Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Chris Gooch <cgooch(at)bamfunds(dot)com>
Cc: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups
Date: 2025-05-30 16:59:58
Message-ID: 2356943.1748624398@sss.pgh.pa.us
Lists: pgsql-bugs pgsql-committers

Chris Gooch <cgooch(at)bamfunds(dot)com> writes:
> In that scenario the client did not get any GSSAPI specific errors and drops to prompt for password. The server however had this in the logs "oversize GSSAPI packet sent by the client (20131 > 16384)"

Yeah, that's expected. By default, a GSSAPI-enabled libpq will try to
open a GSSAPI connection first, but silently fall back to not-GSSAPI
if the server rejects it --- there's not any close inquiry into why
the server rejected it.

Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> writes:
> Okay, on closer review this LGTM.

Pushed, thanks for reviewing.

> I was trying to get src/test/kerberos to shove a bunch of
> authorization data into its tickets, but I haven't figured out how
> to get krb5kdc to do that yet, so Chris's tests are the best we have
> at the moment. Eventually I'll get around to reading the ASN.1 so
> that pg-pytest can test this case, but that's not a job for today.

Sounds reasonable. I think Chris' testing is good enough for now.
The one thing I was slightly concerned about was whether any data
could remain in the buffers at the instant we downsize them, but
that seems improbable (and it wouldn't depend on the ticket size
anyway, I should think).

regards, tom lane
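
A log check for the server-side message quoted above, as an added example that is not part of the original message or of PostgreSQL: because the client falls back silently, the server log is the place where the rejected GSSAPI attempt is visible. The `log_line_prefix` layout (`%m [%p] %h `), the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Message text as quoted in the thread; the numbers are packet size and limit.
OVERSIZE = re.compile(r"oversize GSSAPI packet sent by the client \((\d+) > (\d+)\)")
# Assumed log_line_prefix '%m [%p] %h ' -> "date time tz [pid] host "; adjust to yours.
PREFIX = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<host>\S+) ")


def summarize_oversize(lines):
    """Return {host: {"count", "max_sent", "limit"}} for rejected GSSAPI packets."""
    stats = defaultdict(lambda: {"count": 0, "max_sent": 0, "limit": 0})
    for line in lines:
        m = OVERSIZE.search(line)
        if not m:
            continue
        sent, limit = int(m.group(1)), int(m.group(2))
        p = PREFIX.match(line)
        # Lines that do not follow the assumed prefix are still counted.
        host = p.group("host") if p else "unknown"
        entry = stats[host]
        entry["count"] += 1
        entry["max_sent"] = max(entry["max_sent"], sent)
        entry["limit"] = limit
    return dict(stats)


# Constructed sample log lines (not taken from the thread, apart from the
# message text and the 20131 > 16384 figures reported there).
SAMPLE_LOG = """\
2025-05-30 10:01:02.123 UTC [4101] 10.0.0.15 LOG:  oversize GSSAPI packet sent by the client (20131 > 16384)
2025-05-30 10:01:02.456 UTC [4102] 10.0.0.15 LOG:  connection received: host=10.0.0.15 port=50112
2025-05-30 10:03:10.001 UTC [4188] 10.0.0.22 LOG:  oversize GSSAPI packet sent by the client (17000 > 16384)
2025-05-30 10:05:44.700 UTC [4230] 10.0.0.15 LOG:  oversize GSSAPI packet sent by the client (20131 > 16384)
""".splitlines()

if __name__ == "__main__":
    for host, s in sorted(summarize_oversize(SAMPLE_LOG).items()):
        print(f"{host}: {s['count']} rejected, largest {s['max_sent']} bytes "
              f"(limit {s['limit']}); client may have fallen back to non-GSSAPI")
```

Hosts that appear in this summary are candidates for having dropped to the password prompt described above, so their later connections are worth checking against the authentication method you expect.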
