Full_Name: Calvin Winkowski Version: 2.4.41 OS: ArchLinux URL: Submission from: (NULL) (2001:468:c80:a202:3b1d:f567:f43c:7b3a)
When using ldapsearch GSSAPI mechanism with a server whose reverse DNS name doesn't match its DNS name, ldapsearch will do the DNS lookups and hand the reverse DNS entry to GSSAPI. If the reverse DNS entry is not what is used by kerberos then kerberos will fail. There are settings in /etc/krb5.conf to disable canonicalizing the hostname provided.
I have a server with a record example.ad.example.com whose PTR record is example.example.com, but the realm is ad.example.com and its entry in the kerberos database is example.ad.example.com, not example.example.com.
If I execute the command `ldapsearch -b "" -s base -Y GSSAPI -D "dn" -H ldap://example.ad.example.com`, GSSAPI will submit a ticket request for example.example.com instead and result in a failure. All other services I've tested with this setup (disabling reverse DNS in kerberos) do not give the PTR record, but the user-provided hostname. These include mbsync, msmtp, and another ldap utility. I believe that the correct behaviour should be to provide the hostname given to the utility to GSSAPI. I can provide packet captures illustrating the incorrect lookup if needed.
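The layering the report describes, as an added model rather than OpenLDAP or MIT Kerberos code: if the client replaces the URL host with its PTR name before calling GSSAPI, the `rdns = false` knob in krb5.conf never sees the original name. The DNS tables, the address 192.0.2.10 and the realm spelling are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed DNS data mirroring the report: the forward (A) record and the
# PTR record for the same address disagree. Real lookups are replaced by
# these tables so the script runs offline.
FORWARD = {"example.ad.example.com": "192.0.2.10"}
REVERSE = {"192.0.2.10": "example.example.com"}
REALM = "AD.EXAMPLE.COM"  # constructed realm name for the example


def krb5_canonicalize(host, rdns=True):
    """Host name libkrb5 would use in the service principal.

    rdns=True models the default; rdns=False models `rdns = false` in the
    [libdefaults] section of krb5.conf, which keeps the forward name."""
    addr = FORWARD.get(host)
    if addr is None or not rdns:
        return host
    return REVERSE.get(addr, host)


def gssapi_principal(url, app_reverse_lookup, rdns=True, service="ldap"):
    """Service principal a client ends up requesting for an ldap:// URL.

    app_reverse_lookup=True models a client that swaps the user-supplied
    host for its PTR name *before* handing it to GSSAPI (the reported
    behaviour); False models passing the URL host through unchanged."""
    host = urlsplit(url).hostname
    if app_reverse_lookup:
        addr = FORWARD.get(host)
        if addr is not None:
            host = REVERSE.get(addr, host)
    return f"{service}/{krb5_canonicalize(host, rdns)}@{REALM}"


def forward_reverse_mismatch(host):
    """Return the PTR name when it differs from the forward name, else None."""
    addr = FORWARD.get(host)
    if addr is None:
        return None
    ptr = REVERSE.get(addr)
    return ptr if ptr and ptr != host else None


if __name__ == "__main__":
    url = "ldap://example.ad.example.com"
    print("rdns=false, client does its own PTR lookup:",
          gssapi_principal(url, app_reverse_lookup=True, rdns=False))
    print("rdns=false, client passes URL host through:",
          gssapi_principal(url, app_reverse_lookup=False, rdns=False))
    print("forward/PTR mismatch:",
          forward_reverse_mismatch("example.ad.example.com"))
```

`forward_reverse_mismatch` is the check to run first when a GSSAPI bind fails against a host whose PTR record was not chosen with Kerberos in mind.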