Possible to retrieve names of groups from PAC data?

Volker Lendecke Volker.Lendecke at sernet.de
Tue Jul 8 15:04:24 EDT 2014

On Tue, Jul 08, 2014 at 01:39:27PM -0500, Nico Williams wrote:
> On Tue, Jul 8, 2014 at 1:19 PM, Volker Lendecke
> <Volker.Lendecke at sernet.de> wrote:
> > On Tue, Jul 08, 2014 at 11:08:27AM -0500, Nico Williams wrote:
> >> It's also possible to use LDAP for SID->name lookups.  In any case,
> >> no, the Kerberos stack doesn't provide any SID->name lookups today.
> >
> > That's true, but LSA and CrackNames make it a lot easier in
> > trusted domain scenarios. The DC you're joined to will also
> > resolve names from trusted domain's SIDs, which might be
> > impossible to you due to firewall or other access
> > restrictions.
> The DC will also have better caching.  LSARPC is best for performance,
> but I have successfully used LDAP for this (and in an async manner
> too).  I did it because at the time I didn't have an LSARPC client,
> but did have an LDAP library :)  Fun times.

We've got a proper async LSARPC client in Samba these days :-)


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

More information about the krbdev mailing list