On Fri, 02 Dec 2011, John Dennis wrote:
> My guess is we're not likely to be bumping up against the 1 MB per
> item threshold (nor would it be smart to anywhere be close to that).
> I think I recalled you mentioning that PAC data would max out around
> 16 KB. So I don't see the limit as being something we realistically
> need to worry about (or at least I hope not :-)

According to http://support.microsoft.com/kb/327825:

----------------------------------------------------------------------
TokenSize = 1200 + 40d + 8s

This formula uses the following values:

d: The number of domain local groups a user is a member of plus the
   number of universal groups outside the user's account domain plus
   the number of groups represented in security ID (SID) history.

s: The number of security global groups that a user is a member of
   plus the number of universal groups in a user's account domain.

1200: The estimated value for ticket overhead. This value can vary
   depending on factors such as DNS domain name length, client name,
   and other factors.
----------------------------------------------------------------------

The KB article goes on to say that the recommended maximum value is
65535 bytes. It is 'a fixed Kerberos ticket receive buffer that
contains the SIDs that represent the groups in which the account is a
member'.

Thus, in large environments the realistic limit is still 64 KB per PAC.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
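The KB 327825 estimate quoted above, worked through as a small capacity check. This is an added example, not code from the thread or from FreeIPA; the function names and the sample group counts are my own. It computes the estimated token size for a given number of "expensive" SIDs (d) and "cheap" SIDs (s), flags when the estimate would not fit the 65535-byte receive buffer the article describes, and solves the formula for how many more d-type memberships fit before that buffer overflows.

```python
# Token size estimate from Microsoft KB 327825 as quoted in the thread:
#   TokenSize = 1200 + 40d + 8s
# The 65535-byte figure is the fixed receive buffer the same article
# describes. Constants and names below are mine, not FreeIPA's.

TICKET_OVERHEAD = 1200          # bytes; KB estimate, varies with names etc.
COST_PER_D = 40                 # bytes per domain-local / foreign-universal / SID-history entry
COST_PER_S = 8                  # bytes per global / in-domain universal group
RECEIVE_BUFFER_LIMIT = 65535    # bytes; the KB's recommended maximum


def estimate_token_size(d: int, s: int) -> int:
    """Return the KB 327825 estimate for d 'expensive' and s 'cheap' SIDs."""
    if d < 0 or s < 0:
        raise ValueError("group counts must be non-negative")
    return TICKET_OVERHEAD + COST_PER_D * d + COST_PER_S * s


def exceeds_buffer(d: int, s: int, limit: int = RECEIVE_BUFFER_LIMIT) -> bool:
    """True when the estimated token would not fit the receive buffer."""
    return estimate_token_size(d, s) > limit


def remaining_d_memberships(d: int, s: int, limit: int = RECEIVE_BUFFER_LIMIT) -> int:
    """How many further d-type memberships fit before the estimate passes `limit`.

    Solves 1200 + 40(d + x) + 8s <= limit for the largest integer x >= 0.
    Returns 0 if the account is already at or over the limit.
    """
    headroom = limit - estimate_token_size(d, s)
    return max(0, headroom // COST_PER_D)


if __name__ == "__main__":
    # Constructed sample: a user in 100 domain-local and 50 global groups.
    d, s = 100, 50
    print("estimate:", estimate_token_size(d, s), "bytes")
    print("exceeds 64 KB buffer:", exceeds_buffer(d, s))
    print("d-type memberships left before overflow:", remaining_d_memberships(d, s))
```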