The Samba-Bugzilla – Bug 9837
Administrator on AD DC shouldn't have uid 0
Last modified: 2018-03-12 13:35:21 UTC
The Administrator user on a DC should not have the uid number 0.
If winbind is put in /etc/nsswitch.conf then there are two users with uid number 0: root and DOMAIN\Administrator. Programs will more or less randomly see that root or user DOMAIN\Administrator is the one with uid 0. The order of files/winbind in nsswitch.conf isn't sufficient to work around this issue. Which of the two is returned also depends on whether or not nscd is running on a Linux system. I ran into the problem when I wanted to make an ssh login from one DC to another DC and it complained about the ssh config directory of root not existing - ssh thought root's ssh directory would be /home/DOMAIN/Administrator/.ssh - ouch ...
Andrew, I think this double use of uid 0 is really critical. I changed the Administrator uidNumber in all new setups I've done since I saw the above described issues. I really think we should *by default* assign a "free" and unused uidNumber to the Administrator user and not mess with root's account.
I strongly support this.
The admin should get a uid from the id mapping pool just like any other domain user.
I think using uid 0 (or any other existing UID) creates more problems than it solves.
The patch to fix these default idmap values was posted here:
Most devs liked the change but it got a NACK from Andrew for now.
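A check for the collision described in this report, added here as an example and not taken from the bug thread or from Samba: it reads passwd-format lines and reports every uid that more than one account name maps to. The function names and the sample entries (gids, shells, the `alice` account) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report uids claimed by more than one account name in
# passwd-format input (name:passwd:uid:gid:gecos:home:shell).

# find_uid_collisions: reads passwd-format lines on stdin and prints one
# line per shared uid, "<uid> <name1>,<name2>,...", sorted by uid.
find_uid_collisions() {
    awk -F: '
        NF >= 7 && $3 ~ /^[0-9]+$/ {
            key = $3 SUBSEP $1
            if (key in seen) next      # same entry returned twice, e.g. by a cache
            seen[key] = 1
            names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
            count[$3]++
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid, names[uid]
        }
    ' | sort -n
}

# uid0_is_shared: exit status 0 when more than one name maps to uid 0.
uid0_is_shared() {
    find_uid_collisions | grep -q '^0 '
}

# Constructed sample of the NSS view on a DC as described in the report:
# root from files and DOMAIN\Administrator from winbind both carry uid 0.
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
DOMAIN\alice:*:3000010:100::/home/DOMAIN/alice:/bin/false
root:x:0:0:root:/root:/bin/bash'

printf '%s\n' "$SAMPLE" | find_uid_collisions
```

On a live host, pipe `getent passwd` into `find_uid_collisions`. Domain accounts are only listed there when winbind user enumeration is enabled, so otherwise append an explicit `getent passwd 'DOMAIN\Administrator'` lookup to the input.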