Is "Disjoint Namespace" fully functional?
simo at samba.org
Mon Sep 1 00:17:24 MDT 2014
On Mon, 2014-09-01 at 11:34 +1200, Andrew Bartlett wrote:
> On Wed, 2014-08-27 at 07:55 +0200, Davor Vusir wrote:
> > 2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> > > On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
> > >> Guys,
> > >>
> > >> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
> > >> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
> > >> working anymore.
> > >>
> > >> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
> > >>
> > >> I'm not sure if I did something wrong, or if it is a regression, because as
> > >> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
> > >> 4.1.11 (from my own Ubuntu PPA:
> > >> https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure if it
> > >> stopped working because of the upgrade, or because of my fault (I tried to add
> > >> more forward zones)... So, I'm asking here if it is really supported (the
> > >> Disjoint Namespace feature) (or not), or if it worked for me at first, "by
> > >> luck"...
> > >
> > > "by luck" is the best answer I can give. In particular, the assumption
> > > in Linux krb5 client libs is that the kerberos realm can be found from
> > > the DNS domain, rather than the 'ask my KDC' approach windows uses.
> > >
> > "ask my KDC"? http://technet.microsoft.com/en-us/library/cc771255.aspx
> > says different. Using Kerberos to get authenticated and authorized dns
> > updates is one thing, letting clients update dns is another.
> I'm not sure quite what you refer to here, but for the clarity of
> others, this page sums up my concerns:
> Specifically, linux systems and Samba are quite likely to be systems
> that assume that the primary DNS suffix is the same as the AD domain
> suffix, absent special configuration in the krb5.conf (domain_realm
> mapping) or support for and the addition of magic TXT records (I think
> only Heimdal can do that, and it is off by default anyway).
> Expect trouble.
For what it's worth, both MIT and Heimdal support using the _kerberos TXT
record to associate a DNS domain to a REALM, and both clients check it if
enabled in krb5.conf.
Also we use disjoint namespaces in FreeIPA, to allow clients from
multiple DNS domains to be joined to one FreeIPA server. In order to do
that some configuration needs to be distributed to the client
(domain_realm mappings), although MIT is working on making it easier to
let the KDC do the mappings and have clients ask the KDC.
We communicate the DNS namespaces we control to Trusted Windows AD
realms too, so Windows clients can also find the right KDC.
Some care needs to be taken, but it is doable.
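To make the two client-side mechanisms discussed in this thread concrete, here is a worked example added to this archive page; it is not code from Simo, Samba, FreeIPA, MIT krb5 or Heimdal. It models how a Kerberos client picks a realm for a host whose DNS suffix is disjoint from the AD domain: first through [domain_realm] entries from krb5.conf (an entry with a leading dot matches a domain and its subdomains, one without matches exactly that host), then, if dns_lookup_realm is enabled, through _kerberos TXT records, with an in-memory dict standing in for DNS. Every realm, domain, host name and TXT value below is constructed, and the walk up the name hierarchy is a simplification of what the MIT and Heimdal documentation describe, not the libraries' actual code.

```python
# Added example: realm selection for hosts in a disjoint DNS namespace.
# Not code from Samba, FreeIPA, MIT krb5 or Heimdal. It models the two mechanisms
# named in the thread ([domain_realm] mappings and _kerberos TXT records) so the
# lookup order can be exercised offline. All names and records are constructed.

# Constructed [domain_realm] section: the AD realm is AD.EXAMPLE.COM, but the
# workstations live under the disjoint suffixes corp.example.net and lab.example.org.
DOMAIN_REALM = {
    ".corp.example.net": "AD.EXAMPLE.COM",          # leading dot: whole domain
    ".lab.example.org": "AD.EXAMPLE.COM",
    "legacy-box.lab.example.org": "OLD.EXAMPLE.COM",  # no dot: this host only
}

# Constructed stand-in for DNS: owner name -> TXT record content.
# Only one site publishes a _kerberos TXT record.
TXT_RECORDS = {
    "_kerberos.branch.example.co.uk": "AD.EXAMPLE.COM",
}


def _labels(host):
    """Normalise a hostname to lowercase labels without a trailing dot."""
    return host.lower().rstrip(".").split(".")


def candidate_domains(host):
    """[domain_realm] keys tried in order: the exact host, then each parent domain
    with a leading dot (most specific first)."""
    labels = _labels(host)
    cands = [".".join(labels)]
    for i in range(1, len(labels)):
        cands.append("." + ".".join(labels[i:]))
    return cands


def realm_from_domain_realm(host, mapping=DOMAIN_REALM):
    """Explicit mapping distributed to the client in krb5.conf."""
    for cand in candidate_domains(host):
        if cand in mapping:
            return mapping[cand]
    return None


def realm_from_txt(host, resolver=TXT_RECORDS):
    """Models dns_lookup_realm: query _kerberos.<host>, then _kerberos.<parent>, ...
    The resolver is a dict here; a real client would issue TXT queries."""
    labels = _labels(host)
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in resolver:
            return resolver[name].strip().upper()
    return None


def resolve_realm(host, default_realm=None, dns_lookup_realm=False):
    """Order modelled here: krb5.conf mapping, then TXT (if enabled), then the
    configured default_realm. Returns None when nothing applies, which is the
    'expect trouble' case for a host in an unmapped disjoint namespace."""
    realm = realm_from_domain_realm(host)
    if realm is None and dns_lookup_realm:
        realm = realm_from_txt(host)
    if realm is None:
        realm = default_realm
    return realm


if __name__ == "__main__":
    for h in ("pc1.corp.example.net", "legacy-box.lab.example.org",
              "ws1.branch.example.co.uk"):
        print(h, "->", resolve_realm(h),
              "| with dns_lookup_realm:", resolve_realm(h, dns_lookup_realm=True))
```

The last host shows the point Andrew makes: with no [domain_realm] entry and TXT lookup disabled (the default in both MIT and Heimdal), the client falls back to default_realm or fails outright, even though the KDC would happily serve it.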