From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
Cc: | Chris Gooch <cgooch(at)bamfunds(dot)com>, pgsql-bugs(at)lists(dot)postgresql(dot)org |
Subject: | Re: GSS Auth issue when user member of lots of AD groups |
Date: | 2025-05-22 17:58:33 |
Message-ID: | 1647590.1747936713@sss.pgh.pa.us |
Lists: | pgsql-bugs pgsql-committers |

Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> writes:
> On Thu, May 22, 2025 at 9:57 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> I'm wondering though if this isn't just pushing the problem out a
>> little further. Is there a good reason to think 64K is enough?

> Microsoft docs [1] seem to imply that there are still a bunch of
> existing problems if you try to go much higher, though it is possible
> to do so with registry tweaks. Looks like they default to 48k.

> Maybe we should consider making the max incoming ticket size
> configurable, so users that really need a bigger one can deal with the
> DoS risk without it affecting everyone else. (A limit on outgoing
> tickets probably doesn't make too much sense; I imagine you're going
> to use the ticket that GSSAPI hands you, no matter how big it is,
> because it's not as if you have a choice.)

Yeah, but we don't want to change the packet size used after the
initial exchange, because that would create compatibility issues
in cases that aren't failing today. I didn't look at the code
to see if we can easily use a different buffer size during
the authentication exchange. If we can, I'd be inclined to goose
it up to 128K or so. Given Chris' point that should be plenty,
so I don't feel a need to expose a knob.

regards, tom lane