Is "Disjoint Namespace" fully functional?
Martinx - ジェームズ
thiagocmartinsc at gmail.com
Mon Sep 1 19:13:27 MDT 2014
It is working again! :-D
But not 100%, sometimes it still fails, here and there...
I realized that it stopped working because, for "safety", I deployed a
Windows 2008 R2 as a Secondary DC, and then, from now on, this new Windows
Domain Controller is "joining" itself as a Primary Server (DNS), visible
under "Start of Authority (SOA)" tab (DNS Manager), for all Zones! Look:
* Creating a new Zone (using DNS Manager), Samba is "Primary server", as
* But, a couple of minutes later, Windows DC becomes the "Primary server" for
This seems to be breaking the "Disjoint Namespaces" functionality.
And since Samba DNS (Bind9 backend) doesn't have an implemented function to
revert this (I can not make "ubuntu-ad-1" back to `Primary Server` using
DNS Manager, I see a Samba error about a function not being implemented),
now, I need to access the Windows DC, to make "ubuntu-ad-1" Primary Server
again, like this:
I think that the Windows DC has something related to "DNS Delegation"
activated... I don't know how to disable this.
But, now I can not remove Windows DC from my Samba domain, it doesn't leave
(I'm affected by BUG: https://bugzilla.samba.org/show_bug.cgi?id=10595)...
I tried to remove it using dcpromo but, it doesn't work in the end... :-@
This problem seems to be related to BUG 9831 and possibly with "Disjoint
Namespace" (I'm not sure, just a guess):
msDS-AllowedDNSSuffixes has no effect, it is just being ignored by Samba.
On 27 August 2014 02:55, Davor Vusir <davortvusir at gmail.com> wrote:
> 2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> > On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
> >> Guys,
> >> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
> >> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
> >> working anymore.
> >> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
> >> I'm not sure if I did something wrong, or if it is a regression, because as
> >> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
> >> 4.1.11 (from my own Ubuntu PPA:
> >> https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure if it
> >> stopped working because of the upgrade, or because my fault (I tried to
> >> more forward zones)... So, I'm asking here if it is really supported
> >> Disjoint Namespace feature) (or not), or if it worked for me at first,
> >> luck"...
> > "by luck" is the best answer I can give. In particular, the assumption
> > in Linux krb5 client libs is that the kerberos realm can be found from
> > the DNS domain, rather than the 'ask my KDC' approach windows uses.
> "ask my KDC"? http://technet.microsoft.com/en-us/library/cc771255.aspx
> says different. Using Kerberos to get authenticated and authorized dns
> updates is one thing, letting clients update dns is another.
> >> Or if there is
> >> something that I can do to fix my "Disjoint Namespaces"...
> > The best suggestion I can suggest is to do a git bisect between when it
> > worked and now, and see if something is clear. It looks like an
> > interesting feature, but it certainly has challenges.
> > Andrew Bartlett
> > --
> > Andrew Bartlett
> > http://samba.org/~abartlet/
> > Authentication Developer, Samba Team http://samba.org
> > Samba Developer, Catalyst IT
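The symptom described at the top of the thread (a newly promoted Windows DC silently replacing the Samba DC as the SOA "Primary server" of every zone) is easy to spot from the outside by reading the SOA record's MNAME field. The following POSIX sh script is an added example, not code from the thread or from the Samba project: it queries each DC with `dig`, extracts the MNAME from the SOA answer, and reports any zone whose primary server has drifted away from the Samba DC you expect. The hostnames and zone names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): detect SOA "Primary server" (MNAME)
# drift across AD-integrated DNS zones. All names below are constructed.

# The DC that should appear as the SOA primary (constructed placeholder).
EXPECTED_PRIMARY="ubuntu-ad-1.example.local."

# Print the MNAME (primary server) of one SOA RDATA line, lower-cased.
# Input looks like: "ns1.example. hostmaster.example. 1 900 600 86400 3600"
soa_mname() {
    printf '%s\n' "$1" | awk '{ print tolower($1) }'
}

# Return 0 when the MNAME of the given SOA line matches EXPECTED_PRIMARY.
soa_matches() {
    expected=$(printf '%s' "$EXPECTED_PRIMARY" | tr 'A-Z' 'a-z')
    [ "$(soa_mname "$1")" = "$expected" ]
}

# Live check: ask every DC for every zone's SOA and flag drift.
#   $1: space-separated zones, $2: space-separated DC addresses
check_zones() {
    for zone in $1; do
        for dc in $2; do
            rdata=$(dig +short @"$dc" "$zone" SOA | head -n 1)
            if [ -z "$rdata" ]; then
                echo "WARN  $zone @$dc: no SOA answer"
            elif soa_matches "$rdata"; then
                echo "OK    $zone @$dc: primary is $(soa_mname "$rdata")"
            else
                echo "DRIFT $zone @$dc: primary is $(soa_mname "$rdata"), expected $EXPECTED_PRIMARY"
            fi
        done
    done
}

# Usage (constructed names): run from cron and alert on any DRIFT line.
# check_zones "example.local _msdcs.example.local" "10.0.0.10 10.0.0.11"
```

Querying every DC, not just one, matters here: with AD-integrated zones each DC answers from its own copy of the data, so a disagreement between the Samba DC and the Windows DC shows up before replication converges and points at which side rewrote the record.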