Is "Disjoint Namespace" fully functional?

Martinx - ジェームズ thiagocmartinsc at gmail.com
Mon Sep 1 19:13:27 MDT 2014


Hey guys!

It is working again!      :-D

But not 100%; sometimes it still fails, here and there...

I realized that it stopped working because, for "safety", I deployed a
Windows 2008 R2 server as a secondary DC, and since then, this new Windows
Domain Controller has been "joining" itself as the Primary Server (DNS),
visible under the "Start of Authority (SOA)" tab (DNS Manager), for all
zones! Look:

--

* Creating a new zone (using DNS Manager), Samba is the "Primary server",
as expected:

http://i.imgur.com/pbBSwVm.png


* But, a couple of minutes later, the Windows DC becomes the "Primary
server" for that domain:

http://i.imgur.com/EEDl13Q.png

This seems to be breaking the "Disjoint Namespaces" functionality.

--

And since Samba DNS (Bind9 backend) doesn't have an implemented function to
revert this (I cannot make "ubuntu-ad-1" the `Primary Server` again using
DNS Manager; I see a Samba error about a function not being implemented),
I now need to access the Windows DC to make "ubuntu-ad-1" the Primary Server
again, like this:

http://i.imgur.com/FOKYUoq.png

--
I think that the Windows DC has something related to "DNS Delegation"
activated... I don't know how to disable this.

But now I cannot remove the Windows DC from my Samba domain; it doesn't
leave (I'm affected by this bug: https://bugzilla.samba.org/show_bug.cgi?id=10595)...
I tried to remove it using dcpromo, but it doesn't work in the end...   :-@

--

NOTES:

This problem seems to be related to BUG 9831 and possibly to "Disjoint
Namespace" (I'm not sure, just a guess):
https://lists.samba.org/archive/samba-technical/2014-August/101874.html

https://bugzilla.samba.org/show_bug.cgi?id=9831

msDS-AllowedDNSSuffixes has no effect; it is just being ignored by Samba.
--

Cheers!
Thiago


On 27 August 2014 02:55, Davor Vusir <davortvusir at gmail.com> wrote:

> 2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> > On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
> >> Guys,
> >>
> >> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was
> >> using a feature called "Disjoint Namespaces" but, now (Samba 4.1.11),
> >> it isn't working anymore.
> >>
> >> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
> >>
> >> I'm not sure if I did something wrong, or if it is a regression,
> >> because as I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm
> >> using Samba 4.1.11 (from my own Ubuntu PPA:
> >> https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure
> >> if it stopped working because of the upgrade, or because of my fault
> >> (I tried to add more forward zones)... So, I'm asking here if it is
> >> really supported (the Disjoint Namespace feature) (or not), or if it
> >> worked for me at first, "by luck"...
> >
> > "by luck" is the best answer I can give.  In particular, the assumption
> > in Linux krb5 client libs is that the kerberos realm can be found from
> > the DNS domain, rather than the 'ask my KDC' approach windows uses.
> >
> "ask my KDC"? http://technet.microsoft.com/en-us/library/cc771255.aspx
> says different. Using Kerberos to get authenticated and authorized dns
> updates is one thing, letting clients update dns is another.
>
> Regards
> Davor
>
> >> Or if there is
> >> something that I can do to fix my "Disjoint Namespaces"...
> >
> > The best suggestion I can suggest is to do a git bisect between when it
> > worked and now, and see if something is clear.  It looks like an
> > interesting feature, but it certainly has challenges.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett
> > http://samba.org/~abartlet/
> > Authentication Developer, Samba Team  http://samba.org
> > Samba Developer, Catalyst IT  http://catalyst.net.nz/services/samba
> >
>
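As an added example (not code from this thread, from Samba or from Microsoft), here is a small Python check for the symptom Thiago describes: take a snapshot of the SOA record of every zone, take another one a few minutes later, and report zones whose MNAME (the "Primary server" shown in DNS Manager) is no longer the Samba DC, or has moved between snapshots. The input format is what `dig +noall +answer SOA <zone> @<dc>` prints. The answer lines below are constructed, and the FQDNs `ubuntu-ad-1.example.local` and `win2k8-dc.example.local` are assumptions (the thread only names the host `ubuntu-ad-1`).

```python
"""Audit SOA MNAME of AD DNS zones and report zones whose primary server moved.

Added example; not part of the samba-technical thread or of Samba itself.
Feed it the output of `dig +noall +answer SOA <zone> @<dc>` for each zone.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One dig answer line:
#   zone  ttl  IN  SOA  mname  rname  serial  refresh  retry  expire  minimum
SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+"
    r"(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+"
    r"(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)

# Constructed sample snapshots (not real dig output). Host names are assumptions.
SNAPSHOT_BEFORE = """\
; constructed sample: right after creating the zones in DNS Manager
example.local.       3600 IN SOA ubuntu-ad-1.example.local. hostmaster.example.local. 12 900 600 86400 3600
corp.example.local.  3600 IN SOA ubuntu-ad-1.example.local. hostmaster.example.local. 5 900 600 86400 3600
"""
SNAPSHOT_AFTER = """\
; constructed sample: a couple of minutes later
example.local.       3600 IN SOA ubuntu-ad-1.example.local. hostmaster.example.local. 12 900 600 86400 3600
corp.example.local.  3600 IN SOA win2k8-dc.example.local. hostmaster.example.local. 7 900 600 86400 3600
"""


@dataclass(frozen=True)
class Soa:
    zone: str
    mname: str   # primary master name server ("Primary server" in DNS Manager)
    rname: str   # responsible mailbox
    serial: int


def canon(name: str) -> str:
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.rstrip(".").lower()


def parse_soa_answers(text: str) -> List[Soa]:
    """Parse dig-style SOA answer lines; ';' comment lines and blanks are skipped."""
    records: List[Soa] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SOA_RE.match(line)
        if m is None:
            raise ValueError(f"not an SOA answer line: {line!r}")
        records.append(Soa(canon(m["zone"]), canon(m["mname"]),
                           canon(m["rname"]), int(m["serial"])))
    return records


def zones_not_primary(records: Iterable[Soa], expected_dc: str) -> Dict[str, str]:
    """Zones whose SOA MNAME is not the expected DC, mapped to the DC named instead."""
    want = canon(expected_dc)
    return {r.zone: r.mname for r in records if r.mname != want}


def mname_changes(before: Iterable[Soa], after: Iterable[Soa]) -> Dict[str, Tuple[str, str]]:
    """Zones whose MNAME differs between two snapshots: zone -> (old, new)."""
    old = {r.zone: r for r in before}
    changed: Dict[str, Tuple[str, str]] = {}
    for r in after:
        prev = old.get(r.zone)
        if prev is not None and prev.mname != r.mname:
            changed[r.zone] = (prev.mname, r.mname)
    return changed


if __name__ == "__main__":
    expected = "ubuntu-ad-1.example.local"   # assumed Samba DC FQDN
    before = parse_soa_answers(SNAPSHOT_BEFORE)
    after = parse_soa_answers(SNAPSHOT_AFTER)
    for zone, dc in zones_not_primary(after, expected).items():
        print(f"{zone}: primary server is {dc}, expected {expected}")
    for zone, (old, new) in mname_changes(before, after).items():
        print(f"{zone}: MNAME moved from {old} to {new}")
```

Run it from cron against both DCs and keep the previous snapshot; the diff between two snapshots taken a few minutes apart is what exposes the takeover described above. It only detects the change; as the thread says, putting the Samba DC back as the SOA primary had to be done from the Windows DC side.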


More information about the samba-technical mailing list