On Fri, 08 Sep 2023 09:11:20 +1200
Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2023-09-07 at 22:01 +0100, Rowland Penny via samba wrote:
> > On Fri, 08 Sep 2023 08:45:24 +1200
> > Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> >
> > > On Thu, 2023-09-07 at 10:03 +0500, Anton Shevtsov via samba wrote:
> > > >
> > > > [user at dc.aaa.bbb ~]$ kinit administrator
> > > > Password for administrator at AAA.BBB:
> > > > Warning: Your password will expire in 27 days on ?? 05 ??? 2023 09:44:26
> > > > [user at dc.aaa.bbb ~]$ klist
> > > > Ticket cache: FILE:/tmp/krb5cc_500
> >
> > Just a question: why does Administrator have a ticket with the ID
> > '500'? I would expect /tmp/krb5cc_0
>
> That is just the local unix UID on the client, Anton is connecting as
> user administrator, but is practising good security hygiene and not
> running the commands as root (using account user with local id 500)
> to make the connection. This is best practice as root is not
> required as these commands don't use the local DB directly.
>
> Andrew Bartlett
I think you may be missing my point. The OP runs kinit to get a ticket
for Administrator:

[user at dc.aaa.bbb ~]$ kinit administrator

Presumably the 'dc' in 'dc.aaa.bbb' means they are doing this on a Samba
AD DC.

The ticket is created here:

Ticket cache: FILE:/tmp/krb5cc_500

Now, as this is a DC, I would not expect to see 500, but a number in the
'3000000' range, unless the OP has given their user a uidNumber, in
which case, why use '500'? A number that just happens to be
Administrator's RID.

Rowland
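As an added example (not code from any of the posts in this thread): a small POSIX shell script that applies the reasoning above as a check. It reads the "Ticket cache:" line that klist prints, extracts the UID that Kerberos embeds in the default FILE:/tmp/krb5cc_<uid> name, and classifies it. It assumes the Samba default that xidNumbers allocated in idmap.ldb on an AD DC start at 3000000 (the range Rowland refers to); the sample klist output is constructed to match the OP's session, and the `live` mode runs the real klist and id(1) on the current host.

```shell
#!/bin/sh
# Added example for this thread (not code from the list posts): inspect the
# "Ticket cache:" line from klist, pull out the UID that the default
# FILE:/tmp/krb5cc_<uid> name encodes, and classify it. The 3000000 boundary
# is the assumed Samba default start of the xidNumber range allocated on an
# AD DC for accounts that carry no uidNumber attribute.

# Constructed sample, modelled on the OP's session (no live klist needed).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: administrator@AAA.BBB'

# Print the numeric suffix of a FILE:/tmp/krb5cc_<uid> cache name found in
# klist output; print nothing if the cache is not of that form (e.g. KEYRING).
ccache_uid() {
    printf '%s\n' "$1" |
        sed -n 's|^Ticket cache: FILE:/tmp/krb5cc_\([0-9][0-9]*\).*$|\1|p' |
        head -n 1
}

# Classify a numeric UID observed on a Samba AD DC.
classify_uid() {
    case "$1" in
        ''|*[!0-9]*) echo "not-a-uid"; return 1 ;;
    esac
    if [ "$1" -eq 0 ]; then
        echo "root"
    elif [ "$1" -ge 3000000 ]; then
        echo "allocated-xid"    # idmap.ldb allocated the ID; no uidNumber set
    else
        echo "explicit-uid"     # a uidNumber attribute or a purely local account
    fi
}

# Succeed only when the ccache named in the klist output belongs to the given
# UID, i.e. the cache was created by that local user and not by someone else.
ccache_matches_uid() {
    [ -n "$(ccache_uid "$1")" ] && [ "$(ccache_uid "$1")" = "$2" ]
}

# Same check against the live session; only invoked when run with "live".
check_live_session() {
    out=$(klist 2>/dev/null) || { echo "no credential cache"; return 1; }
    ccache_matches_uid "$out" "$(id -u)"
}

if [ "${1:-}" = "live" ]; then
    check_live_session && echo "ccache belongs to uid $(id -u)"
else
    uid=$(ccache_uid "$SAMPLE_KLIST")
    echo "sample ccache uid: $uid -> $(classify_uid "$uid")"
fi
```

Run it without arguments to see the classification of the constructed sample (500, which is below the allocated range and therefore points at an explicit uidNumber or a local account), or as `sh check_ccache.sh live` on a DC to confirm that the cache klist reports belongs to the UID you are actually running as.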