Is "Disjoint Namespace" fully functional?

Andrew Bartlett abartlet at
Sun Aug 31 17:34:46 MDT 2014

On Wed, 2014-08-27 at 07:55 +0200, Davor Vusir wrote:
> 2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at>:
> > On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
> >> Guys,
> >>
> >> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
> >> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
> >> working anymore.
> >>
> >> Doc:
> >>
> >> I'm not sure if I did something wrong, or if it is a regression, because as
> >> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
> >> 4.1.11 (from my own Ubuntu PPA:
> >> ).... I'm not sure if it
> >> stopped working because of the upgrade, or because my fault (I tried to add
> >> more forward zones)... So, I'm asking here if it is really supported (the
> >> Disjoint Namespace feature) (or not), or if it worked for me at first, "by
> >> luck"...
> >
> > "by luck" is the best answer I can give.  In particular, the assumption
> > in Linux krb5 client libs is that the kerberos realm can be found from
> > the DNS domain, rather than the 'ask my KDC' approach windows uses.
> >
> "ask my KDC"?
> says different. Using Kerberos to get authenticated and authorized dns
> updates is one thing, letting clients update dns is another.

I'm not sure quite what you refer to here, but for the clarity of
others, this page sums up my concerns:

Specifically, linux systems and Samba are quite likely to be systems
that assume that the primary DNS suffix the the same as the AD domain
suffix, absent special configuration in the krb5.conf (domain_realm
mapping) or support for and the addition of magic TXT records (I think
only Heimdal can do that, and it is off by default anyway).

Expect trouble. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list