Possible to retrieve names of groups from PAC data?

Nico Williams nico at cryptonector.com
Tue Jul 8 14:39:27 EDT 2014

On Tue, Jul 8, 2014 at 1:19 PM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Tue, Jul 08, 2014 at 11:08:27AM -0500, Nico Williams wrote:
>> It's also possible to use LDAP for SID->name lookups.  In any case,
>> no, the Kerberos stack doesn't provide any SID->name lookups today.
> That's true, but LSA and CrackNames make it a lot easier in
> trusted domain scenarios. The DC you're joined to will also
> resolve names from trusted domain's SIDs, which might be
> impossible to you due to firewall or other access
> restrictions.

The DC will also have better caching.  LSARPC is best for performance,
but I have successfully used LDAP for this (and in an async manner
too).  I did it because at the time I didn't have an LSARPC client,
but did have an LDAP library :)  Fun times.


More information about the krbdev mailing list