Bug 9837 - Administrator on AD DC shouldn't have uid 0
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
All All
: P5 normal
: 4.3
Assigned To: Andrew Bartlett
Samba QA Contact
Reported: 2013-04-30 08:00 UTC by Björn Jacke
Modified: 2018-03-12 13:35 UTC (History)
Description Björn Jacke 2013-04-30 08:00:07 UTC
The Administrator user on a DC should not have the uid number 0.

If winbind is put in /etc/nsswitch.conf then there are two users with uid number 0: root and DOMAIN\Administrator. Programs will more or less randomly see that root or user DOMAIN\Administrator is the one with uid 0. The order of files/winbind in nsswitch.conf isn't sufficient to work around this issue. Which of the two is returned also depends on whether or not nscd is running on a Linux system. I ran into the problem when I wanted to make an ssh login from one DC to another DC and it complained about the ssh config directory of root not existing - ssh thought root's ssh directory would be /home/DOMAIN/Administrator/.ssh - ouch ...
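A check for the collision described in the report above, as an added example that is not part of the original bug report or of Samba: it flags every uid that more than one account name resolves to. The sample entries are constructed, and the function names and the `--live` switch are hypothetical.

```shell
#!/bin/sh
# Constructed sample in passwd(5) format: what NSS can return on a DC where
# both "files" and "winbind" answer for uid 0. Not taken from a real host.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
DOMAIN\alice:*:3000010:100::/home/DOMAIN/alice:/bin/false
root:x:0:0:root:/root:/bin/bash
EOF
}

# dup_uids: read passwd lines on stdin, print "<uid> <name>,<name>..." for
# every uid claimed by more than one distinct account name.
dup_uids() {
    awk -F: '
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            if (($3, $1) in seen) next   # same entry twice (e.g. via a cache)
            seen[$3, $1] = 1
            names[$3] = (count[$3]++ ? names[$3] "," : "") $1
        }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' | sort -n
}

# uid0_owners: print every distinct account name that maps to uid 0.
uid0_owners() {
    awk -F: '$3 == "0" && !seen[$1]++ { print $1 }'
}

# --live asks each NSS source for uid 0 by key, so the result does not
# depend on lookup order in nsswitch.conf or on winbind user enumeration.
if [ "${1:-}" = "--live" ]; then
    { getent -s files passwd 0; getent -s winbind passwd 0; } | dup_uids
else
    sample_passwd | dup_uids
fi
```

Any output line for uid 0 means file ownership, home directory lookup and uid-to-name resolution for root are ambiguous on that host.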
Comment 1 Björn Jacke 2014-02-15 22:33:00 UTC
Andrew, I think this double use of uid 0 is really critical. I changed the Administrator uidNumber in all new setups I've done since I saw the above described issues. I really think we should *by default* assign a "free" and unused uidNumber to the Administrator user and not mess with root's account.
Comment 2 Michael Adam 2015-02-19 11:07:15 UTC
I strongly support this.
The admin should get a uid from the id mapping pool just like any other domain user.
I think using uid 0 (or any other existing UID) creates more problems than it solves.
Comment 3 Björn Jacke 2018-03-09 21:59:22 UTC
The patch to fix these default idmap values was posted here:


Most devs liked the change but it got a NACK from Andrew for now.