Is "Disjoint Namespace" fully functional?
Andrew Bartlett
abartlet at samba.org
Mon Sep 1 00:30:49 MDT 2014
On Mon, 2014-09-01 at 02:17 -0400, Simo wrote:
> On Mon, 2014-09-01 at 11:34 +1200, Andrew Bartlett wrote:
> > On Wed, 2014-08-27 at 07:55 +0200, Davor Vusir wrote:
> > > 2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> > > > On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
> > > >> Guys,
> > > >>
> > > >> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
> > > >> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
> > > >> working anymore.
> > > >>
> > > >> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
> > > >>
> > > >> I'm not sure if I did something wrong, or if it is a regression, because as
> > > >> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
> > > >> 4.1.11 (from my own Ubuntu PPA:
> > > >> https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure if it
> > > >> stopped working because of the upgrade, or because my fault (I tried to add
> > > >> more forward zones)... So, I'm asking here if it is really supported (the
> > > >> Disjoint Namespace feature) (or not), or if it worked for me at first, "by
> > > >> luck"...
> > > >
> > > > "by luck" is the best answer I can give. In particular, the assumption
> > > > in Linux krb5 client libs is that the kerberos realm can be found from
> > > > the DNS domain, rather than the 'ask my KDC' approach windows uses.
> > > >
> > > "ask my KDC"? http://technet.microsoft.com/en-us/library/cc771255.aspx
> > > says different. Using Kerberos to get authenticated and authorized dns
> > > updates is one thing, letting clients update dns is another.
> >
> > I'm not sure quite what you refer to here, but for the clarity of
> > others, this page sums up my concerns:
> >
> > http://technet.microsoft.com/en-us/library/cc731125%28v=ws.10%29.aspx
> >
> > Specifically, linux systems and Samba are quite likely to be systems
> > that assume that the primary DNS suffix the the same as the AD domain
> > suffix, absent special configuration in the krb5.conf (domain_realm
> > mapping) or support for and the addition of magic TXT records (I think
> > only Heimdal can do that, and it is off by default anyway).
> >
> > Expect trouble.
>
> For what is worth, both MIT and Heimdal support using the _kerberos TXT
> record to associate a DNS domain to a REALM and both clients check it if
> enabled in krb5.conf
>
> Also we use disjoint namespaces in FreeIPA, so allow client from
> multiple DNS domains to be joined to one FreeIPA server. In order to do
> that some configuration need to be distributed to the client
> (domain_realm mappings), although MIT is working on making it easier to
> let the KDC do the mappings and have clients ask the KDC.
>
> We communicate the DNS namespaces we control to Trusted Windows AD
> realms too, so Windows clients can also find the right KDC.
>
> Some care needs to be taken, but it is doable.
Thanks Simo,
Great to know there is some hope here!
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list