Possible to retrieve names of groups from PAC data?


Possible to retrieve names of groups from PAC data?

drankye
Hi,

Would anyone help confirm whether or not it's possible to retrieve the names of groups by inspecting the PAC data in a service ticket, regarding MS-PAC?
I can only get SIDs. Sure, I can query the names via the LDAP protocol from AD using the SID, but it involves extra effort. If we can't get the names,
then how are such SIDs expected to be used in Windows or non-Windows environments? Thanks.

Regards,
Kai
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Possible to retrieve names of groups from PAC data?

Volker Lendecke
On Tue, Jul 08, 2014 at 09:06:20AM +0000, Zheng, Kai wrote:
> Would anyone help confirm whether or not it's possible to retrieve the names of groups by inspecting the PAC data in a service ticket, regarding MS-PAC?
> I can only get SIDs. Sure, I can query the names via the LDAP protocol from AD using the SID, but it involves extra effort. If we can't get the names,
> then how are such SIDs expected to be used in Windows or non-Windows environments? Thanks.

That might be a question equally well posted to
[hidden email] :-)

You should not use LDAP, but the LsaLookupSids or
DSCrackNames RPC calls that an AD provides if you need names.
Samba's winbind provides simple APIs for this.

In the Windows world, SIDs are sufficient for providing
access tokens for local resource access. In the Unix world, the
equivalent would be uids or gids. Translating SIDs to
those is a world of its own; search the net for "idmapping".

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

RE: Possible to retrieve names of groups from PAC data?

drankye
Thank you Volker, great answer!

Regards,
Kai


Re: Possible to retrieve names of groups from PAC data?

Nico Williams
In reply to this post by Volker Lendecke
It's also possible to use LDAP for SID->name lookups.  In any case,
no, the Kerberos stack doesn't provide any SID->name lookups today.

Nico

Re: Possible to retrieve names of groups from PAC data?

Volker Lendecke
On Tue, Jul 08, 2014 at 11:08:27AM -0500, Nico Williams wrote:
> It's also possible to use LDAP for SID->name lookups.  In any case,
> no, the Kerberos stack doesn't provide any SID->name lookups today.

That's true, but LSA and CrackNames make it a lot easier in
trusted domain scenarios. The DC you're joined to will also
resolve names from trusted domains' SIDs, which might be
impossible for you due to firewall or other access
restrictions.

Volker


Re: Possible to retrieve names of groups from PAC data?

Nico Williams
On Tue, Jul 8, 2014 at 1:19 PM, Volker Lendecke
<[hidden email]> wrote:
> On Tue, Jul 08, 2014 at 11:08:27AM -0500, Nico Williams wrote:
>> It's also possible to use LDAP for SID->name lookups.  In any case,
>> no, the Kerberos stack doesn't provide any SID->name lookups today.
>
> That's true, but LSA and CrackNames make it a lot easier in
> trusted domain scenarios. The DC you're joined to will also
> resolve names from trusted domain's SIDs, which might be
> impossible to you due to firewall or other access
> restrictions.

The DC will also have better caching.  LSARPC is best for performance,
but I have successfully used LDAP for this (and in an async manner
too).  I did it because at the time I didn't have an LSARPC client,
but did have an LDAP library :)  Fun times.

Nico
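The LDAP route Nico describes, shown as an added example that is not code from the thread or from Samba/MIT Kerberos: the PAC's KERB_VALIDATION_INFO carries group RIDs relative to LogonDomainId plus full ExtraSids, so the full SIDs are built first, converted to the binary form AD stores in objectSid, and then matched with an RFC 4515 filter. The domain SID, RIDs and the directory contents below are constructed stand-ins; the lookup against a real DC (or the LSA/CrackNames path Volker recommends) is assumed, not implemented.

```python
"""Build full group SIDs from decoded PAC fields and resolve them by objectSid."""
import struct


def sid_to_bytes(sid: str) -> bytes:
    """Convert 'S-1-5-21-...' to the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities in %r" % sid)
    # revision, sub-authority count, 48-bit big-endian identifier authority,
    # then each 32-bit sub-authority little-endian
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes, for objectSid values read back from AD."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def pac_group_sids(logon_domain_id, group_rids, extra_sids):
    """PAC GroupIds are RIDs relative to LogonDomainId; ExtraSids are full SIDs."""
    return ["%s-%d" % (logon_domain_id, rid) for rid in group_rids] + list(extra_sids)


def objectsid_filter(sid: str) -> str:
    """RFC 4515 equality filter on the binary objectSid, one \\xx escape per byte."""
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"


# Constructed stand-in for the directory: objectSid bytes -> sAMAccountName.
FAKE_DIRECTORY = {
    sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-512"): "Domain Admins",
    sid_to_bytes("S-1-5-21-1004336348-1177238915-682003330-513"): "Domain Users",
}


def resolve_sids(sids, directory=FAKE_DIRECTORY):
    """Map each SID to a name; None when nothing matches (e.g. a well-known or trusted-domain SID)."""
    return {sid: directory.get(sid_to_bytes(sid)) for sid in sids}


if __name__ == "__main__":
    groups = pac_group_sids("S-1-5-21-1004336348-1177238915-682003330", [513, 512], ["S-1-18-1"])
    print(resolve_sids(groups))
```

Unresolved entries (None) are the case Volker raises: SIDs from a trusted domain that the local directory cannot answer for, which is where LsaLookupSids against the joined DC does the work for you.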

Re: Possible to retrieve names of groups from PAC data?

Volker Lendecke
On Tue, Jul 08, 2014 at 01:39:27PM -0500, Nico Williams wrote:

> On Tue, Jul 8, 2014 at 1:19 PM, Volker Lendecke
> <[hidden email]> wrote:
> > On Tue, Jul 08, 2014 at 11:08:27AM -0500, Nico Williams wrote:
> >> It's also possible to use LDAP for SID->name lookups.  In any case,
> >> no, the Kerberos stack doesn't provide any SID->name lookups today.
> >
> > That's true, but LSA and CrackNames make it a lot easier in
> > trusted domain scenarios. The DC you're joined to will also
> > resolve names from trusted domain's SIDs, which might be
> > impossible to you due to firewall or other access
> > restrictions.
>
> The DC will also have better caching.  LSARPC is best for performance,
> but I have successfully used LDAP for this (and in an async manner
> too).  I did it because at the time I didn't have an LSARPC client,
> but did have an LDAP library :)  Fun times.

We've got a proper async LSARPC client in Samba these days :-)

Volker
