https://community.netapp.com/t5/ONTAP-Discussions/Max-token-size-Kerberos/m-p/59793#M14025 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We've got a customer who complains one of his users can't reach a series of vFilers anymore.</P><P>After searching for a possible cause, we stripped all memberships of Active Directory groups, for a particular server.</P><P>We added him to 1 Ad group. In this situation it is possible to reach the vfilers.</P><P></P><P>We suspect that the Kerberos Token Size of this particular user is rather big due to extensive group nesting.</P><P></P><P>Is there a command I can issue to see the max token size setting for vFiler?</P><P>I read in <BR /><A href="https://kb.netapp.com/support/index?page=content&amp;id=3012217" target="_blank">NetApp Knowledgebase - What is maximum Kerberos token size that Data ONTAP 7G can process?</A><BR />that max token size is 12K but can be set to max 64K, the problem is I can't find where to set this.</P><P></P><P>Mentioned filers are still running on OnTap 7 versions so we are in the process of starting an upgrade project, but that will take a while.</P></BODY></HTML> Thu, 05 Jun 2025 06:10:04 GMT PJRINZEMA 2025-06-05T06:10:04Z https://community.netapp.com/t5/ONTAP-Discussions/Max-token-size-Kerberos/m-p/59793#M14025 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>We've got a customer who complains one of his users can't reach a series of vFilers anymore.</P><P>After searching for a possible cause, we stripped all memberships of Active Directory groups, for a particular server.</P><P>We added him to 1 Ad group. In this situation it is possible to reach the vfilers.</P><P></P><P>We suspect that the Kerberos Token Size of this particular user is rather big due to extensive group nesting.</P><P></P><P>Is there a command I can issue to see the max token size setting for vFiler?</P><P>I read in <BR /><A href="https://kb.netapp.com/support/index?page=content&amp;id=3012217" target="_blank">NetApp Knowledgebase - What is maximum Kerberos token size that Data ONTAP 7G can process?</A><BR />that max token size is 12K but can be set to max 64K, the problem is I can't find where to set this.</P><P></P><P>Mentioned filers are still running on OnTap 7 versions so we are in the process of starting an upgrade project, but that will take a while.</P></BODY></HTML> Thu, 05 Jun 2025 06:10:04 GMT https://community.netapp.com/t5/ONTAP-Discussions/Max-token-size-Kerberos/m-p/59793#M14025 PJRINZEMA 2025-06-05T06:10:04Z https://community.netapp.com/t5/ONTAP-Discussions/Max-token-size-Kerberos/m-p/59796#M14027 <HTML><HEAD></HEAD><BODY><P>Got a response from IBM support, thought I'd share</P><P></P><P><STRONG><EM style="color: red; font-size: 12.0pt; font-family: 'Times New Roman','serif';">"I'm not aware of any settings which can be done on the filer.<BR /> I assume you refer to the kb-id3012217 for the limits.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <BR /> <A href="https://kb.netapp.com/support/index?page=content&amp;id=3012217" target="_blank">https://kb.netapp.com/support/index?page=content&amp;id=3012217</A>.<BR /> . <BR /> This confirms the filer can handle up to 64K in 7-mode, so any changes&nbsp; <BR /> from default 12k on client needs to be done on client and not on the filer"</EM></STRONG></P><P><STRONG><EM style="color: red; font-size: 12.0pt; font-family: 'Times New Roman','serif';"><BR /></EM></STRONG></P></BODY></HTML> Mon, 18 Feb 2013 12:38:14 GMT https://community.netapp.com/t5/ONTAP-Discussions/Max-token-size-Kerberos/m-p/59796#M14027 PJRINZEMA 2013-02-18T12:38:14Z https://community.netapp.com/t5/ONTAP-Discussions/Max-token-size-Kerberos/m-p/59801#M14031 <HTML><HEAD></HEAD><BODY><P>We are encountering this problem with our ClusterMode NetApp environment.&nbsp; The issue doesn't seem to be limited to tokens that are very big or very small but rather "OF SPECIFIC SIZES".&nbsp;&nbsp; Adding or removing groups can reset the token resolving the issue OR recreating the issue for an individual client.&nbsp; </P><P></P><P><SPAN style="color: #1f497d;"><A href="http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&amp;Display=677927" target="_blank">http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&amp;Display=677927</A></SPAN></P><P></P><P>So far the only way to detect the problem is by the user complaining about lack of connectivity.&nbsp;&nbsp; There are no logs that can be monitored to identify which users are encountering the issue.&nbsp; If fact we had to run a workstation wireshark trace to actually capture the kerberos failure to identify the problem.&nbsp;&nbsp; This is a user specific problem so if follows the user around from machine to machine.&nbsp; No registry or GPO fix can be applied at the AD group level. </P><P></P><P>Considering we have thousands of clients attempting to attach to this NAS,&nbsp; domain membership chainging mulitiple times a day and no way to forever fix the problem this bug is preventing us from moving forward with additional migrations.</P></BODY></HTML> Thu, 25 Apr 2013 15:13:49 GMT https://community.netapp.com/t5/ONTAP-Discussions/Max-token-size-Kerberos/m-p/59801#M14031 EVILUTION 2013-04-25T15:13:49Z