Is "Disjoint Namespace" fully functional?
davortvusir at gmail.com
Tue Aug 26 23:55:36 MDT 2014
2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
>> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
>> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
>> working anymore.
>> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
>> I'm not sure if I did something wrong, or if it is a regression, because as
>> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
>> 4.1.11 (from my own Ubuntu PPA:
>> https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure if it
>> stopped working because of the upgrade, or because my fault (I tried to add
>> more forward zones)... So, I'm asking here if it is really supported (the
>> Disjoint Namespace feature) (or not), or if it worked for me at first, "by
> "by luck" is the best answer I can give. In particular, the assumption
> in Linux krb5 client libs is that the kerberos realm can be found from
> the DNS domain, rather than the 'ask my KDC' approach windows uses.
"ask my KDC"? http://technet.microsoft.com/en-us/library/cc771255.aspx
says different. Using Kerberos to get authenticated and authorized dns
updates is one thing, letting clients update dns is another.
>> Or if there is
>> something that I can do to fix my "Disjoint Namespaces"...
> The best suggestion I can suggest is to do a git bisect between when it
> worked and now, and see if something is clear. It looks like an
> interesting feature, but it certainly has challenges.
> Andrew Bartlett
> Andrew Bartlett
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical