** Description changed: We have a scenario where we need to disable reverse lookups for canonicalization in Kerberos as the customer's PTR records are not consistent and lead to wrongly requested SPNs otherwise (see https://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html#reverse- dns-mismatches) - Therfore we have set "rdns = false" in /etc/krb5.conf as follows: + Therefore we have set "rdns = false" in /etc/krb5.conf as follows: # cat /etc/krb5.conf [libdefaults] udp_preference_limit = 0 default_realm = EMEA.EXAMPLE.COM rdns = false However this setting seems to get ignored for some reason. I tried to do - some debugging and comparison as we don't have the same issue for + some debugging and comparisons as we don't have the same issue for example on a RHEL8 (using krb5-libs-1.18.2-26.el8_9.x86_64) machine. On those RHEL machines the setting seems to do exactly what it's supposed to, in fact I can reproduce the issue we have on Ubuntu on RHEL as well if I remove the "rdns = false" line from the configuration. Kerberos authentication (in our test we use a simple ldapsearch with GSSAPI auth) fails then randomly as it sometimes gets a wrong SPN due to using a wrong PTR for canonicalization. On our Ubuntu 22.04 LTS (with libkrb5-3:amd64 1.19.2-2ubuntu0.3) however - the setting does not seem to have any effect. + the setting does not seem to have any effect. I then re-did the same + test with Debian oldstable, stable and sid as well, all with the exact + same result. - I actually run a tcpdump while trying to do a Kerberos auth with the + I actually ran a tcpdump while trying to do a Kerberos auth with the "rdns = false" setting in place and I can still see the reverse lookup - being performed in the tcpdump (anonymized some things so don't get + being performed in the tcpdump (I anonymized some things so don't get confused about the IPs): 10:47:58.382684 IP 1.2.3.4.55001 > 123.123.123.123.53: 12962+ [1au] A? domaincontroller01.emea.example.com. (55) 10:47:58.382809 IP 1.2.3.4.37669 > 123.123.123.123.53: 38376+ [1au] AAAA? domaincontroller01.emea.example.com. (55) 10:47:58.412041 IP 123.123.123.123.53 > 1.2.3.4.37669: 38376* 0/1/1 (143) - 10:47:58.412564 IP 123.123.123.123.53 > 1.2.3.4.55001: 12962* 1/9/10 A 10.145.214.16 (602) - 10:47:58.442326 IP 1.2.3.4.51232 > 123.123.123.123.53: 16995+ [1au] PTR? 16.214.145.10.in-addr.arpa. (55) + 10:47:58.412564 IP 123.123.123.123.53 > 1.2.3.4.55001: 12962* 1/9/10 A 5.6.7.8 (602) + 10:47:58.442326 IP 1.2.3.4.51232 > 123.123.123.123.53: 16995+ [1au] PTR? 8.7.6.5.in-addr.arpa. (55) 10:47:58.471669 IP 123.123.123.123.53 > 1.2.3.4.51232: 16995 2/2/3 PTR emea.example.com., PTR DOMAINCONTROLLER.emea.example.com. (238) As you see there it does the PTR lookup and retrieves two entries (emea.example.com and DOMAINCONTROLLER.emea.example.com) If I do the same test on the RHEL8 machine I can actually see in tcpdump that with the "rdns = false" setting the reverse lookup is correctly NOT performed. I am a bit puzzled why this is the case as I have not seen other people - reporting it even though in a quick test I was also able to get the same - wrong result with Debian stable. + reporting it (maybe everyone else has their reverse DNS under control + ;)) even though as said in a quick test I was also able to get the same + wrong result with multiple Debian releases and the mentioned Ubuntu + release. The only thing I've found in the past where this exact issue was - mentioned as many years ago: + mentioned was many years ago: https://mailman.mit.edu/pipermail/krb5-bugs/2011-June/008684.html However this has been fixed ever since. I have not done yet any actual code comparison with the version that RHEL uses, also I'm not sure if - the issue is even there or (as in that recent bug linked above) might - come from some glibc issue? + the issue actually really exists in libkrb5 itself or if it might be a + sideeffect from some other lib. How to reproduce on your own: Even if you don't have erroneous reverse DNS entries you could still try to reproduce it by just looking at tcpdump and checking if you see reverse lookups performed with and without the option. - - I attached the apport for libkrb5 but let me know if something else is - needed.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/2063443 Title: krb5.conf seems to ignore rdns = false Status in krb5 package in Ubuntu: New Bug description: We have a scenario where we need to disable reverse lookups for canonicalization in Kerberos as the customer's PTR records are not consistent and lead to wrongly requested SPNs otherwise (see https://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html#reverse- dns-mismatches) Therefore we have set "rdns = false" in /etc/krb5.conf as follows: # cat /etc/krb5.conf [libdefaults] udp_preference_limit = 0 default_realm = EMEA.EXAMPLE.COM rdns = false However this setting seems to get ignored for some reason. I tried to do some debugging and comparisons as we don't have the same issue for example on a RHEL8 (using krb5-libs-1.18.2-26.el8_9.x86_64) machine. On those RHEL machines the setting seems to do exactly what it's supposed to, in fact I can reproduce the issue we have on Ubuntu on RHEL as well if I remove the "rdns = false" line from the configuration. Kerberos authentication (in our test we use a simple ldapsearch with GSSAPI auth) fails then randomly as it sometimes gets a wrong SPN due to using a wrong PTR for canonicalization. On our Ubuntu 22.04 LTS (with libkrb5-3:amd64 1.19.2-2ubuntu0.3) however the setting does not seem to have any effect. I then re-did the same test with Debian oldstable, stable and sid as well, all with the exact same result. I actually ran a tcpdump while trying to do a Kerberos auth with the "rdns = false" setting in place and I can still see the reverse lookup being performed in the tcpdump (I anonymized some things so don't get confused about the IPs): 10:47:58.382684 IP 1.2.3.4.55001 > 123.123.123.123.53: 12962+ [1au] A? domaincontroller01.emea.example.com. (55) 10:47:58.382809 IP 1.2.3.4.37669 > 123.123.123.123.53: 38376+ [1au] AAAA? domaincontroller01.emea.example.com. (55) 10:47:58.412041 IP 123.123.123.123.53 > 1.2.3.4.37669: 38376* 0/1/1 (143) 10:47:58.412564 IP 123.123.123.123.53 > 1.2.3.4.55001: 12962* 1/9/10 A 5.6.7.8 (602) 10:47:58.442326 IP 1.2.3.4.51232 > 123.123.123.123.53: 16995+ [1au] PTR? 8.7.6.5.in-addr.arpa. (55) 10:47:58.471669 IP 123.123.123.123.53 > 1.2.3.4.51232: 16995 2/2/3 PTR emea.example.com., PTR DOMAINCONTROLLER.emea.example.com. (238) As you see there it does the PTR lookup and retrieves two entries (emea.example.com and DOMAINCONTROLLER.emea.example.com) If I do the same test on the RHEL8 machine I can actually see in tcpdump that with the "rdns = false" setting the reverse lookup is correctly NOT performed. I am a bit puzzled why this is the case as I have not seen other people reporting it (maybe everyone else has their reverse DNS under control ;)) even though as said in a quick test I was also able to get the same wrong result with multiple Debian releases and the mentioned Ubuntu release. The only thing I've found in the past where this exact issue was mentioned was many years ago: https://mailman.mit.edu/pipermail/krb5-bugs/2011-June/008684.html However this has been fixed ever since. I have not done yet any actual code comparison with the version that RHEL uses, also I'm not sure if the issue actually really exists in libkrb5 itself or if it might be a sideeffect from some other lib. How to reproduce on your own: Even if you don't have erroneous reverse DNS entries you could still try to reproduce it by just looking at tcpdump and checking if you see reverse lookups performed with and without the option. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2063443/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp