Ping a Specific Port

Question

Appleoddity

Asked: 2024-03-13 23:27:45 +0800 CST2024-03-13 23:27:45 +0800 CST 2024-03-13 23:27:45 +0800 CST

Why doesn't purging kerberos tickets work on a domain controller?

772

To get a computer to update its group memberships without rebooting the computer, you can purge kerberos tickets with the command klist -li 0x3e7 purge. A subsequent gpupdate or gpresult will reflect the new group memberships.

However, this does not seem to work on a domain controller. Why?

The tickets are purged successfully, but a subsequent gpresult /r does not reflect the changes.

1 Answers

Voted

u1686_grawity · Answer 1 · 2024-03-20T20:01:41+08:00

Best Answer

u1686_grawity

2024-03-20T20:01:41+08:002024-03-20T20:01:41+08:00

A domain controller would fetch GPO directly from itself, over loopback SMB, and loopback SMB doesn't use Kerberos – it generally uses NTLM.

NTLM in msv_sspi has special handling for loopback connections; it appears that instead of doing challenge/response and then querying the directory for user details, the server process directly peeks at the security token of the client process. So the effective groups can only be updated by restarting the relevant process, which most likely means a reboot.

1

Why doesn't purging kerberos tickets work on a domain controller?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?