[Samba] name resolve order parameter for security=ads

Jonathan Neuhauser jonathan.neuhauser at kit.edu
Mon Jul 11 14:07:28 UTC 2022


Dear Rowland,

thanks for your feedback! I don't have permissions to manage trusts on 
the example.org domain (for an incoming trust, it looks like one needs 
to be a member of Incoming Forest Trust Builders), so at least from a 
cursory search, what you're suggesting might not be possible for me.

>> # Generated by resolvconf
>> domain subdomain.example.org
>> <here, the DNS resolvers of my domain are listed, which are set by
>> DHCP>
> Yes, but are they in the 'subdomain.example.org' dns domain or in the
> 'example.org' dns domain ?

The DNS resolvers are the central ones of the domain ('example.org').

> Yes, but your realm should be 'SUBDOMAIN.EXAMPLE.ORG'
>
> Rowland

"subdomain.example.org" is only a DNS domain at the moment. My 
organisation uses this to avoid name collisions between different 
working groups who manage their IT more or less independently, however 
there is only one central DNS service for the domain, and only one AD 
domain. We have several hundred of these DNS subdomains, surely the 
solution can't be to create and manage an extra DC for each working 
group that wants to use samba?

May I ask what would be the consequences of not creating an additional 
domain, i.e. what could break? Without the "name resolve order" 
parameter, almost everything works fine: kinit, wbinfo -i username, 
local login, PAM / NSS integration, permissions, domain groups, SSO from 
Windows to access the shares hosted by this host, even SSO for websites 
hosted by this host...

The only issue I have with my production config, really, is that login 
with a domain account doesn't work after the machine was resumed from 
hibernation (but nothing is logged at all). Since login normally works, 
I doubt this has something to do with the disjoint namespace situation 
that I unfortunately have, and I might create a separate thread for that 
at some point.

Thanks in advance,

Jonathan



