Possible to retrieve names of groups from PAC data?

Volker Lendecke Volker.Lendecke at sernet.de
Tue Jul 8 07:27:55 EDT 2014

On Tue, Jul 08, 2014 at 09:06:20AM +0000, Zheng, Kai wrote:
> Would anyone help confirm that it's possible or not to retrieve the names of groups by inspecting PAC data in service ticket regarding MS-PAC?
> I can only get SIDs. Sure I can query the names via LDAP protocol from AD using the SID, but it involves extra effort. If we can't get the names,
> then how such SIDs are expected to be used in Windows or non-Windows environments? Thanks.

That might be a question equally well posted to
samba-technical at samba.org :-)

You should not use LDAP, but the LsaLookupSids or
DSCrackNames RPC calls an AD provides if you need names.
Samba's winbind provides simple APIs for this.

In the Windows world, SIDs are sufficient for providing
access tokens for local resource access. In Unix world, the
equivalent would be uid's or gid's. Translating SIDs to
those is a world of its own, search the net for "idmapping".

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

More information about the krbdev mailing list