Is "Disjoint Namespace" fully functional?

Davor Vusir davortvusir at gmail.com
Mon Sep 1 05:31:46 MDT 2014


2014-09-01 1:34 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Wed, 2014-08-27 at 07:55 +0200, Davor Vusir wrote:
>> 2014-08-27 0:38 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
>> > On Tue, 2014-08-26 at 16:24 -0300, Martinx - ジェームズ wrote:
>> >> Guys,
>> >>
>> >> During my first month with Samba4 AD DC (4.1.6 from Trusty), I was using a
>> >> feature called "Disjoint Namespaces" but, now (Samba 4.1.11), it isn't
>> >> working anymore.
>> >>
>> >> Doc: http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx
>> >>
>> >> I'm not sure if I did something wrong, or if it is a regression, because as
>> >> I said, I was using Samba 4.1.6 from Ubuntu Trusty, now I'm using Samba
>> >> 4.1.11 (from my own Ubuntu PPA:
>> >> https://launchpad.net/~martinx/+archive/ubuntu/ig ).... I'm not sure if it
>> >> stopped working because of the upgrade, or because my fault (I tried to add
>> >> more forward zones)... So, I'm asking here if it is really supported (the
>> >> Disjoint Namespace feature) (or not), or if it worked for me at first, "by
>> >> luck"...
>> >
>> > "by luck" is the best answer I can give.  In particular, the assumption
>> > in Linux krb5 client libs is that the kerberos realm can be found from
>> > the DNS domain, rather than the 'ask my KDC' approach windows uses.
>> >
>> "ask my KDC"? http://technet.microsoft.com/en-us/library/cc771255.aspx
>> says different. Using Kerberos to get authenticated and authorized dns
>> updates is one thing, letting clients update dns is another.
>
> I'm not sure quite what you refer to here, but for the clarity of
> others, this page sums up my concerns:
>

Sorry. I'm assuming that Martin is using one DNS domain, example.org,
where the clients and perhaps servers belong: client1.example.org,
server1.example.org... He also uses (allows) dynamic updates for that
zone. For the AD DC realm he uses the DNS domain samba.example.org.
When the client and server computers are made domain members of the
AD domain samba.example.org, a GPO is applied which configures them
to use a different primary DNS suffix, which makes the clients contact
the SOA for that DNS domain. If the 'client' domain (example.org)
isn't configured for secure updates, the name server will accept the
update, regardless of the presence of a KDC. I was assuming that
Martin is using/allowing dynamic updates.

> http://technet.microsoft.com/en-us/library/cc731125%28v=ws.10%29.aspx
>
Except for the two supported examples, I don't think any of it is of
any concern for the Samba Team.

And Simo Sorce is suggesting that a more complex approach is possible.
And it is.

It is the sysadmin's responsibility to get themselves informed about
supported configurations and to check application compatibility. Not
yours.

> Specifically, linux systems and Samba are quite likely to be systems
> that assume that the primary DNS suffix is the same as the AD domain
> suffix, absent special configuration in the krb5.conf (domain_realm
> mapping) or support for and the addition of magic TXT records (I think
> only Heimdal can do that, and it is off by default anyway).
>
> Expect trouble.
>
Wouldn't the following in krb5.conf suffice:
[domain_realm]
  .subdomain1.example.org = SAMBA.EXAMPLE.ORG
...
  .subdomainN.example.org = SAMBA.EXAMPLE.ORG
  .samba.example.org = SAMBA.EXAMPLE.ORG
  samba.example.org = SAMBA.EXAMPLE.ORG

Regards
Davor

> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
>
>
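The exchange above turns on how a Linux Kerberos client decides which realm a host belongs to: the [domain_realm] relations in krb5.conf are consulted first, and when none match, the client falls back to upper-casing the host's DNS domain, which is exactly the assumption Andrew warns about. The script below is an added example written for this page; it is not Samba or MIT krb5 code and not part of the original thread. It models the documented lookup order (exact host name, then leading-dot suffixes from longest to shortest, then the upper-cased-domain fallback) against a constructed krb5.conf that fills in one hypothetical subdomain name (`subdomain1`) for the fragment Davor proposes. DNS TXT lookups (`dns_lookup_realm`) and KDC referrals are deliberately not modeled. The last sample host, client1.example.org, sits in the parent DNS domain that the proposed fragment does not list, and lands on the fallback realm EXAMPLE.ORG, which in a disjoint namespace has no KDC: that is the "expect trouble" case.

```python
"""Model of how a krb5.conf-driven client picks a Kerberos realm for a host.

Added example; not Samba or MIT krb5 code. Lookup order follows the
documented [domain_realm] semantics; DNS TXT and referral paths are omitted.
"""
import re


# Constructed sample krb5.conf. 'subdomain1' is a hypothetical name standing
# in for the ".subdomainN.example.org" lines proposed in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = SAMBA.EXAMPLE.ORG
  dns_lookup_realm = false

[domain_realm]
  .subdomain1.example.org = SAMBA.EXAMPLE.ORG
  .samba.example.org = SAMBA.EXAMPLE.ORG
  samba.example.org = SAMBA.EXAMPLE.ORG
"""


def parse_domain_realm(conf: str) -> dict:
    """Extract the flat key = value relations of the [domain_realm] section.

    Keys are lower-cased because host names are case-insensitive. A key with
    a leading dot covers every host under that domain; a key without one
    covers only that exact host name. Brace-nested sections such as [realms]
    are not needed here and are simply skipped.
    """
    mapping = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def host_realm(hostname: str, domain_realm: dict) -> tuple:
    """Return (realm, how) for a host.

    Order: exact host name, then each leading-dot suffix from longest to
    shortest, then the fallback of upper-casing the host's DNS domain.
    """
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host], "exact"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix], "suffix " + suffix
    # No relation matched: the client guesses that the DNS domain, upper-cased,
    # is the realm. In a disjoint namespace that realm has no KDC.
    if len(labels) > 1:
        return ".".join(labels[1:]).upper(), "fallback"
    return None, "none"


def classify(hostname: str, domain_realm: dict, ad_realm: str) -> str:
    """'ok' when the chosen realm is the AD realm, otherwise 'wrong-realm'."""
    realm, _ = host_realm(hostname, domain_realm)
    return "ok" if realm == ad_realm else "wrong-realm"


if __name__ == "__main__":
    relations = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("dc1.samba.example.org", "samba.example.org",
              "Client1.SubDomain1.Example.ORG", "client1.example.org"):
        realm, how = host_realm(h, relations)
        verdict = classify(h, relations, "SAMBA.EXAMPLE.ORG")
        print(f"{h:32} -> {str(realm):20} ({how}, {verdict})")
```

Running it shows the three hosts covered by the relations resolving to SAMBA.EXAMPLE.ORG and client1.example.org falling through to EXAMPLE.ORG; adding a `.example.org = SAMBA.EXAMPLE.ORG` relation (or a TXT record where the client library supports it) is what closes that gap on a real client.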

