Is "Disjoint Namespace" fully functional?

Davor Vusir davortvusir at gmail.com
Tue Aug 26 23:55:36 MDT 2014


2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
>> Guys,
>>
>> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
>> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
>> working anymore.
>>
>> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
>>
>> I'm not sure if I did something wrong, or if it is a regression, because as
>> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
>> 4.1.11 (from my own Ubuntu PPA:
>> https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure if it
>> stopped working because of the upgrade, or because my fault (I tried to add
>> more forward zones)... So, I'm asking here if it is really supported (the
>> Disjoint Namespace feature) (or not), or if it worked for me at first, "by
>> luck"...
>
> "by luck" is the best answer I can give.  In particular, the assumption
> in Linux krb5 client libs is that the kerberos realm can be found from
> the DNS domain, rather than the 'ask my KDC' approach windows uses.
>
"ask my KDC"? http://technet.microsoft.com/en-us/library/cc771255.aspx
says different. Using Kerberos to get authenticated and authorized dns
updates is one thing, letting clients update dns is another.

Regards
Davor

>> Or if there is
>> something that I can do to fix my "Disjoint Namespaces"...
>
> The best suggestion I can suggest is to do a git bisect between when it
> worked and now, and see if something is clear.  It looks like an
> interesting feature, but it certainly has challenges.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
>
>


More information about the samba-technical mailing list