[Freeipa-devel] Session design document
Alexander Bokovoy
abokovoy at redhat.com
Sat Dec 3 15:55:31 UTC 2011
On Fri, 02 Dec 2011, John Dennis wrote:
> My guess is we're not likely to be bumping up against the 1 MB per
> item threshold (nor would it be smart to anywhere be close to that).
> I think I recalled you mentioning that PAC data would max out around
> 16 KB. So I don't see the limit as being something we realistically
> need to worry about (or at least I hope not :-)
According to http://support.microsoft.com/kb/327825:
----------------------------------------------------------------------
TokenSize = 1200 + 40d + 8s
This formula uses the following values:
d: The number of domain local groups a user is a member of plus
the number of universal groups outside the user's account domain plus
the number of groups represented in security ID (SID) history.
s: The number of security global groups that a user is a member of
plus the number of universal groups in a user's account domain.
1200: The estimated value for ticket overhead. This value can vary
depending on factors such as DNS domain name length, client name, and
other factors.
-----------------------------------------------------------------------
The KB article goes on to say that the recommended maximum value is
65535 bytes. It is 'a fixed Kerberos ticket receive buffer that
contains the SIDs that represent the groups in which the account is a
member'.
Thus, in large environments the realistic limit is still 64 KB per PAC.
--
/ Alexander Bokovoy
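A worked version of the KB 327825 estimate, as an added example that is not code from this thread or from FreeIPA; the helper functions, and the step of solving the formula for a group count, are my own additions built only on the numbers quoted above:

```python
# Added example: Kerberos token-size estimate from Microsoft KB 327825,
# checked against the 65535-byte receive buffer the article recommends
# as the maximum. Not part of the thread or of the FreeIPA code base.

DEFAULT_OVERHEAD = 1200   # estimated ticket overhead; varies with name lengths
MAX_TOKEN_SIZE = 65535    # recommended maximum receive-buffer size in bytes
BYTES_PER_D_GROUP = 40    # domain local / foreign universal / SID-history groups
BYTES_PER_S_GROUP = 8     # global / same-domain universal groups


def estimate_token_size(d, s, overhead=DEFAULT_OVERHEAD):
    """TokenSize = 1200 + 40d + 8s, with d and s as defined in the KB text."""
    if d < 0 or s < 0:
        raise ValueError("group counts must be non-negative")
    return overhead + BYTES_PER_D_GROUP * d + BYTES_PER_S_GROUP * s


def fits_in_buffer(d, s, limit=MAX_TOKEN_SIZE, overhead=DEFAULT_OVERHEAD):
    """True when the estimated token still fits the receive buffer."""
    return estimate_token_size(d, s, overhead) <= limit


def max_groups(per_group_bytes, limit=MAX_TOKEN_SIZE, overhead=DEFAULT_OVERHEAD):
    """Solve the formula for one group kind: how many such groups fit when
    the account holds none of the other kind (an upper bound for planning)."""
    return (limit - overhead) // per_group_bytes


if __name__ == "__main__":
    # Constructed sample: 10 domain local groups, 20 global groups.
    print("estimate for d=10, s=20:", estimate_token_size(10, 20))
    print("max d-type groups alone:", max_groups(BYTES_PER_D_GROUP))
    print("max s-type groups alone:", max_groups(BYTES_PER_S_GROUP))
```

The two bounds show that the 40-byte groups (domain local, foreign universal, SID history) exhaust the buffer roughly five times sooner than the 8-byte global groups do.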