RE: [EXT] Re: GSS Auth issue when user member of lots of AD groups - Mailing list pgsql-bugs

From Chris Gooch
Subject RE: [EXT] Re: GSS Auth issue when user member of lots of AD groups
Date
Msg-id DS0PR22MB59711694477CFE09BA3A07DABE61A@DS0PR22MB5971.namprd22.prod.outlook.com
In response to Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups  (Jacob Champion <jacob.champion@enterprisedb.com>)
Responses Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups
List pgsql-bugs
Hi Jacob,

In that scenario the client did not get any GSSAPI specific errors and drops to prompt for password. The server however
had this in the logs "oversize GSSAPI packet sent by the client (20131 > 16384)"
 

Thanks,
Chris

-----Original Message-----
From: Jacob Champion <jacob.champion@enterprisedb.com> 
Sent: Friday, May 30, 2025 12:17 AM
To: Tom Lane <tgl@sss.pgh.pa.us>; Chris Gooch <cgooch@bamfunds.com>
Cc: pgsql-bugs@lists.postgresql.org
Subject: Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups

On Thu, May 29, 2025 at 11:41 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Jacob Champion <jacob.champion@enterprisedb.com> writes:
> > I plan to get a full test+review back to you by end-of-day. (I don't 
> > see anything obviously scary yet, so if I miss my self-imposed 
> > deadline, no need to wait for me.)
>
> Sure, no rush.  I just thought I'd get this off my queue if you were 
> done looking.

Okay, on closer review this LGTM.

I was trying to get src/test/kerberos to shove a bunch of authorization data into its tickets, but I haven't figured
out how to get krb5kdc to do that yet, so Chris's tests are the best we have at the moment. Eventually I'll get around
to reading the ASN.1 so that pg-pytest can test this case, but that's not a job for today. Chris, I'm curious: what's
the failure look like for the "1. Patched Client to Unpatched Server" case when the ticket is bigger than 16k?
 

Thanks!
--Jacob
