Re: GSS Auth issue when user member of lots of AD groups
From | Tom Lane
---|---
Subject | Re: GSS Auth issue when user member of lots of AD groups
Date |
Msg-id | 1529314.1747928806@sss.pgh.pa.us
List | pgsql-bugs
[ pgsql-committers is completely inappropriate, redirecting to -bugs ]

Chris Gooch <cgooch@bamfunds.com> writes:
> GSS authentication is working for users with a small number of AD
> groups but getting the below error when a user has a larger number of
> groups. I believe it might be token size related, but they don't
> have issues when authenticating with Kerberos/GSS to other
> applications, only with Postgres.

> failed: GSSAPI context establishment error: The routine must be called again to complete its function: Unknown error

Hmm.  That must be coming from this bit in libpq:

    /* Must have output.length > 0 */
    if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
    {
        pg_GSS_error(libpq_gettext("GSSAPI context establishment error"),
                     conn, major, minor);
        gss_release_buffer(&minor, &output);
        return PGRES_POLLING_FAILED;
    }

which makes it look like gss_init_sec_context wants us to send a packet
larger than PQ_GSS_SEND_BUFFER_SIZE, which perhaps is a plausible thing
to happen if the user belongs to enough groups.

Unfortunately, elsewhere in the same file:

     * NOTE: The client and server have to agree on the max packet size,
     * because we have to pass an entire packet to GSSAPI at a time and we
     * don't want the other side to send arbitrarily huge packets as we
     * would have to allocate memory for them to then pass them to GSSAPI.
     *
     * Therefore, these two #define's are effectively part of the protocol
     * spec and can't ever be changed.
     */
    #define PQ_GSS_SEND_BUFFER_SIZE 16384
    #define PQ_GSS_RECV_BUFFER_SIZE 16384

Not sure where to go from here.  Unfortunately the person who was mostly
responsible for this code has left the project...

			regards, tom lane
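The following is an added example, not code from libpq and not part of Tom's message. It models the framing that the two #define's above pin down: a 4-byte big-endian length word followed by the raw GSS token, with both sides refusing anything that does not fit in 16384 bytes. The helper names (gss_frame_token, gss_parse_packet, gss_token_round_trips, gss_parse_rejects_bogus_length) are hypothetical, and the tokens are constructed filler; a real Kerberos token from Active Directory grows with the PAC, which is why a user in many groups can cross the limit while a user in few groups does not.

```c
/*
 * Added example (hypothetical helpers, not libpq code): minimal model of
 * the length-prefixed GSS packet framing whose size limits Tom quotes.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define PQ_GSS_SEND_BUFFER_SIZE 16384
#define PQ_GSS_RECV_BUFFER_SIZE 16384

/* Largest token that fits behind the 4-byte length word. */
#define PQ_GSS_MAX_TOKEN (PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32_t))

/*
 * Sender side: frame 'token' into 'buf' (PQ_GSS_SEND_BUFFER_SIZE bytes).
 * Returns bytes written, or 0 when the token is too large to frame, which
 * is the condition behind "GSSAPI context establishment error" above.
 */
size_t
gss_frame_token(const unsigned char *token, size_t token_len,
                unsigned char *buf)
{
    uint32_t netlen;

    if (token_len == 0 || token_len > PQ_GSS_MAX_TOKEN)
        return 0;
    netlen = htonl((uint32_t) token_len);
    memcpy(buf, &netlen, sizeof(netlen));
    memcpy(buf + sizeof(netlen), token, token_len);
    return sizeof(netlen) + token_len;
}

/*
 * Receiver side: read the length word and refuse anything that would not
 * fit in PQ_GSS_RECV_BUFFER_SIZE, so a peer can never force an arbitrarily
 * large allocation (the reason the sizes are "part of the protocol").
 * Returns the token length (with *token pointing into 'buf'), or 0 when
 * the packet is malformed, oversized, or not yet complete.
 */
size_t
gss_parse_packet(const unsigned char *buf, size_t buf_len,
                 const unsigned char **token)
{
    uint32_t netlen, len;

    if (buf_len < sizeof(netlen))
        return 0;
    memcpy(&netlen, buf, sizeof(netlen));
    len = ntohl(netlen);
    if (len == 0 || len > PQ_GSS_RECV_BUFFER_SIZE - sizeof(netlen))
        return 0;                       /* bogus or oversized length */
    if (buf_len < sizeof(netlen) + len)
        return 0;                       /* truncated: need more bytes */
    *token = buf + sizeof(netlen);
    return len;
}

/* Does a constructed token of 'token_len' bytes (all 0x42) survive both checks? */
bool
gss_token_round_trips(size_t token_len)
{
    unsigned char *token = malloc(token_len ? token_len : 1);
    unsigned char buf[PQ_GSS_SEND_BUFFER_SIZE];
    const unsigned char *parsed = NULL;
    size_t framed, got;
    bool ok;

    memset(token, 0x42, token_len);
    framed = gss_frame_token(token, token_len, buf);
    got = framed ? gss_parse_packet(buf, framed, &parsed) : 0;
    ok = framed != 0 && got == token_len &&
         memcmp(parsed, token, token_len) == 0;
    free(token);
    return ok;
}

/* A crafted packet claiming a 2 GiB token is refused before any allocation. */
bool
gss_parse_rejects_bogus_length(void)
{
    unsigned char buf[8] = {0};
    uint32_t netlen = htonl(0x7fffffffU);
    const unsigned char *tok = NULL;

    memcpy(buf, &netlen, sizeof(netlen));
    return gss_parse_packet(buf, sizeof(buf), &tok) == 0;
}

int
main(void)
{
    /* A few KiB is typical for a user in a handful of groups. */
    printf("2048 bytes:  %s\n", gss_token_round_trips(2048) ? "ok" : "too large");
    /* Exactly the limit still fits; one byte over is the reported failure. */
    printf("16380 bytes: %s\n", gss_token_round_trips(PQ_GSS_MAX_TOKEN) ? "ok" : "too large");
    printf("16381 bytes: %s\n", gss_token_round_trips(PQ_GSS_MAX_TOKEN + 1) ? "ok" : "too large");
    printf("bogus length rejected: %s\n", gss_parse_rejects_bogus_length() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the limit is symmetric and deliberate: raising only the client's send buffer would not help, because the server rejects any length word above its own receive buffer, so a change has to be negotiated by both sides as a protocol change rather than patched on one end.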