On Mon, 11 Sep 2023 08:11:00 +1200
Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2023-09-08 at 07:12 +0100, Rowland Penny via samba wrote:
> > I think you may be missing my point. The OP runs kinit to get a
> > ticket for Administrator:
> >
> > [user at dc.aaa.bbb ~]$ kinit administrator
> >
> > Presumably the 'dc' in 'dc.aaa.bbb' means they are doing this on a
> > Samba AD DC
> >
> > The ticket is created here:
> >
> > Ticket cache: FILE:/tmp/krb5cc_500
> >
> > Now, as this is a DC, I would not expect to see 500, but a number in
> > the '3000000' range, unless the OP has given their user a uidNumber,
> > in which case, why use '500' ? A number that just happens to be
> > Administrator's RID.
>
> The 500 is the local unix id of the kinit process, nothing to do with
> AD. It is named to avoid clashes. If MIT Kerberos was being built
> today, it would have been a totally random string and would not be in
> /tmp, but that is what was done at the time this software was built.
>
> Andrew Bartlett
>
Please do not get upset about this, Andrew, but I think you are talking
a lot of rubbish about the '500'. Yes, it probably would be done
differently now, but that isn't what we are talking about; we are
talking about why any user on a DC would have the Unix ID '500'.
If I (the user rowland) run 'kinit Administrator' on a DC with
'idmap_ldb:use rfc2307 = yes' turned off, I get a Kerberos ticket
'/tmp/krb5cc_3000020' (note the Unix ID '3000020'). The only way that a
user can get the Unix ID '500' on a DC is if 'idmap_ldb:use rfc2307 =
yes' is set in smb.conf and the user has the uidNumber attribute set to
500, which, as I already said, is also the RID for Administrator.
Why would anyone give a normal user the ID '500' ?
Rowland
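As an added illustration of the point argued in this thread (this is example code, not something posted by either participant), the following POSIX shell snippet parses the "Ticket cache:" line that klist prints, extracts the Unix id embedded in the FILE:/tmp/krb5cc_<uid> name, and reports where such an id would come from on a Samba AD DC. It assumes the default idmap_ldb allocation starts at 3000000 and that anything lower on a DC is an rfc2307 uidNumber or a local passwd account; the klist output and the EXAMPLE.TEST realm are constructed.

```shell
#!/bin/sh
# Added example, not from the samba list thread. Classifies the uid that
# MIT Kerberos embeds in a FILE:/tmp/krb5cc_<uid> cache name.
# Assumption: a default Samba AD DC allocates ids from 3000000 upward
# when 'idmap_ldb:use rfc2307' is off; lower ids on a DC come from an
# explicit uidNumber attribute or from a local /etc/passwd entry.

SAMBA_IDMAP_FLOOR=3000000   # assumed default idmap_ldb lower bound

# cache_uid "<klist output>" -> prints the numeric suffix of the cache
# path, or nothing if the cache is not a FILE:/tmp/krb5cc_<uid> cache.
cache_uid() {
    printf '%s\n' "$1" |
      sed -n 's/^Ticket cache: FILE:\/tmp\/krb5cc_\([0-9][0-9]*\).*/\1/p'
}

# classify_uid <uid> -> one token describing the likely origin of that id
classify_uid() {
    uid=$1
    if [ "$uid" -ge "$SAMBA_IDMAP_FLOOR" ]; then
        echo "idmap_ldb-allocated"
    elif [ "$uid" -eq 500 ]; then
        # 500 is also the RID of the domain Administrator account; as a
        # Unix id on a DC it can only come from uidNumber or local passwd.
        echo "rfc2307-or-local-collides-with-Administrator-RID"
    elif [ "$uid" -lt 1000 ]; then
        echo "system-or-local"
    else
        echo "rfc2307-or-local"
    fi
}

# diagnose "<klist output>" -> classification of the cache's uid
diagnose() {
    uid=$(cache_uid "$1")
    [ -n "$uid" ] || { echo "no-file-cache"; return 1; }
    classify_uid "$uid"
}

# Constructed klist output: the OP's case and a default-DC case.
SAMPLE_OP='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: administrator@EXAMPLE.TEST'
SAMPLE_DC='Ticket cache: FILE:/tmp/krb5cc_3000020
Default principal: rowland@EXAMPLE.TEST'

diagnose "$SAMPLE_OP"
diagnose "$SAMPLE_DC"
```

Run it against real output with `diagnose "$(klist)"`; a result other than idmap_ldb-allocated on a DC means the ticket was obtained under an id that came from rfc2307 or a local account.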