Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Chris Gooch <cgooch@bamfunds.com>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>,
"pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>
Date: 2025-05-24T19:37:05Z
Lists: pgsql-bugs
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Allow larger packets during GSSAPI authentication exchange.
- d98cefe1143e 18.0 landed
- ca70ee6ede1b 16.10 landed
- c81cdffa1f05 13.22 landed
- a7da7914c355 14.19 landed
- 8b0aa7a6b723 17.6 landed
- 39b1d190714a 15.14 landed
I wrote: > I believe we've agreed that it'd be sufficient if we allow the > packets exchanged during the auth phase to be up to 64K or so, > but once we reach the point where we're able to split the > data on arbitrary boundaries, keep the packet size at 16K > for cross-version compatibility. OK, here's a set of draft patches for that. (The HEAD one works on v16 and v17 too, the v15 one works on v14 too. They are all basically the same, but we kept revising libpq's internal convention for error reports ...) I am not in a great position to test these with a setup that actually needs larger auth messages; I wonder if Chris can test? Some notes: * Is 128kB unreasonably large? I think we may want some daylight above 64kB, but I'm not sure how much. * I concluded that the error report that's being given for the case is just flat-out bogus. The GSSAPI library has not given us an error report so asking it for info is useless, which leads to the very unhelpful error message Chris showed. We should just report "client tried to send oversize GSSAPI packet" as we do elsewhere. * It seems pretty silly to have separate symbols for PQ_GSS_SEND_BUFFER_SIZE and PQ_GSS_RECV_BUFFER_SIZE when we're requiring those to be the same, so I merged them into one symbol PQ_GSS_MAX_PACKET_SIZE. * The backend's secure_open_gssapi allowed received initialization packets to be up to buffer-size long, whereas libpq will choke sending them if they're more than buffer-size minus sizeof(uint32). This isn't actually a bug, since the buffer management is handled in such a way that it's safe, but it seems very inconsistent. I changed the limit to subtract off sizeof(uint32) in all cases, which incidentally allowed removing one variant of the translatable message string. regards, tom lane