From the other response I saw from Jorge de Almeida Pinto (thanks!), I'm thinking that maybe my confusion is stemming from what this really is, a Kerberos ticketing issue, not general access. Is that a correct or incorrect assumption?
We have users that are in an inordinate number of groups (~213 is the grand prize winner), and sidhistories of various sizes are involved. We have seen this before, and addressed it by limited cleaning of sidhistory. But when we stumbled across these bloated group memberships (and bloated sidhistories), I expected the associated dysfunction to be widespread. That has not been reported. Also, I cloned the 213 group user and didn't see any access problems in limited and unscientific testing with the copy.
I guess my question should have been "why would this not be a bigger problem?" We have a number of users who are in 70+ groups (and that's not even counting the sidhistory contents for those groups, which varies). The tokensz tool will be useful but I'm sure a bunch of these users are over the limit already.
Thanks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 10:03 AM
To: [email protected]
Subject: RE: [ActiveDir] Token Bloat
Can you be more specific? Are you asking if the order of the tokens is FIFO related to group additions and if so, is it evaluated up to that point when the token is bloated beyond the maxtokensize?
Is there a reason you would want to know that? I'm thinking that you'd get unpredictable results to make this worthwhile and you'll be better off fixing the issue in the first place. Unless this is for some sort of audit after the fact and you want to prove/disprove when the issue would occur for that sake.
There's a utility (name escapes me at the moment) that lets you evaluate the token size on a command line. You may be able to set up some quick tests and see exactly what happens in this situation. I'll try to remember the name of the utility if somebody else doesn't chime in with it first.
Al
>From: Kitchens Arthur E <[EMAIL PROTECTED]>
>Reply-To: [email protected]
>To: [email protected]
>Subject: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 07:59:01 -0500
>
> Might anyone know what actually happens in this situation? Do sids
>in the token up to maxtokensize get evaluated (is sid order within
>the token determined by sequence of group membership additions, if
>order even matters)? None of them? Something completely different from
>either of these two scenarios? Thanks in advance.
>
> A. E. Kitchens
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
