Possible to retrieve names of groups from PAC data?

Zheng, Kai kai.zheng at intel.com
Tue Jul 8 07:42:57 EDT 2014

Thank you Volker, great answer!


-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE] 
Sent: Tuesday, July 08, 2014 7:28 PM
To: Zheng, Kai
Cc: krbdev at mit.edu
Subject: Re: Possible to retrieve names of groups from PAC data?

On Tue, Jul 08, 2014 at 09:06:20AM +0000, Zheng, Kai wrote:
> Would anyone help confirm that it's possible or not to retrieve the names of groups by inspecting PAC data in service ticket regarding MS-PAC?
> I can only get SIDs. Sure I can query the names via LDAP protocol from 
> AD using the SID, but it involves extra effort. If we can't get the names, then how such SIDs are expected to be used in Windows or non-Windows environments? Thanks.

That might be a question equally well posted to samba-technical at samba.org :-)

You should not use LDAP, but the LsaLookupSids or DSCrackNames RPC calls an AD provides if you need names.
Samba's winbind provides simple APIs for this.

In the Windows world, SIDs are sufficient for providing access tokens for local resource access. In Unix world, the equivalent would be uid's or gid's. Translating SIDs to those is a world of its own, search the net for "idmapping".

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.sernet.de, mailto:kontakt at sernet.de

More information about the krbdev mailing list