You're still only about 40 groups away from trouble. I'd say that user is
precarious and that the organization that has that process in place to allow
this sort of thing should consider changing that practice. Sooner vs. later.
Complexity and Security often aren't found together.
I reread the thread to see if I missed something. If I did, it's not
obvious to me, but were there any issues currently in play or was this
pre-emptive in timing?
Al
From: Kitchens Arthur E <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: "'ActiveDir@mail.activedir.org'" <ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Token Bloat
Date: Mon, 14 Nov 2005 15:04:40 -0500
From the output from tokensz (output below is from the cloned account of the
213 group user, I'm still working on getting the example syntaxes to work for
me like it does for the other kids). So the issue here is not token size in
our environment, but my lack of understanding of just what makes token size.
Thanks to all of you who replied.
Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 12000
Using user to user
QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2083e
Signature Algorithm = -138
Encrypt Algorithm = 23
Start:11/14/2005 9:59:39
Expiry:11/14/2005 19:59:20
Current Time: 11/14/2005 9:59:39
MaxToken (complete context) 10400
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Token Bloat
Hmmm...
Using the formula:
TokenSize = 1200 + 40d + 8s
This formula uses the following values:
* d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain plus the number of groups represented in security ID (SID) history.
* s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain.
* 1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.
that would look like this:
TokenSize = 1200 + 40(100) + 8(0) based on the below information.
TS = 5200
MaxTokenSize Bytes possible = 12,000
Difference = 12,000 - 5,200 = 6,800 (bytes)
Have you downloaded tokensz yet? What were the results?
-ajm
>From: Kitchens Arthur E <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: "'ActiveDir@mail.activedir.org'" <ActiveDir@mail.activedir.org>
>Subject: RE: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 12:38:23 -0500
>
>DCs and functionality level are Windows Server 2003. Groups are domain
>global groups for the most part (and those are the points of contention
>as users are accessing resources ACL'ed with the old, pre-migration,
>groups via SID history). Not sure about sizes, but from sectok etc. we
>know there's more than 70-100 SIDs in some of these tokens, way more.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
>Sent: Monday, November 14, 2005 12:30 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Token Bloat
>
>I guess the best question to ask at this point is the type of groups
>the user is a member of. Not all groups take the same amount of room.
>
>Additionally, there were some changes between 2000 RTM and 2003 SP1 that
>took place that affected the PAC behavior. It's possible you don't see
>more of this because size is important vs the quantity (you'll not hear
>that very often, I'll wager ;)
>
>One additional question to ask here: what versions of DC are you
>running and at what functional level?
>
>Al
>
>
> >From: Kitchens Arthur E <[EMAIL PROTECTED]>
> >Reply-To: ActiveDir@mail.activedir.org
> >To: "'ActiveDir@mail.activedir.org'" <ActiveDir@mail.activedir.org>
> >Subject: RE: [ActiveDir] Token Bloat
> >Date: Mon, 14 Nov 2005 10:32:19 -0500
> >
> >From the other response I saw from Jorge de Almeida Pinto (thanks!) I'm
> >thinking that maybe my confusion is stemming from what this really is,
> >a Kerberos ticketing issue, not general access. Is that a correct
> >or incorrect assumption? We have users that are in an inordinate
> >number of groups (~213 is the grand prize winner), and SID histories
> >of various sizes are involved. We have seen this before, and
> >addressed it by limited cleaning of SID history. But when we stumbled
> >across these bloated group memberships (and bloated SID histories), I
> >expected the associated dysfunction to be widespread. That has not been
> >reported.
> >Also, I cloned the 213 group user and didn't see any access problems
> >in limited and unscientific testing with the copy. I guess my
> >question should have been "why would this not be a bigger problem?"
> >We have a number of users who are in 70+ groups (and that's not even
> >counting the SID history contents for those groups, which varies). The
> >tokensz tool will be useful but I'm sure a bunch of these users are
> >over the limit already. Thanks
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> >Sent: Monday, November 14, 2005 10:03 AM
> >To: ActiveDir@mail.activedir.org
> >Subject: RE: [ActiveDir] Token Bloat
> >
> >Can you be more specific? Are you asking if the order of the tokens
> >is FIFO related to group additions and if so, is it evaluated up to
> >that point when the token is bloated beyond the maxtokensize?
> >
> >Is there a reason you would want to know that? I'm thinking that
> >you'd get unpredictable results to make this worthwhile and you'll be
> >better off fixing the issue in the first place. Unless this is for
> >some sort of audit after the fact and you want to prove/disprove when
> >the issue would occur for that sake.
> >
> >There's a utility (name escapes me at the moment) that lets you
> >evaluate the token size on a command line. You may be able to set up
> >some quick tests and see exactly what happens in this situation.
> >I'll try to remember the name of the utility if somebody else doesn't
> >chime in with it first.
> >
> >
> >Al
> >
> >
> > >From: Kitchens Arthur E <[EMAIL PROTECTED]>
> > >Reply-To: ActiveDir@mail.activedir.org
> > >To: ActiveDir@mail.activedir.org
> > >Subject: [ActiveDir] Token Bloat
> > >Date: Mon, 14 Nov 2005 07:59:01 -0500
> > >
> > > Might anyone know what actually happens in this situation? Do
> > >SIDs in the token up to MaxTokenSize get evaluated (is SID order
> > >within the token determined by the sequence of group membership
> > >additions, if order even matters)? None of them? Something
> > >completely different from either of these two scenarios? Thanks in
> > >advance.
> > >
> > > A. E. Kitchens
> > >phone 904-301-3578
> > >fax 904-301-3625
> > >Atonally DO:RE:MI:FA:SO:LA:TI:DO
> > >Felis demulcta mitis
> > >
> > >
> > >"Reality is that which, when you stop believing in it, doesn't go
> > >away."
> > > -- Philip K. Dick
> >
> >
> >List info : http://www.activedir.org/List.aspx
> >List FAQ : http://www.activedir.org/ListFAQ.aspx
> >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
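Added example (my code, not any poster's) implementing the estimate formula Al quotes and the headroom check his "about 40 groups away" remark rests on. The 12,000-byte MaxToken and the 10,400-byte measured context are taken from the tokensz output in the thread; the function and constant names are mine.

```python
# Added example, not code from the thread: the estimate formula Al quotes
# (TokenSize = 1200 + 40d + 8s) plus the headroom check against MaxTokenSize.
from dataclasses import dataclass

TICKET_OVERHEAD = 1200     # estimated ticket overhead; varies with name lengths
DOMAIN_LOCAL_COST = 40     # bytes per domain-local, foreign-universal or SID-history entry (d)
GLOBAL_COST = 8            # bytes per global or home-domain universal group (s)
MAX_TOKEN_SIZE = 12000     # MaxToken reported by tokensz in the thread


@dataclass(frozen=True)
class TokenEstimate:
    size: int        # estimated token size in bytes
    max_size: int    # configured MaxTokenSize in bytes

    @property
    def headroom(self) -> int:
        return self.max_size - self.size

    @property
    def fits(self) -> bool:
        return self.size <= self.max_size


def estimate_token_size(d: int, s: int, overhead: int = TICKET_OVERHEAD) -> int:
    """d = domain-local + foreign universal + SID-history entries; s = global + home universal."""
    if d < 0 or s < 0:
        raise ValueError("group counts must be non-negative")
    return overhead + DOMAIN_LOCAL_COST * d + GLOBAL_COST * s


def check_token(d: int, s: int, max_size: int = MAX_TOKEN_SIZE) -> TokenEstimate:
    return TokenEstimate(estimate_token_size(d, s), max_size)


def groups_to_limit(current_size: int, max_size: int = MAX_TOKEN_SIZE) -> dict:
    """How many more entries of each kind fit before a token of current_size exceeds max_size."""
    headroom = max(max_size - current_size, 0)
    return {"domain_local": headroom // DOMAIN_LOCAL_COST, "global": headroom // GLOBAL_COST}


if __name__ == "__main__":
    est = check_token(d=100, s=0)      # Al's worked numbers: 5200 bytes, 6800 bytes headroom
    print(f"estimate {est.size}, headroom {est.headroom}, fits={est.fits}")
    print("room left in the measured 10400-byte context:", groups_to_limit(10400))
    over = check_token(d=271, s=0)     # one domain-local entry past the 12000-byte limit
    print(f"d=271 -> {over.size} bytes, fits={over.fits}")
```

Because the 1200-byte overhead is only an estimate, treat the result as a lower bound and confirm with tokensz, as the thread's 5,200 estimate versus 10,400 measured shows.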