Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups

Chris Gooch <cgooch(at)bamfunds(dot)com> writes:
> In that scenario the client did not get any GSSAPI specific errors and drops to prompt for password. The server however had this in the logs "oversize GSSAPI packet sent by the client (20131 > 16384)"

Yeah, that's expected. By default, a GSSAPI-enabled libpq will try to
open a GSSAPI connection first, but silently fall back to not-GSSAPI
if the server rejects it --- there's not any close inquiry into why
the server rejected it.

Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> writes:
> Okay, on closer review this LGTM.

Pushed, thanks for reviewing.

> I was trying to get src/test/kerberos to shove a bunch of
> authorization data into its tickets, but I haven't figured out how
> to get krb5kdc to do that yet, so Chris's tests are the best we have
> at the moment. Eventually I'll get around to reading the ASN.1 so
> that pg-pytest can test this case, but that's not a job for today.

Sounds reasonable. I think Chris' testing is good enough for now.
The one thing I was slightly concerned about was whether any data
could remain in the buffers at the instant we downsize them, but
that seems improbable (and it wouldn't depend on the ticket size
anyway, I should think).

regards, tom lane