On Fri, 02 Dec 2011, John Dennis wrote:
> My guess is we're not likely to be bumping up against the 1 MB per
> item threshold (nor would it be smart to anywhere be close to that).
> I think I recalled you mentioning that PAC data would max out around
> 16 KB. So I don't see the limit as being something we realistically
> need to worry about (or at least I hope not :-)
According to http://support.microsoft.com/kb/327825:
TokenSize = 1200 + 40d + 8s
This formula uses the following values:

    d: The number of domain local groups a user is a member of plus 
the number of universal groups outside the user's account domain plus 
the number of groups represented in security ID (SID) history.

    s: The number of security global groups that a user is a member of 
plus the number of universal groups in a user's account domain.

    1200: The estimated value for ticket overhead. This value can vary 
depending on factors such as DNS domain name length, client name, and 
other factors.

The KB article goes on to say that the recommended maximum value is 
65535 bytes. It is 'a fixed Kerberos ticket receive buffer that 
contains the SIDs that represent the groups in which the account is a 

Thus, in large environments realistic limit is still 64Kb per PAC.
/ Alexander Bokovoy

Freeipa-devel mailing list

Reply via email to