Re: GSS Auth issue when user member of lots of AD groups
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Chris Gooch <cgooch@bamfunds.com>, pgsql-bugs@lists.postgresql.org
Date: 2025-05-22T17:11:53Z
Lists: pgsql-bugs
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Allow larger packets during GSSAPI authentication exchange.
- d98cefe1143e 18.0 landed
- ca70ee6ede1b 16.10 landed
- c81cdffa1f05 13.22 landed
- a7da7914c355 14.19 landed
- 8b0aa7a6b723 17.6 landed
- 39b1d190714a 15.14 landed
On Thu, May 22, 2025 at 9:57 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > I'm wondering though if this isn't just pushing the problem out a > little further. Is there a good reason to think 64K is enough? Microsoft docs [1] seem to imply that there are still a bunch of existing problems if you try to go much higher, though it is possible to do so with registry tweaks. Looks like they default to 48k. Maybe we should consider making the max incoming ticket size configurable, so users that really need a bigger one can deal with the DoS risk without it affecting everyone else. (A limit on outgoing tickets probably doesn't make too much sense; I imagine you're going to use the ticket that GSSAPI hands you, no matter how big it is, because it's not as if you have a choice.) --Jacob [1] https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups#known-issues-that-affect-maxtokensize