Re: GSS Auth issue when user member of lots of AD groups

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
Cc: Chris Gooch <cgooch(at)bamfunds(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: GSS Auth issue when user member of lots of AD groups
Date: 2025-05-22 16:57:14
Message-ID: 1536692.1747933034@sss.pgh.pa.us
Lists: pgsql-bugs pgsql-committers

Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> writes:
> On Thu, May 22, 2025 at 8:46 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Hmm. That must be coming from this bit in libpq:
>> ...
>> which makes it look like gss_init_sec_context wants us to send a
>> packet larger than PQ_GSS_SEND_BUFFER_SIZE, which perhaps is a
>> plausible thing to happen if the user belongs to enough groups.

> Yeah, it seems like we need to be able to handle up to
> PG_MAX_AUTH_TOKEN_LENGTH (64k) for that initial ticket, at least?

Hmm, unfortunate that that was chosen independent of the GSS limits.

> But also, the current behavior is just to fail hard, so if the client
> tries to do something extra that also sometimes fails hard, it may not
> really be a regression...

Yeah, that's a good point. If we simply allowed the initial packet
to be bigger, that would extend the set of cases that work, and if the
recipient complains (because it predates that change) then it's a case
that would have failed anyway, so we've not made anybody's life worse.

I'm wondering though if this isn't just pushing the problem out a
little further. Is there a good reason to think 64K is enough?

regards, tom lane
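
As an added illustration, not code from this thread or from libpq, the C program below models the failure mode under discussion: a length-prefixed GSS token is framed into a bounded send buffer, and the framing fails once the token no longer fits. The buffer size of 16384 for PQ_GSS_SEND_BUFFER_SIZE is an assumed value for this demo, the 64K figure is the PG_MAX_AUTH_TOKEN_LENGTH quoted above, and the per-group token growth model (a fixed base plus a fixed number of bytes per AD group SID carried in the ticket) is a constructed estimate, not a measurement. The `max_groups_for_buffer` helper shows why raising the client-side limit moves the threshold rather than removing it, which is the concern raised in the last paragraph.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Demo constants. 64K matches PG_MAX_AUTH_TOKEN_LENGTH as quoted in the
 * thread; 16K is an ASSUMED stand-in for PQ_GSS_SEND_BUFFER_SIZE. */
#define DEMO_GSS_SEND_BUFFER_SIZE  16384
#define DEMO_MAX_AUTH_TOKEN_LENGTH 65535

/* Constructed growth model: an initial Kerberos token carries a PAC whose
 * size grows with the number of group SIDs. These numbers are assumptions
 * chosen for illustration only. */
#define DEMO_TOKEN_BASE_BYTES 1500
#define DEMO_BYTES_PER_GROUP    40

/* Does a token of token_len bytes fit behind a 4-byte length prefix? */
int token_fits(size_t token_len, size_t buf_size)
{
    if (buf_size < sizeof(uint32_t))
        return 0;
    return token_len <= buf_size - sizeof(uint32_t);
}

/* Frame a GSS token as a 4-byte big-endian length followed by the token.
 * Returns the number of bytes written, or 0 when the token cannot fit,
 * which is the point at which the real client reports a size error. */
size_t frame_gss_token(const uint8_t *token, size_t token_len,
                       uint8_t *buf, size_t buf_size)
{
    if (!token_fits(token_len, buf_size) || token_len > UINT32_MAX)
        return 0;

    uint32_t len = (uint32_t) token_len;
    buf[0] = (uint8_t) (len >> 24);
    buf[1] = (uint8_t) (len >> 16);
    buf[2] = (uint8_t) (len >> 8);
    buf[3] = (uint8_t) (len);
    memcpy(buf + sizeof(uint32_t), token, token_len);
    return token_len + sizeof(uint32_t);
}

/* Estimated token size for a user who is a member of `groups` AD groups. */
size_t estimate_token_len(unsigned groups)
{
    return DEMO_TOKEN_BASE_BYTES + (size_t) groups * DEMO_BYTES_PER_GROUP;
}

/* Largest group count whose modelled token still fits in buf_size. */
unsigned max_groups_for_buffer(size_t buf_size)
{
    if (buf_size < sizeof(uint32_t) + DEMO_TOKEN_BASE_BYTES)
        return 0;
    return (unsigned) ((buf_size - sizeof(uint32_t) - DEMO_TOKEN_BASE_BYTES)
                       / DEMO_BYTES_PER_GROUP);
}

int main(void)
{
    const unsigned samples[] = {50, 300, 400, 1500, 1700};
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t len = estimate_token_len(samples[i]);
        printf("%4u groups -> ~%5zu byte token: 16K buffer %s, 64K limit %s\n",
               samples[i], len,
               token_fits(len, DEMO_GSS_SEND_BUFFER_SIZE) ? "ok" : "FAIL",
               token_fits(len, DEMO_MAX_AUTH_TOKEN_LENGTH) ? "ok" : "FAIL");
    }
    printf("group ceiling: %u (16K) vs %u (64K)\n",
           max_groups_for_buffer(DEMO_GSS_SEND_BUFFER_SIZE),
           max_groups_for_buffer(DEMO_MAX_AUTH_TOKEN_LENGTH));
    return 0;
}
```

Operationally, the useful check on the defending side is the same one the model exposes: when GSS logins fail only for heavily-grouped accounts, compare the size of the initial token those accounts produce against the client's send buffer before assuming a configuration fault.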
