C Driver / CDRIVER-3486

libsasl buffer overflow with oversized kerberos msgs

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.17.0-beta, 1.17.0
    • Affects Version/s: 1.13.0
    • Component/s: auth, network
    • Labels:
      None
    • Environment:
      Linux client authenticating to Active Directory with GSSAPI (kerberos) authmech

      Symptoms:

      Driver exception message "SASL Failure: (-3): overflowed buffer: generic server error" manifests when the Kerberos ticket size exceeds the driver's predefined SASL 4K buffer.

      This is confirmed also via a stack trace of the driver:

      I0109 12:28:52.877523 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():317 Created new sasl client successfully
      I0109 12:28:52.877530 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 0 ok is 0, continue=1 interact=2
      I0109 12:28:52.880652 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_start():329 Started the sasl client successfully
      I0109 12:28:52.880681 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: 1 ok is 0, continue=1 interact=2
      I0109 12:28:52.880690 24645 xxx.cpp:606] mongocxx::CYRUS-SASL:TRACE: _mongoc_cyrus_is_failure():238 Got status: -3 ok is 0, continue=1 interact=2
      

      Preliminary tests of increasing the buffer size appear to resolve the issue, though it is not clear if doing this has any knock-on effects. Also note, when calculating the buffer size, that the SASL payload is base64 encoded (thereby contributing to buffer bloat), and that the Windows MaxTokenSize is 48K, should you wish to consider interoperability with Active Directory.

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            luke.prochazka@mongodb.com Luke Prochazka
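The sizing concern raised in the description (a fixed 4K buffer, base64 expansion, a 48K MaxTokenSize), as an added example that is not the driver's code or part of the original report: a base64 encoder that refuses to write past its output buffer, plus the buffer size a token of a given length needs. The function names, the extra byte reserved for a NUL terminator, and reading 48K as 48 * 1024 bytes are assumptions; the -3 status mirrors the value in the trace above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed status codes; -3 mirrors the "(-3): overflowed buffer" status. */
enum { EX_OK = 0, EX_BUFOVER = -3 };

/* Bytes needed for n raw bytes as padded base64 plus a NUL (assumed layout). */
size_t b64_buf_needed(size_t n) { return 4 * ((n + 2) / 3) + 1; }

/* Encode into a caller-supplied buffer; fail instead of writing past outmax. */
int b64_encode_bounded(const unsigned char *in, size_t inlen,
                       char *out, size_t outmax, size_t *outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    if (b64_buf_needed(inlen) > outmax) return EX_BUFOVER;
    for (i = 0; i < inlen; i += 3) {
        size_t left = inlen - i;
        unsigned long v = (unsigned long)in[i] << 16;
        if (left > 1) v |= (unsigned long)in[i + 1] << 8;
        if (left > 2) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = left > 1 ? tbl[(v >> 6) & 63] : '=';
        out[o++] = left > 2 ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    if (outlen) *outlen = o;
    return EX_OK;
}

/* Encode a constructed all-zero token (not a real ticket) into buf_len bytes. */
int try_token(size_t token_len, size_t buf_len)
{
    unsigned char *tok = calloc(token_len + 1, 1);
    char *buf = malloc(buf_len + 1);
    int rc = (tok && buf) ? b64_encode_bounded(tok, token_len, buf, buf_len, NULL) : -1;
    free(tok); free(buf);
    return rc;
}

int main(void)
{
    printf("3069 B token, 4096 B buffer: %d\n", try_token(3069, 4096));
    printf("48K token, 4096 B buffer: %d\n", try_token(48 * 1024, 4096));
    printf("buffer needed for 48K token: %zu\n", b64_buf_needed(48 * 1024));
    return 0;
}
```

Under these assumptions a 4096-byte buffer stops fitting once the raw token passes 3069 bytes, well below the 48K ceiling mentioned in the description.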