots of patches about
> "subdomains", "trust relationship" and etc... Maybe you guys are working on
> this?! I would like to know if it is better to wait for Samba 4.2... Or if
> there is something that I can do to fix my "Disjoint Namespaces"...
>
> I really appreciate any help!
>
> Cheers!
> Thiago
>
>

