Re: GSS Auth issue when user member of lots of AD groups

From Jacob Champion
Subject Re: GSS Auth issue when user member of lots of AD groups
Date
Msg-id CAOYmi+mPdZwNe16yozk40G8hW3d1Rxnoipu0dw52AiuZRoabaA@mail.gmail.com
In response to Re: GSS Auth issue when user member of lots of AD groups  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: GSS Auth issue when user member of lots of AD groups
List pgsql-bugs
On Thu, May 22, 2025 at 9:57 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I'm wondering though if this isn't just pushing the problem out a
> little further.  Is there a good reason to think 64K is enough?

Microsoft docs [1] seem to imply that there are still a bunch of
existing problems if you try to go much higher, though it is possible
to do so with registry tweaks. Looks like they default to 48k.

Maybe we should consider making the max incoming ticket size
configurable, so users that really need a bigger one can deal with the
DoS risk without it affecting everyone else. (A limit on outgoing
tickets probably doesn't make too much sense; I imagine you're going
to use the ticket that GSSAPI hands you, no matter how big it is,
because it's not as if you have a choice.)

--Jacob

[1]
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups#known-issues-that-affect-maxtokensize
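
The configurable incoming limit suggested in the message above, sketched as an added example (not code from PostgreSQL or from anyone in the thread). The 4-byte length framing, the function names and the status values are assumptions made for illustration; only the 64K figure comes from the thread.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_MAX_TOKEN (64 * 1024)   /* the 64K figure from the thread */
enum token_status { TOKEN_OK, TOKEN_SHORT, TOKEN_TOO_LARGE, TOKEN_NOMEM };

/* Hypothetical framing: 4-byte big-endian length, then the token bytes.
 * The declared length is checked against the configured limit before any
 * allocation, so an unauthenticated peer cannot make the receiver reserve
 * more than max_token bytes. */
enum token_status read_incoming_token(const uint8_t *frame, size_t frame_len,
                                      size_t max_token, uint8_t **token)
{
    uint32_t declared;
    *token = NULL;
    if (frame_len < 4)
        return TOKEN_SHORT;
    declared = ((uint32_t) frame[0] << 24) | ((uint32_t) frame[1] << 16) |
               ((uint32_t) frame[2] << 8) | (uint32_t) frame[3];
    if (declared > max_token)
        return TOKEN_TOO_LARGE;         /* reject before allocating */
    if (frame_len - 4 < declared)
        return TOKEN_SHORT;             /* body not fully received */
    *token = malloc(declared ? declared : 1);
    if (*token == NULL)
        return TOKEN_NOMEM;
    memcpy(*token, frame + 4, declared);
    return TOKEN_OK;
}

/* Build a constructed frame (zero-filled body) and return the reader's verdict. */
enum token_status try_frame(uint32_t declared, size_t body_len, size_t max_token)
{
    uint8_t *frame = calloc(1, 4 + body_len), *token = NULL;
    enum token_status st;

    if (frame == NULL)
        return TOKEN_NOMEM;
    for (int i = 0; i < 4; i++)         /* write the declared length, big-endian */
        frame[i] = (uint8_t) (declared >> (24 - 8 * i));
    st = read_incoming_token(frame, 4 + body_len, max_token, &token);
    free(token);
    free(frame);
    return st;
}

/* Exit status 0 when a 70000-byte token passes once the limit is raised to 128K. */
int main(void) { return try_frame(70000, 70000, 128 * 1024) == TOKEN_OK ? 0 : 1; }
```

A site with unusually large tickets raises `max_token` for itself, while every other deployment keeps the smaller default and the smaller pre-authentication allocation it implies.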


