On 26.04.2024 10:06, Lukas Grässlin wrote:
On 25.04.2024 23:25, Sam Hartman wrote:
How are you actually triggering the GSS-API authentication?
ldapsearch in all cases?
And you are confident that libkrb5 is triggering the reverse lookup not
your application?
(I realize that you may be using the same application on Debian and RH,
but there could be differences in the application code).

It's ldapsearch in all cases with libsasl2-modules-gssapi-mit:amd64 2.1.28+dfsg-10 on Debian and cyrus-sasl-gssapi-2.1.27-6.el8_5.x86_64 on the RHEL machine.

However, that ldapsearch is just the way we found most convenient to test it quickly. The actual trigger in real life was a failing AD join with adcli.

As a follow-up on this I just found out that Red Hat apparently indeed sets the following in their /etc/openldap/ldap.conf:

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on

(https://bugzilla.redhat.com/show_bug.cgi?id=949864)

That's apparently the difference that still makes it fail on Debian/Ubuntu despite having "rdns = false" in Kerberos.

We might have to re-check the original issue with adcli; I guess that should not depend on ldapsearch, but it's good to know now how to fix ldapsearch as well, as we depend on it at other places too.

So with this new information it looks like it's not libkrb5 that ignores that option after all. I will do some re-checks, but I have to thank you for the rubber-ducking; we were kinda stuck in a debugging tunnel vision there, unfortunately.

Cheers
Lukas
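As an added audit example (not code from the thread, from Debian or from Red Hat), a POSIX shell check that reads a krb5.conf and an ldap.conf and reports whether both reverse-DNS canonicalisation switches the thread identifies are set, so a client is not silently asking for a service principal chosen by PTR records at the SASL layer even though libkrb5 has rdns = false. The file paths are passed as arguments (Debian keeps the client file at /etc/ldap/ldap.conf, Red Hat at /etc/openldap/ldap.conf); the sample contents used for the check are constructed.

```shell
#!/bin/sh
# Added audit helper: report whether a client has BOTH settings needed for a
# GSSAPI ldapsearch to skip reverse-DNS canonicalisation of the server name:
#   krb5.conf  [libdefaults] rdns = false   (libkrb5 side)
#   ldap.conf  SASL_NOCANON on              (libldap/SASL side, Red Hat's default)
# Paths are passed in so the check can run against constructed sample files.

# Print "true"/"false"/"unset" for rdns inside [libdefaults] only; an rdns line
# in any other section is ignored, as libkrb5 would ignore it.
krb5_rdns_value() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec && /^[[:space:]]*rdns[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]#].*$/, "")
            print tolower($0); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print "on"/"off"/"unset" for SASL_NOCANON in ldap.conf; comment lines are
# skipped, so a commented-out "# SASL_NOCANON on" still reports "unset".
ldap_sasl_nocanon_value() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "sasl_nocanon" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Usage: check_gssapi_canon_settings /path/krb5.conf /path/ldap.conf
# Exit 0 when both layers skip canonicalisation, 1 otherwise, naming the layer
# that would still canonicalise via reverse DNS.
check_gssapi_canon_settings() {
    rdns=$(krb5_rdns_value "$1")
    nocanon=$(ldap_sasl_nocanon_value "$2")
    ok=0
    [ "$rdns" = "false" ] || { echo "krb5.conf: rdns is '$rdns', expected false"; ok=1; }
    [ "$nocanon" = "on" ] || { echo "ldap.conf: SASL_NOCANON is '$nocanon', expected on"; ok=1; }
    return $ok
}
```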