Some Kerberos implementations like Active Directory ny default include a PAC with authorization data in each ticket. This extra field inflates ticket sizes from a few hundred bytes to several kB. The current code in gss_cli_upcall.c::gss_do_ctx_init_rpc() limits GSSAPI tokens to 976 bytes. It triggers an LASSERT(size >= (sizeof(__u32) + token_size)) if larger tokens are passed down, ie. kerberized Lustre clients usually crash when used in an Active Directory (or similar) environment.

There is a workaround to reconfigure the Lustre service accounts in Active Directory not to include a PAC in tickets. (The PAC is not evaluated by Lustre.) If Lustre should be able to work in Active Directory environments without requiring special settings, it needs to be able to handle larger ticket sizes. At least, it should handle this error gracefully without triggering an LASSERT/LBUG.