[32669] in Kerberos

Re: UDP and fragmentation

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Sep 15 12:22:05 2010

Date: Wed, 15 Sep 2010 11:20:46 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Message-ID: <20100915162046.GQ3982@oracle.com>
In-Reply-To: <i6mul5$1bui$1@relay.tomsk.ru>
Cc: kerberos@mit.edu

On Tue, Sep 14, 2010 at 04:45:25AM +0000, Victor Sudakov wrote:
> Greg Hudson wrote:
> > > BTW what can make Kerberos packets so big? Microsoft says: "Depending
> > > on a variety of factors including security identifier (SID) history
> > > and group membership, some accounts will have larger Kerberos
> > > authentication packet sizes." What's there inside? Long principal
> > > names? Long keys?
> 
> > An Active Directory KDC will include authorization data within a
> > Kerberos ticket which includes the set of groups you are a member of.
> > If that's a lot of groups, then your ticket will be large.
> 
> It is very interesting. Where is room in a Kerberos ticket for
> such data?

In the authorization-data field [of EncTicketPart].  See RFC4120.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
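
The field named in the reply above, as an added example that is not part of the original message: a minimal DER encoder/decoder for the AuthorizationData type from RFC 4120 section 5.2.6, showing how the encoded field grows with the payload a KDC places in it. The `sample` helper and its 8-bytes-per-group payload are constructed placeholders, not a real authorization payload.

```python
# RFC 4120 section 5.2.6:
# AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
AD_IF_RELEVANT = 1   # ad-data is itself an encoded AuthorizationData
AD_WIN2K_PAC = 128   # ad-type number listed in RFC 4120 section 7.5.4

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def _read(buf, pos, want):  # one TLV at pos with tag `want` -> (body, next_pos)
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("unexpected tag or truncated data at offset %d" % pos)
    first, pos = buf[pos + 1], pos + 2
    k = first & 0x7F if first & 0x80 else 0       # long form: k length bytes follow
    n = int.from_bytes(buf[pos:pos + k], "big") if k else first
    if first == 0x80 or pos + k + n > len(buf):
        raise ValueError("indefinite length or length past end of buffer")
    return buf[pos + k:pos + k + n], pos + k + n

def encode(elements):  # list of (ad_type, ad_data bytes) -> DER AuthorizationData
    out = b""
    for ad_type, ad_data in elements:
        num = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big", signed=True)
        out += _tlv(0x30, _tlv(0xA0, _tlv(0x02, num)) + _tlv(0xA1, _tlv(0x04, ad_data)))
    return _tlv(0x30, out)

def decode(der, depth=0):  # DER -> list of (ad_type, ad_data); AD-IF-RELEVANT is unwrapped
    if depth > 8:                     # bound recursion on untrusted input
        raise ValueError("nesting too deep")
    seq, end = _read(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes")
    elements, pos = [], 0
    while pos < len(seq):
        item, pos = _read(seq, pos, 0x30)
        f0, p = _read(item, 0, 0xA0)
        f1, p = _read(item, p, 0xA1)
        ad_type = int.from_bytes(_read(f0, 0, 0x02)[0], "big", signed=True)
        ad_data = _read(f1, 0, 0x04)[0]
        if ad_type == AD_IF_RELEVANT:
            ad_data = decode(ad_data, depth + 1)
        elements.append((ad_type, ad_data))
    return elements

def sample(n_groups):  # constructed input: 8 placeholder bytes per group
    return encode([(AD_IF_RELEVANT, encode([(AD_WIN2K_PAC, bytes(8 * n_groups))]))])
```

Comparing `len(sample(10))` with `len(sample(200))` shows the wrapper overhead stays at a few dozen bytes while the payload dominates the size of the field.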
