Possible to retrieve names of groups from PAC data?

Volker Lendecke Volker.Lendecke at sernet.de
Tue Jul 8 07:27:55 EDT 2014


On Tue, Jul 08, 2014 at 09:06:20AM +0000, Zheng, Kai wrote:
> Would anyone help confirm whether it is possible to retrieve the names of groups by inspecting the PAC data in a service ticket, as defined by MS-PAC?
> I can only get SIDs. Sure, I can query the names via the LDAP protocol from AD using the SID, but it involves extra effort. If we can't get the names,
> then how are such SIDs expected to be used in Windows or non-Windows environments? Thanks.

That might be a question equally well posted to
samba-technical at samba.org :-)

You should not use LDAP, but the LsaLookupSids or
DSCrackNames RPC calls that an AD provides if you need names.
Samba's winbind provides simple APIs for this.

In the Windows world, SIDs are sufficient for providing
access tokens for local resource access. In the Unix world, the
equivalent would be uids or gids. Translating SIDs to
those is a world of its own; search the net for "idmapping".

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
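The workflow Volker describes, as an added example that is not part of this thread and not code from Samba or MIT krb5: decode the logon domain SID from its binary form, expand the KERB_VALIDATION_INFO group RIDs and ExtraSids into full SID strings, resolve those SIDs to names through a caller-supplied lookup (in production that slot is an LsaLookupSids RPC or winbind's wbcLookupSid / `wbinfo -s`; here it is a constructed table so the script runs offline), and map domain SIDs to Unix IDs with an arithmetic RID mapping modelled on Samba's idmap_rid backend. The domain SID, RIDs, group names and ID range below are all constructed sample values, not data from any real PAC.

```python
import struct
from typing import Callable, Dict, Iterable, List, Optional


def parse_binary_sid(data: bytes) -> str:
    """Decode a SID from its binary layout (Revision, SubAuthorityCount,
    6-byte big-endian IdentifierAuthority, little-endian SubAuthority[])
    into the textual S-R-I-S-S... form used by lookup APIs."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, sub_count = data[0], data[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(data) < 8 + 4 * sub_count:
        raise ValueError("truncated SID: %d sub-authorities claimed" % sub_count)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, data, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sids_from_logon_info(domain_sid: str, group_rids: Iterable[int],
                         extra_sids: Iterable[str]) -> List[str]:
    """Materialise the SIDs a PAC logon-info buffer implies: GroupIds only
    carry RIDs relative to LogonDomainId, while ExtraSids are full SIDs."""
    sids = ["%s-%d" % (domain_sid, rid) for rid in group_rids]
    sids.extend(extra_sids)
    return sids


def rid_of(sid: str) -> int:
    """Last sub-authority of a textual SID."""
    return int(sid.rsplit("-", 1)[1])


def idmap_rid(sid: str, domain_sid: str, low: int, high: int,
              base_rid: int = 0) -> Optional[int]:
    """Algorithmic SID -> Unix ID mapping in the style of Samba's idmap_rid:
    ID = RID - base_rid + low, only for SIDs of the configured domain whose
    result falls inside [low, high]. Anything else (well-known SIDs, foreign
    domains, out-of-range RIDs) is reported as unmappable with None."""
    if not sid.startswith(domain_sid + "-"):
        return None
    unix_id = rid_of(sid) - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def resolve_names(sids: Iterable[str],
                  lookup: Callable[[str], Optional[str]]) -> Dict[str, Optional[str]]:
    """Resolve SIDs to names via the supplied lookup. In a real deployment
    `lookup` wraps LsaLookupSids over RPC or winbind (wbcLookupSid);
    unknown SIDs come back as None rather than raising."""
    return {sid: lookup(sid) for sid in sids}


# --- constructed sample data (hypothetical domain, not from a real PAC) ---
DOMAIN_SID_BIN = (bytes([1, 4]) + (5).to_bytes(6, "big")
                  + struct.pack("<4I", 21, 1111, 2222, 3333))
GROUP_RIDS = [513, 1105]          # Domain Users, plus a constructed custom group
EXTRA_SIDS = ["S-1-18-1"]         # a well-known SID as it would appear in ExtraSids

# Constructed stand-in for an LsaLookupSids / winbind response.
NAME_TABLE = {
    "S-1-5-21-1111-2222-3333-513": "EXAMPLE\\Domain Users",
    "S-1-5-21-1111-2222-3333-1105": "EXAMPLE\\kdc-admins",
    "S-1-18-1": "Authentication authority asserted identity",
}


def pac_group_report(domain_sid_bin: bytes = DOMAIN_SID_BIN,
                     group_rids: Iterable[int] = GROUP_RIDS,
                     extra_sids: Iterable[str] = EXTRA_SIDS,
                     id_low: int = 10000, id_high: int = 19999) -> List[dict]:
    """Tie the steps together: for every SID the PAC implies, report its
    resolved name (or None) and its Unix gid under the idmap_rid scheme."""
    domain_sid = parse_binary_sid(domain_sid_bin)
    sids = sids_from_logon_info(domain_sid, group_rids, extra_sids)
    names = resolve_names(sids, NAME_TABLE.get)
    return [{"sid": s, "name": names[s],
             "gid": idmap_rid(s, domain_sid, id_low, id_high)} for s in sids]


if __name__ == "__main__":
    for row in pac_group_report():
        print("%-32s name=%-45s gid=%s" % (row["sid"], row["name"], row["gid"]))
```

The well-known SID S-1-18-1 deliberately stays unmapped (gid None): an idmap backend only covers its own domain range, and a service that needs such SIDs to mean something on Unix has to decide that policy itself.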

