Re: GSS Auth issue when user member of lots of AD groups
From | Tom Lane |
---|---|
Subject | Re: GSS Auth issue when user member of lots of AD groups |
Date | |
Msg-id | 1647590.1747936713@sss.pgh.pa.us |
In response to | Re: GSS Auth issue when user member of lots of AD groups (Jacob Champion <jacob.champion@enterprisedb.com>) |
Responses | Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups |
List | pgsql-bugs |

Jacob Champion <jacob.champion@enterprisedb.com> writes:

> On Thu, May 22, 2025 at 9:57 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I'm wondering though if this isn't just pushing the problem out a
>> little further. Is there a good reason to think 64K is enough?

> Microsoft docs [1] seem to imply that there are still a bunch of
> existing problems if you try to go much higher, though it is possible
> to do so with registry tweaks. Looks like they default to 48k.

> Maybe we should consider making the max incoming ticket size
> configurable, so users that really need a bigger one can deal with the
> DoS risk without it affecting everyone else. (A limit on outgoing
> tickets probably doesn't make too much sense; I imagine you're going
> to use the ticket that GSSAPI hands you, no matter how big it is,
> because it's not as if you have a choice.)

Yeah, but we don't want to change the packet size used after the
initial exchange, because that would create compatibility issues
in cases that aren't failing today. I didn't look at the code
to see if we can easily use a different buffer size during the
authentication exchange. If we can, I'd be inclined to goose it
up to 128K or so. Given Chris' point that should be plenty, so
I don't feel a need to expose a knob.

regards, tom lane