On 25.04.2024 23:25, Sam Hartman wrote:
How are you actually triggering the GSS-API authentication?
ldapsearch in all cases?
And you are confident that libkrb5 is triggering the reverse lookup not
your application?
(I realize that you may be using the same application on Debian and RH,
but there could be differences in the application code).

It's ldapsearch in all cases with libsasl2-modules-gssapi-mit:amd64 2.1.28+dfsg-10 on Debian and cyrus-sasl-gssapi-2.1.27-6.el8_5.x86_64 on the RHEL machine.

However that ldapsearch is just the way we found most convenient to test it quickly. The actual trigger in real-life was a failing AD join with adcli

I can't 100% confidently say the reverse lookup is actually made by libkrb5 itself. It very well may be from somewhere else, it's just the only pointer I got from looking at the behaviour.

We actually found out the customer has some other AD DCs which do NOT have that second PTR record to emea.example.com. If we explicitly use one of those everything is working as expected. Also same effect if we just force-override the DC hostname in /etc/hosts. That at least kinda confirmed to me it is probably reverse DNS related.

Cheers
Lukas
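The symptom above (a DC whose address has a second PTR record pointing into another domain, and everything working once a DC without that record is used) can be checked for systematically. The following script is an added example for this thread, not code from Lukas, Sam, or any of the packages named; the hostnames, addresses and PTR names in it are constructed sample data, and the live lookup helpers only wrap the system resolver.

```python
import socket

# Constructed sample DNS data (not taken from the thread). Forward map:
# hostname -> addresses. Reverse map: address -> PTR names. dc1 carries a
# second PTR into a different domain, which is the situation being discussed.
SAMPLE_FORWARD = {
    "dc1.corp.example.com": ["192.0.2.10"],
    "dc2.corp.example.com": ["192.0.2.11"],
}
SAMPLE_REVERSE = {
    "192.0.2.10": ["dc1.corp.example.com", "dc1.emea.example.com"],
    "192.0.2.11": ["dc2.corp.example.com"],
}


def sample_forward(host):
    return SAMPLE_FORWARD.get(host, [])


def sample_reverse(addr):
    return SAMPLE_REVERSE.get(addr, [])


def _norm(name):
    return name.rstrip(".").lower()


def check_reverse_consistency(host, forward_lookup, reverse_lookup):
    """Resolve host, reverse-resolve every address, and report any PTR name
    that does not match the name we started from. A client that canonicalizes
    the service host via reverse DNS may end up requesting a ticket for one of
    those other names, so each mismatch is flagged."""
    host = _norm(host)
    findings = []
    addrs = forward_lookup(host)
    if not addrs:
        findings.append({"address": None, "problem": "no_forward_record", "names": []})
    for addr in addrs:
        ptrs = [_norm(p) for p in reverse_lookup(addr)]
        if host not in ptrs:
            findings.append({"address": addr, "problem": "missing_ptr", "names": ptrs})
        extra = [p for p in ptrs if p != host]
        if extra:
            findings.append({"address": addr, "problem": "extra_ptr", "names": extra})
    return {"host": host, "addresses": addrs, "consistent": not findings, "findings": findings}


def live_forward(host):
    """Forward lookup through the system resolver (both A and AAAA)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def live_reverse(addr):
    """Reverse lookup through the system resolver. Note that gethostbyaddr
    returns one canonical name plus aliases as the resolver reports them,
    which may not be every PTR record; `dig -x <addr>` shows the full set."""
    try:
        name, aliases, _ = socket.gethostbyaddr(addr)
    except socket.herror:
        return []
    return [name] + list(aliases)


if __name__ == "__main__":
    for dc in SAMPLE_FORWARD:
        report = check_reverse_consistency(dc, sample_forward, sample_reverse)
        state = "ok" if report["consistent"] else "MISMATCH"
        print(f"{dc}: {state}")
        for f in report["findings"]:
            print(f"  {f['address']}: {f['problem']} {f['names']}")
```

Running it against real DCs means calling `check_reverse_consistency("dc1.corp.example.com", live_forward, live_reverse)` on the affected client, since the answer depends on which resolver that client uses. As a related fact about libkrb5 itself: its `[libdefaults]` setting `rdns` controls whether reverse DNS is consulted when canonicalizing the host part of a service principal, so comparing that setting between the Debian and RHEL machines is a cheap way to narrow down whether the difference lies in libkrb5 or elsewhere.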
