Re: GSS Auth issue when user member of lots of AD groups

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Chris Gooch <cgooch@bamfunds.com>, pgsql-bugs@lists.postgresql.org
Date: 2025-05-22T17:11:53Z
Lists: pgsql-bugs

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Allow larger packets during GSSAPI authentication exchange.

On Thu, May 22, 2025 at 9:57 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I'm wondering though if this isn't just pushing the problem out a
> little further.  Is there a good reason to think 64K is enough?

Microsoft docs [1] seem to imply that there are still a bunch of
existing problems if you try to go much higher, though it is possible
to do so with registry tweaks. Looks like they default to 48k.

Maybe we should consider making the max incoming ticket size
configurable, so users that really need a bigger one can deal with the
DoS risk without it affecting everyone else. (A limit on outgoing
tickets probably doesn't make too much sense; I imagine you're going
to use the ticket that GSSAPI hands you, no matter how big it is,
because it's not as if you have a choice.)

--Jacob

[1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups#known-issues-that-affect-maxtokensize