Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Chris Gooch <cgooch@bamfunds.com>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
"pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>
Date: 2025-05-30T16:59:58Z
Lists: pgsql-bugs
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Allow larger packets during GSSAPI authentication exchange.
- d98cefe1143e 18.0 landed
- ca70ee6ede1b 16.10 landed
- c81cdffa1f05 13.22 landed
- a7da7914c355 14.19 landed
- 8b0aa7a6b723 17.6 landed
- 39b1d190714a 15.14 landed
Chris Gooch <cgooch@bamfunds.com> writes: > In that scenario the client did not get any GSSAPI specific errors and drops to prompt for password. The server however had this in the logs "oversize GSSAPI packet sent by the client (20131 > 16384)" Yeah, that's expected. By default, a GSSAPI-enabled libpq will try to open a GSSAPI connection first, but silently fall back to not-GSSAPI if the server rejects it --- there's not any close inquiry into why the server rejected it. Jacob Champion <jacob.champion@enterprisedb.com> writes: > Okay, on closer review this LGTM. Pushed, thanks for reviewing. > I was trying to get src/test/kerberos to shove a bunch of > authorization data into its tickets, but I haven't figured out how > to get krb5kdc to do that yet, so Chris's tests are the best we have > at the moment. Eventually I'll get around to reading the ASN.1 so > that pg-pytest can test this case, but that's not a job for today. Sounds reasonable. I think Chris' testing is good enough for now. The one thing I was slightly concerned about was whether any data could remain in the buffers at the instant we downsize them, but that seems improbable (and it wouldn't depend on the ticket size anyway, I should think). regards, tom lane