Is "Disjoint Namespace" fully functional?

Martinx - ジェームズ thiagocmartinsc at
Mon Sep 1 19:13:27 MDT 2014

Hey guys!

It is working again!      :-D

But not 100%, sometimes it still fails, here and there...

I realized that it stopped working because, for "safety", I deployed a
Windows 2008 R2 as a Secondary DC, and then, from now on, this new Windows
Domain Controller is "joining" itself as a Primary Server (DNS), visible
under "Start of Authority (SOA)" tab (DNS Manager), for all Zones! Look:


* Creating a new Zone (using DNS Manager), Samba is "Primary server", as

* But, couple minutes latter, Windows DC becomes the "Primary server" for
that domain:

This seems to be breaking the "Disjoint Namespaces" functionality.


And since Samba DNS (Bind9 backend) doesn't have an implemented function to
revert this (I can not make "ubuntu-ad-1" back to `Primary Server` using
DNS Manager, I see a Samba error about a function not being implemented),
now, I need to access the Windows DC, to make "ubuntu-ad-1" Primary Server
again, like this:

I think that Windows DC have something related to "DNS Delegation"
activated... I don't know how to disable this.

But, now I can not remove Windows DC from my Samba domain, it doesn't leave
(I'm affected by BUG:
I tried to remove it using dcpromo but, it doesn't work in the end...   :-@



This problem seems to be related to BUG 9831 and possibly with "Disjoint
Namespace (I'm not sure, just a guess)":

msDS-AllowedDNSSuffixes have no effect, it is just being ignored by Samba.


On 27 August 2014 02:55, Davor Vusir <davortvusir at> wrote:

> 2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at>:
> > On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
> >> Guys,
> >>
> >> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was
> using a
> >> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
> >> working anymore.
> >>
> >> Doc:
> >>
> >> I'm not sure if I did something wrong, or if it is a regression,
> because as
> >> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
> >> 4.1.11 (from my own Ubuntu PPA:
> >> ).... I'm not sure
> if it
> >> stopped working because of the upgrade, or because my fault (I tried to
> add
> >> more forward zones)... So, I'm asking here if it is really supported
> (the
> >> Disjoint Namespace feature) (or not), or if it worked for me at first,
> "by
> >> luck"...
> >
> > "by luck" is the best answer I can give.  In particular, the assumption
> > in Linux krb5 client libs is that the kerberos realm can be found from
> > the DNS domain, rather than the 'ask my KDC' approach windows uses.
> >
> "ask my KDC"?
> says different. Using Kerberos to get authenticated and authorized dns
> updates is one thing, letting clients update dns is another.
> Regards
> Davor
> >> Or if there is
> >> something that I can do to fix my "Disjoint Namespaces"...
> >
> > The best suggestion I can suggest is to do a git bisect between when it
> > worked and now, and see if something is clear.  It looks like an
> > interesting feature, but it certainly has challenges.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett
> >
> > Authentication Developer, Samba Team
> > Samba Developer, Catalyst IT
> >
> >
> >
> >

More information about the samba-technical mailing list