Possible to retrieve names of groups from PAC data?

Nico Williams nico at cryptonector.com
Tue Jul 8 14:39:27 EDT 2014


On Tue, Jul 8, 2014 at 1:19 PM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Tue, Jul 08, 2014 at 11:08:27AM -0500, Nico Williams wrote:
>> It's also possible to use LDAP for SID->name lookups.  In any case,
>> no, the Kerberos stack doesn't provide any SID->name lookups today.
>
> That's true, but LSA and CrackNames make it a lot easier in
> trusted domain scenarios. The DC you're joined to will also
> resolve names from trusted domain's SIDs, which might be
> impossible to you due to firewall or other access
> restrictions.

The DC will also have better caching.  LSARPC is best for performance,
but I have successfully used LDAP for this (and in an async manner
too).  I did it because at the time I didn't have an LSARPC client,
but did have an LDAP library :)  Fun times.

Nico
--
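The thread above turns on two pieces that the Kerberos stack itself does not give you: turning the domain SID plus group RIDs in a PAC into full SIDs, and then resolving those SIDs to names through LDAP (objectSid in Active Directory is a binary attribute, so the filter must carry the escaped binary form). The following is an added example, not code from the thread or from any of the participants; the in-memory DIRECTORY dictionary is a constructed stand-in for an LDAP search against a DC, and the SidResolver cache is there to illustrate the caching point raised in the reply.

```python
"""Resolve group SIDs taken from a Kerberos PAC to names via objectSid lookups.
Added example for the krbdev thread; DIRECTORY is a constructed stand-in
for an AD LDAP server, not a real directory."""
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-...' into the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as a 32-bit little-endian int."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:  # hard limit in the SID structure
        raise ValueError("too many sub-authorities")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; checks the count byte against the buffer length
    so a truncated or padded objectSid value is rejected rather than misread."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def ldap_filter_for_sid(sid: str) -> str:
    """Build an RFC 4515 filter on the binary objectSid. Every byte is escaped
    as \\xx, so the value is safe no matter what bytes the SID contains."""
    escaped = "".join(f"\\{b:02x}" for b in sid_to_bytes(sid))
    return f"(objectSid={escaped})"


def pac_group_sids(domain_sid: str, group_rids, extra_sids=()):
    """KERB_VALIDATION_INFO in the PAC carries the logon domain SID and a list
    of group RIDs; a full group SID is domain SID + '-' + RID. ExtraSids
    (e.g. BUILTIN or trusted-domain groups) are already complete SIDs."""
    return [f"{domain_sid}-{rid}" for rid in group_rids] + list(extra_sids)


class SidResolver:
    """Resolves SIDs against a directory keyed by objectSid bytes, caching
    results so repeated PAC evaluations do not re-query the DC."""

    def __init__(self, directory):
        self._directory = directory  # stand-in for an LDAP search by objectSid
        self._cache = {}
        self.lookups = 0  # number of (simulated) directory queries issued

    def resolve(self, sid: str):
        if sid in self._cache:
            return self._cache[sid]
        self.lookups += 1
        entry = self._directory.get(sid_to_bytes(sid))
        name = None if entry is None else f"{entry['domain']}\\{entry['sAMAccountName']}"
        self._cache[sid] = name  # cache misses too, so unknown SIDs are not re-queried
        return name


# Constructed sample data: a made-up domain SID and three directory entries.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
DIRECTORY = {
    sid_to_bytes(f"{DOMAIN_SID}-512"): {"sAMAccountName": "Domain Admins", "domain": "EXAMPLE"},
    sid_to_bytes(f"{DOMAIN_SID}-513"): {"sAMAccountName": "Domain Users", "domain": "EXAMPLE"},
    sid_to_bytes("S-1-5-32-544"): {"sAMAccountName": "Administrators", "domain": "BUILTIN"},
}


def resolve_pac_groups(domain_sid, rids, extra_sids=(), resolver=None):
    """Map every group SID derived from the PAC to a name (None if unknown)."""
    resolver = resolver or SidResolver(DIRECTORY)
    return {sid: resolver.resolve(sid) for sid in pac_group_sids(domain_sid, rids, extra_sids)}


if __name__ == "__main__":
    for sid, name in resolve_pac_groups(DOMAIN_SID, [513, 512], ["S-1-5-32-544"]).items():
        print(f"{sid}  ->  {name}   filter={ldap_filter_for_sid(sid)}")
```

Against a real DC you would replace the dictionary lookup with an LDAP search using `ldap_filter_for_sid` and decode the returned objectSid with `bytes_to_sid`; SIDs from a trusted domain will resolve only if the server you query can itself reach that domain, which is the point Volker makes about firewalled setups.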