Is "Disjoint Namespace" fully functional?

Davor Vusir davortvusir at
Tue Aug 26 23:55:36 MDT 2014

2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at>:
> On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
>> Guys,
>> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
>> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
>> working anymore.
>> Doc:
>> I'm not sure if I did something wrong, or if it is a regression, because as
>> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
>> 4.1.11 (from my own Ubuntu PPA:
>> ).... I'm not sure if it
>> stopped working because of the upgrade, or because of my fault (I tried to add
>> more forward zones)... So, I'm asking here if it is really supported (the
>> Disjoint Namespace feature) (or not), or if it worked for me at first, "by
>> luck"...
> "by luck" is the best answer I can give.  In particular, the assumption
> in Linux krb5 client libs is that the kerberos realm can be found from
> the DNS domain, rather than the 'ask my KDC' approach windows uses.
"ask my KDC"?
says different. Using Kerberos to get authenticated and authorized dns
updates is one thing, letting clients update dns is another.


>> Or if there is
>> something that I can do to fix my "Disjoint Namespaces"...
> The best suggestion I can suggest is to do a git bisect between when it
> worked and now, and see if something is clear.  It looks like an
> interesting feature, but it certainly has challenges.
> Andrew Bartlett
> --
> Andrew Bartlett
> Authentication Developer, Samba Team
> Samba Developer, Catalyst IT
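
The realm-from-DNS-domain assumption mentioned in the quoted reply, as an added example that is not part of the original thread or of Samba's code: a simplified Python model of the [domain_realm] lookup and uppercase-domain fallback described in MIT krb5's krb5.conf documentation (KDC referrals and realm_try_domains are not modelled). The realm name, host names and config text are constructed for illustration.

```python
# Simplified model of host-to-realm resolution as documented for the
# [domain_realm] section of MIT krb5's krb5.conf. KDC referrals and
# realm_try_domains are deliberately not modelled.

def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries of a krb5.conf-style text as a dict."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Exact host entry, then '.parent' entries (most specific first),
    then the fallback: the host's domain portion in upper case."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return ".".join(labels[1:]).upper()

def misrouted_hosts(hosts, mapping, ad_realm):
    """Hosts whose derived realm is not the AD realm that issued their keys."""
    return [h for h in hosts if host_realm(h, mapping) != ad_realm]

# Constructed sample data: the AD realm and the hosts' DNS domain differ.
AD_REALM = "AD.EXAMPLE.COM"
HOSTS = ["fs1.corp.example.net", "dc1.ad.example.com"]
NO_MAPPING = "[libdefaults]\n default_realm = AD.EXAMPLE.COM\n"
WITH_MAPPING = NO_MAPPING + "[domain_realm]\n .corp.example.net = AD.EXAMPLE.COM\n"

if __name__ == "__main__":
    for label, conf in (("no mapping", NO_MAPPING), ("with mapping", WITH_MAPPING)):
        print(label, misrouted_hosts(HOSTS, parse_domain_realm(conf), AD_REALM))
```

In the model, a host in the disjoint DNS domain falls back to a realm named after that domain unless an explicit mapping points it at the AD realm.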
