(ITS#8206) ldapsearch incorrectly canonicalizes dns names for GSSAPI



Full_Name: Calvin Winkowski
Version: 2.4.41
OS: ArchLinux
URL: 
Submission from: (NULL) (2001:468:c80:a202:3b1d:f567:f43c:7b3a)


When using ldapsearch GSSAPI mechanism with a server whose reverse DNS name
doesn't match its DNS name, ldapsearch will do the DNS lookups and hand the
reverse DNS entry to GSSAPI. If the reverse DNS entry is not what is used by
kerberos then kerberos will fail. There are settings in /etc/krb5.conf to
disable canonicalizing the hostname provided.

I have a server with a record example.ad.example.com whose PTR record is
example.example.com, but the realm is ad.example.com and its entry in the
kerberos database is example.ad.example.com, not example.example.com.

If I execute the command ``ldapsearch -b "" -s base -Y GSSAPI -D "dn" -H
ldap://example.ad.example.com'' GSSAPI will submit a ticket request for
example.example.com instead and result in a failure. All other services I've
tested with this setup (disabling reverse dns in kerberos) do not give the PTR
record, but the user provided hostname. These include mbsync, msmtp, and another
ldap utility. I believe that the correct behaviour should be to provide the
hostname provided to the utility to GSSAPI. I can provide packet captures
illustrating the incorrect lookup if needed.
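Added illustration, not part of the report or of OpenLDAP: a small Python model of the two principal derivations the report contrasts, using constructed DNS zone data and a constructed KDC database mirroring the example names. The `rdns` flag stands in for the MIT krb5 `[libdefaults]` setting `rdns = false`, one of the krb5.conf settings that disables reverse-DNS canonicalization.

```python
"""Model of how a GSSAPI client derives the LDAP service principal
from the hostname it was given, with and without reverse-DNS
canonicalization.  Constructed DNS and KDC data stand in for real lookups."""

# Constructed zone data mirroring the report: the A record lives under
# ad.example.com, but the PTR record for the same address points back
# under example.com.
FORWARD = {"example.ad.example.com": "192.0.2.10"}   # constructed A records
REVERSE = {"192.0.2.10": "example.example.com"}      # constructed PTR records
# Constructed Kerberos database: only the ad.example.com name has a key.
KDC_PRINCIPALS = {"ldap/example.ad.example.com@AD.EXAMPLE.COM"}


def canonicalize(host: str, rdns: bool) -> str:
    """Return the hostname a canonicalizing client would hand to GSSAPI.

    rdns=True models the default behaviour the report describes:
    forward-resolve the name, then substitute the PTR name for it.
    rdns=False models krb5.conf [libdefaults] rdns = false, which keeps
    the name the user supplied.
    """
    host = host.rstrip(".").lower()
    if not rdns:
        return host
    addr = FORWARD.get(host)
    if addr is None:
        return host           # unresolvable: fall back to the given name
    return REVERSE.get(addr, host)


def service_principal(host: str, realm: str, rdns: bool) -> str:
    """Build the ldap/<host>@<REALM> principal the client asks the KDC for."""
    return f"ldap/{canonicalize(host, rdns)}@{realm.upper()}"


def kdc_has_key(principal: str) -> bool:
    """True if the (constructed) KDC could issue a ticket for this principal."""
    return principal in KDC_PRINCIPALS


if __name__ == "__main__":
    for rdns in (True, False):
        p = service_principal("example.ad.example.com", "ad.example.com", rdns)
        outcome = "ticket issued" if kdc_has_key(p) else "KDC: unknown principal"
        print(f"rdns={rdns!s:5} -> {p}: {outcome}")
```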