
So I have the SID of an FSP: S-1-5-21-2127521184-1604012920-1887927527-72713.

Translation worked in PowerShell, but I would like to do the LDAP query myself, like here, and I have a little trouble with the proper SID conversion.

Could you help me with a query that gives me the corresponding account name based on the SID?

user3529850

2 Answers


You can bind directly to an object by its SID using LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>. Then read the username from that object.

In PowerShell, it would look something like:

# Bind straight to the object by SID; no search filter is needed
$account = [adsi]"LDAP://<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
# .Value unwraps the single-valued PropertyValueCollection to a plain string
$username = $account.Properties["sAMAccountName"].Value

If the computer you run this from is on a different domain than the account, you may have to specify the domain:

$account = [adsi]"LDAP://domain.com/<SID=S-1-5-21-2127521184-1604012920-1887927527-72713>"
Gabriel Luci
  • Actually I am doing that in `java` using `LdapTemplate`, but I got the idea. Thanks. – user3529850 Apr 30 '18 at 13:39
  • One last question. If I wanted to do that via a regular LDAP query, let's say I have a `SID` value in hex format (of a user from a different domain). So when I query the GC like this `(&(objectCategory=user)(objectSID=/01/05/...))`, should I get the user (at least the `sAMAccountName` attribute), even if he/she is from a different domain? – user3529850 Apr 30 '18 at 21:43
  • Only if the different domain is in the same AD forest as the domain of the server you are querying. But that is probably not the case if you're getting the SID from a foreign security principal. – Gabriel Luci May 01 '18 at 01:18
  • "(...)But that is probably not the case (...)". Is it possible to get the `sAMA...` attribute in my situation/scenario (using a query), or only via the binding you mentioned? Because the PowerShell script I provided in my question worked, so why did it work? What query is called behind the scenes that made it work? (Just ignore my question if you're done; I appreciate your help already.) – user3529850 May 01 '18 at 11:17
  • That uses [`SecurityIdentifier.Translate()`](https://learn.microsoft.com/en-ca/dotnet/api/system.security.principal.securityidentifier.translate?view=netframework-4.7.1#System_Security_Principal_SecurityIdentifier_Translate_System_Type_). I'm not sure how that works in the background. But I do know that if you are going to use a query to find any account, you need to be connecting to the correct domain or forest. So you need to know the domain it's on. – Gabriel Luci May 01 '18 at 12:09
  • To know the domain, it has to be trusted by the domain your computer is on. A while ago, I showed in another question how to find trusted domains and match the SID to the domain. Then you can bind directly using the SID and the domain name: https://stackoverflow.com/a/48829137/1202807 – Gabriel Luci May 01 '18 at 12:13
  • Basically, to get a list of all domains that your domain trusts, you pull all the objects with `objectClass` of "trustedDomain" from the System OU on your domain. That will have the SID of the domain. Every account will start with the SID of the domain, so you can tell which domain the account is on by the SID. – Gabriel Luci May 01 '18 at 12:18
  • I do know the domain. I've been told that users are created in domain `A` and groups in domain `B.A`, and groups are made of users only from domain `A`. So currently I can be sure that it's always the same domain `A` and it will not change. – user3529850 May 01 '18 at 12:32
  • @user3529850 how does this solve your original question, which avoids PS? – Mike Mar 21 '19 at 23:20
  • @Mike It's the same format for the LDAP path regardless of whether you use PowerShell or anything else that lets you communicate via LDAP. – Gabriel Luci Mar 22 '19 at 03:20
  • @GabrielLuci thank you, I must admit I'm not a PS guru and I was thinking the `[adsi]` might behave a little differently than `ldapsearch`. I've had the unfortunate task of attempting to obtain the "Readable Name" via ldapsearch for FSPs (as provided by the *Active Directory Users and Computers* interface), but that attribute did not seem to be available. As I understand it, you are suggesting to point to the original domain that the FSP is hosted on and query the SID there? – Mike Mar 22 '19 at 13:09
  • @Mike Yes, exactly. The FSP doesn't have any of the account information other than the SID, so you have to go to the actual domain the account is on for any other information. – Gabriel Luci Mar 22 '19 at 13:10
  • @Mike it was quite long time ago, but what would you like to do ? translate `SID` into user account ? 'cause in my case, I got access to domain where users/groups are stored and first I get users from a certain group using `AbstractContextMapper/LdapUtils::newLdapName` and then for each `SID` I do a search in the domain using `LdapTemplate.search()` with query `(...) where(objectSID).is(sidNumber)` mapping with own `org.springframework.ldap.core.AttributesMapper`. No count query as "LDAP protocol does not provide support for counting" – user3529850 Mar 25 '19 at 12:36
  • @user3529850 I am just reading :) This is a nice question. I noticed that the Active Directory program displays a readable name for FSPs. Looking at the attributes of those objects using *ldapsearch*, I couldn't find the ReadableName, so I came here and was curious if someone knew more about what the ActiveDirectory program was doing under the hood. To me, this seems to be a limitation of the *ldapsearch*. The first part of the SID should be the domain the FSP is hosted on, so I know I could obtain the sAMAccountName that way, but was interested if there was an easier method. – Mike Mar 25 '19 at 15:52

If you have Java available you can query the objectSID directly.

We show an example with code.

I am able to use an ldapsearch like:

ldapsearch -h example.net -D "EXAMPLE\myID" -W -b "OU=Accounts,DC=EXAMPLE,DC=NET" -s sub -a search -z 1000 "(ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)" objectClass sAMAccountName

And get results.

# extended LDIF
# LDAPv3
# base <OU=Accounts,DC=EXAMPLE,DC=NET> with scope subtree
# filter: (ObjectSID=S-1-5-21-333675845-1535931152-1111140340-22234762)
# requesting: objectClass samAccountName
#
# userid, sales, Accounts, EXAMPLE.NET
dn: CN=userid,OU=sales,OU=Accounts,DC=EXAMPLE,DC=NET
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: userid
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

This search is done from a Linux machine, by a user that is not the one represented by the ObjectSID.

jwilleke
  • Actually I'm using `java`, `spring` to be more specific. I see `decodeSID` in the URL you provided, but what about the conversion from the plain format `S-z-y-x-a-b-...` to the encoded one? – user3529850 Apr 30 '18 at 13:57
  • This would return attributes for FSPs, but not the Readable Name, as originally asked. – Mike Mar 21 '19 at 23:20
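The two loose ends in the thread are the SID conversion itself (the question, and the comment asking how to go from `S-z-y-x-a-b-...` to the encoded form used in `(objectSID=\01\05...)`) and the comments about matching an account SID to a `trustedDomain` object so you know which domain to bind to. The following is an added example, written for this page and not taken from either answer or the Spring/PowerShell code the posters used. It packs and unpacks the binary objectSid layout, builds the hex-escaped filter, and strips the RID to find the domain SID. Active Directory's own LDAP server also accepts the plain `S-1-5-...` string as the filter value, which is why the ldapsearch above works; the escaped form is the one to use when your client hands the raw bytes to a generic LDAP library. The `SAMPLE_TRUSTS` table is constructed sample data, not real domain SIDs or names.

```python
"""SID <-> binary conversion for Active Directory LDAP filters.

Binary SID layout (MS-DTYP 2.4.2.2):
  byte 0      revision (always 1)
  byte 1      number of sub-authorities (at most 15)
  bytes 2-7   identifier authority, 48-bit big-endian
  then        one 32-bit little-endian word per sub-authority
"""
import re
import struct
from typing import Dict, Optional

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-1-5-21-...-RID' into the binary form stored in objectSid."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1 or authority >= 1 << 48 or not 1 <= len(subs) <= 15:
        raise ValueError(f"malformed SID: {sid!r}")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    packed = struct.pack("<BB", revision, len(subs))
    packed += authority.to_bytes(6, "big")
    packed += struct.pack(f"<{len(subs)}I", *subs)
    return packed


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes; rejects truncated or oversized buffers."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes, got {len(data)}")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-" + "-".join(str(n) for n in (revision, authority, *subs))


def ldap_escape_bytes(data: bytes) -> str:
    """RFC 4515 filter encoding: every byte as \\XX, so nothing is parsed as filter syntax."""
    return "".join(f"\\{b:02x}" for b in data)


def objectsid_filter(sid: str, object_category: str = "user") -> str:
    """The '(&(objectCategory=user)(objectSID=\\01\\05...))' filter from the comments."""
    escaped = ldap_escape_bytes(sid_to_bytes(sid))
    return f"(&(objectCategory={object_category})(objectSid={escaped}))"


def domain_sid(sid: str) -> str:
    """An account SID minus its RID (the last sub-authority) is the domain SID."""
    return sid.rsplit("-", 1)[0]


def domain_for_sid(sid: str, trusted_domains: Dict[str, str]) -> Optional[str]:
    """Match an account SID to a trusted domain by domain-SID prefix.

    trusted_domains maps the securityIdentifier of each trustedDomain object
    (as a SID string) to its DNS name. Returns None for an unknown domain.
    """
    return trusted_domains.get(domain_sid(sid))


# Constructed sample data (hypothetical domains): what you would build from the
# trustedDomain objects under CN=System,DC=... of your own domain.
SAMPLE_TRUSTS = {
    "S-1-5-21-2127521184-1604012920-1887927527": "a.example",
    "S-1-5-21-111111111-222222222-333333333": "b.a.example",
}

QUESTION_SID = "S-1-5-21-2127521184-1604012920-1887927527-72713"

if __name__ == "__main__":
    raw = sid_to_bytes(QUESTION_SID)
    print("binary objectSid:", raw.hex())
    print("round trip      :", bytes_to_sid(raw))
    print("filter          :", objectsid_filter(QUESTION_SID))
    home = domain_for_sid(QUESTION_SID, SAMPLE_TRUSTS)
    print("home domain     :", home)
    # With the domain known, the bind path from the accepted answer can be built:
    print("bind path       :", f"LDAP://{home}/<SID={QUESTION_SID}>")
```

Feed `objectsid_filter(...)` to whatever LDAP client you use against a DC of the domain `domain_for_sid` returned; querying your own domain's GC for a SID from a domain outside the forest returns nothing, exactly as the comments warn. The FSP object itself carries only the SID, so the `sAMAccountName` has to come from the account's home domain.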