Re: GSS Auth issue when user member of lots of AD groups

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Chris Gooch <cgooch(at)bamfunds(dot)com>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: GSS Auth issue when user member of lots of AD groups
Date: 2025-05-22 15:46:46
Message-ID: 1529314.1747928806@sss.pgh.pa.us
Lists: pgsql-bugs pgsql-committers

[ pgsql-committers is completely inappropriate, redirecting to -bugs ]

Chris Gooch <cgooch(at)bamfunds(dot)com> writes:
> GSS authentication is working for users with a small number of AD
> groups but getting the below error when a user has a larger number of
> groups. I believe it might be token size related, but they don't
> have issues when authenticating with Kerberos/GSS to other
> applications, only with Postgres.

> failed: GSSAPI context establishment error: The routine must be called again to complete its function: Unknown error

Hmm. That must be coming from this bit in libpq:

        /* Must have output.length > 0 */
        if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
        {
            pg_GSS_error(libpq_gettext("GSSAPI context establishment error"),
                         conn, major, minor);
            gss_release_buffer(&minor, &output);
            return PGRES_POLLING_FAILED;
        }

which makes it look like gss_init_sec_context wants us to send a
packet larger than PQ_GSS_SEND_BUFFER_SIZE, which perhaps is a
plausible thing to happen if the user belongs to enough groups.

Unfortunately, elsewhere in the same file:

* NOTE: The client and server have to agree on the max packet size,
* because we have to pass an entire packet to GSSAPI at a time and we
* don't want the other side to send arbitrarily huge packets as we
* would have to allocate memory for them to then pass them to GSSAPI.
*
* Therefore, these two #define's are effectively part of the protocol
* spec and can't ever be changed.
*/
#define PQ_GSS_SEND_BUFFER_SIZE 16384
#define PQ_GSS_RECV_BUFFER_SIZE 16384

Not sure where to go from here. Unfortunately the person who
was mostly responsible for this code has left the project...

regards, tom lane
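The limit discussed in the message above, shown as an added example (this is not libpq code and not part of the original thread). It reproduces the 4-byte length prefix framing of the GSS packets with the same two constants, so you can see the exact point at which a token stops fitting (16384 - 4 = 16380 bytes) and why the receiving side has to enforce the same bound before it copies or allocates anything. The function names and the sample tokens are assumptions made for the example; the token sizes are constructed, not measured from a real Kerberos exchange.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Same values as libpq's fe-secure-gssapi.c. As the comment quoted above
 * says, they are effectively part of the protocol and cannot change.
 */
#define PQ_GSS_SEND_BUFFER_SIZE 16384
#define PQ_GSS_RECV_BUFFER_SIZE 16384

/* Largest GSS token that fits in one packet after the 4-byte length prefix. */
#define PQ_GSS_MAX_TOKEN (PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32_t))

/* Bytes by which a token exceeds the limit; 0 means it fits. */
size_t gss_token_overflow(size_t token_len)
{
    return token_len > PQ_GSS_MAX_TOKEN ? token_len - PQ_GSS_MAX_TOKEN : 0;
}

/*
 * Sender side (hypothetical helper): frame one token as a 4-byte big-endian
 * length followed by the token bytes. Returns the packet length, or -1 when
 * the token cannot be sent in one packet, which is the branch libpq reports
 * as "GSSAPI context establishment error".
 */
long frame_gss_token(const unsigned char *token, size_t token_len,
                     unsigned char *pkt, size_t pkt_cap)
{
    uint32_t n;

    if (token_len == 0 || token_len > PQ_GSS_MAX_TOKEN)
        return -1;
    if (pkt_cap < token_len + sizeof(uint32_t))
        return -1;

    n = (uint32_t) token_len;
    pkt[0] = (unsigned char) (n >> 24);
    pkt[1] = (unsigned char) (n >> 16);
    pkt[2] = (unsigned char) (n >> 8);
    pkt[3] = (unsigned char) n;
    memcpy(pkt + sizeof(uint32_t), token, token_len);
    return (long) (token_len + sizeof(uint32_t));
}

/*
 * Receiver side (hypothetical helper): validate the length prefix against the
 * fixed receive buffer before copying anything. This is why both ends must
 * agree on the limit: a peer must not be able to make us allocate or copy an
 * arbitrary amount by sending a large length field. Returns the token length,
 * or -1 on a malformed or oversized packet.
 */
long unframe_gss_token(const unsigned char *pkt, size_t pkt_len,
                       unsigned char *token, size_t token_cap)
{
    uint32_t n;

    if (pkt_len < sizeof(uint32_t))
        return -1;
    n = ((uint32_t) pkt[0] << 24) | ((uint32_t) pkt[1] << 16) |
        ((uint32_t) pkt[2] << 8) | (uint32_t) pkt[3];
    if (n == 0 || n > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32_t))
        return -1;
    if (pkt_len < n + sizeof(uint32_t) || token_cap < n)
        return -1;
    memcpy(token, pkt + sizeof(uint32_t), n);
    return (long) n;
}

int main(void)
{
    /* Constructed sample tokens, not real Kerberos output. A real AP-REQ from
       AD carries the PAC, which grows with the number of group SIDs. */
    static unsigned char small[2048], large[20000];
    static unsigned char pkt[PQ_GSS_SEND_BUFFER_SIZE];
    static unsigned char back[PQ_GSS_RECV_BUFFER_SIZE];
    long n;

    memset(small, 0xAB, sizeof small);
    memset(large, 0xCD, sizeof large);

    n = frame_gss_token(small, sizeof small, pkt, sizeof pkt);
    printf("small token: packet of %ld bytes, unframed %ld bytes\n",
           n, unframe_gss_token(pkt, (size_t) n, back, sizeof back));

    n = frame_gss_token(large, sizeof large, pkt, sizeof pkt);
    printf("large token: frame result %ld, %zu bytes over the %zu-byte limit\n",
           n, gss_token_overflow(sizeof large), (size_t) PQ_GSS_MAX_TOKEN);
    return 0;
}
```

The sender-side rejection is what the reporter sees; the receiver-side check is what makes the constant a protocol-level limit rather than a local tunable, since raising it on one side only would leave the other side refusing (or, worse, accepting unbounded) packets.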
