[Bug 2063443] Re: krb5.conf seems to ignore rdns = false

Lukas Grässlin 2063443 at bugs.launchpad.net
Thu Apr 25 12:24:00 UTC 2024 

** Description changed:

  We have a scenario where we need to disable reverse lookups for
  canonicalization in Kerberos as the customer's PTR records are not
- consistent and lead to wrongly requested SPNs otherwise.
+ consistent and lead to wrongly requested SPNs otherwise (see
+ https://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html#reverse-
+ dns-mismatches)
  
  Therfore we have set "rdns = false" in /etc/krb5.conf as follows:
  
  # cat /etc/krb5.conf
  
  [libdefaults]
  udp_preference_limit = 0
  default_realm = EMEA.EXAMPLE.COM
  rdns = false
  
  However this setting seems to get ignored for some reason. I tried to do
  some debugging and comparison as we don't have the same issue for
  example on a RHEL8 (using krb5-libs-1.18.2-26.el8_9.x86_64) machine.
  
  On those RHEL machines the setting seems to do exactly what it's
  supposed to, in fact I can reproduce the issue we have on Ubuntu on RHEL
  as well if I remove the "rdns = false" line from the configuration.
  
  Kerberos authentication (in our test we use a simple ldapsearch with
  GSSAPI auth) fails then randomly as it sometimes gets a wrong SPN due to
  using a wrong PTR for canonicalization.
  
  On our Ubuntu 22.04 LTS (with libkrb5-3:amd64 1.19.2-2ubuntu0.3) however
  the setting does not seem to have any effect.
  
  I actually run a tcpdump while trying to do a Kerberos auth with the
  "rdns = false" setting in place and I can still see the reverse lookup
  being performed in the tcpdump (anonymized some things so don't get
  confused about the IPs):
  
  10:47:58.382684 IP 1.2.3.4.55001 > 123.123.123.123.53: 12962+ [1au] A? domaincontroller01.emea.example.com. (55)
  10:47:58.382809 IP 1.2.3.4.37669 > 123.123.123.123.53: 38376+ [1au] AAAA? domaincontroller01.emea.example.com. (55)
  10:47:58.412041 IP 123.123.123.123.53 > 1.2.3.4.37669: 38376* 0/1/1 (143)
  10:47:58.412564 IP 123.123.123.123.53 > 1.2.3.4.55001: 12962* 1/9/10 A 10.145.214.16 (602)
  10:47:58.442326 IP 1.2.3.4.51232 > 123.123.123.123.53: 16995+ [1au] PTR? 16.214.145.10.in-addr.arpa. (55)
  10:47:58.471669 IP 123.123.123.123.53 > 1.2.3.4.51232: 16995 2/2/3 PTR emea.example.com., PTR DOMAINCONTROLLER.emea.example.com. (238)
  
- 
- As you see there it does the PTR lookup and retrieves two entries (emea.example.com and DOMAINCONTROLLER.emea.example.com)
+ As you see there it does the PTR lookup and retrieves two entries
+ (emea.example.com and DOMAINCONTROLLER.emea.example.com)
  
  If I do the same test on the RHEL8 machine I can actually see in tcpdump
  that with the "rdns = false" setting the reverse lookup is correctly NOT
  performed.
  
  I am a bit puzzled why this is the case as I have not seen other people
  reporting it even though in a quick test I was also able to get the same
  wrong result with Debian stable.
  
  The only thing I've found in the past where this exact issue was
  mentioned as many years ago:
  https://mailman.mit.edu/pipermail/krb5-bugs/2011-June/008684.html
  
  However this has been fixed ever since. I have not done yet any actual
  code comparison with the version that RHEL uses, also I'm not sure if
  the issue is even there or (as in that recent bug linked above) might
  come from some glibc issue?
  
  How to reproduce on your own:
  Even if you don't have erroneous reverse DNS entries you could still try to reproduce it by just looking at tcpdump and checking if you see reverse lookups performed with and without the option.
  
  I attached the apport for libkrb5 but let me know if something else is
  needed.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/2063443

Title:
  krb5.conf seems to ignore rdns = false

Status in Kerberos:
  New
Status in krb5 package in Ubuntu:
  New

Bug description:
  We have a scenario where we need to disable reverse lookups for
  canonicalization in Kerberos as the customer's PTR records are not
  consistent and lead to wrongly requested SPNs otherwise (see
  https://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html#reverse-
  dns-mismatches)

  Therfore we have set "rdns = false" in /etc/krb5.conf as follows:

  # cat /etc/krb5.conf

  [libdefaults]
  udp_preference_limit = 0
  default_realm = EMEA.EXAMPLE.COM
  rdns = false

  However this setting seems to get ignored for some reason. I tried to
  do some debugging and comparison as we don't have the same issue for
  example on a RHEL8 (using krb5-libs-1.18.2-26.el8_9.x86_64) machine.

  On those RHEL machines the setting seems to do exactly what it's
  supposed to, in fact I can reproduce the issue we have on Ubuntu on
  RHEL as well if I remove the "rdns = false" line from the
  configuration.

  Kerberos authentication (in our test we use a simple ldapsearch with
  GSSAPI auth) fails then randomly as it sometimes gets a wrong SPN due
  to using a wrong PTR for canonicalization.

  On our Ubuntu 22.04 LTS (with libkrb5-3:amd64 1.19.2-2ubuntu0.3)
  however the setting does not seem to have any effect.

  I actually run a tcpdump while trying to do a Kerberos auth with the
  "rdns = false" setting in place and I can still see the reverse lookup
  being performed in the tcpdump (anonymized some things so don't get
  confused about the IPs):

  10:47:58.382684 IP 1.2.3.4.55001 > 123.123.123.123.53: 12962+ [1au] A? domaincontroller01.emea.example.com. (55)
  10:47:58.382809 IP 1.2.3.4.37669 > 123.123.123.123.53: 38376+ [1au] AAAA? domaincontroller01.emea.example.com. (55)
  10:47:58.412041 IP 123.123.123.123.53 > 1.2.3.4.37669: 38376* 0/1/1 (143)
  10:47:58.412564 IP 123.123.123.123.53 > 1.2.3.4.55001: 12962* 1/9/10 A 10.145.214.16 (602)
  10:47:58.442326 IP 1.2.3.4.51232 > 123.123.123.123.53: 16995+ [1au] PTR? 16.214.145.10.in-addr.arpa. (55)
  10:47:58.471669 IP 123.123.123.123.53 > 1.2.3.4.51232: 16995 2/2/3 PTR emea.example.com., PTR DOMAINCONTROLLER.emea.example.com. (238)

  As you see there it does the PTR lookup and retrieves two entries
  (emea.example.com and DOMAINCONTROLLER.emea.example.com)

  If I do the same test on the RHEL8 machine I can actually see in
  tcpdump that with the "rdns = false" setting the reverse lookup is
  correctly NOT performed.

  I am a bit puzzled why this is the case as I have not seen other
  people reporting it even though in a quick test I was also able to get
  the same wrong result with Debian stable.

  The only thing I've found in the past where this exact issue was
  mentioned as many years ago:
  https://mailman.mit.edu/pipermail/krb5-bugs/2011-June/008684.html

  However this has been fixed ever since. I have not done yet any actual
  code comparison with the version that RHEL uses, also I'm not sure if
  the issue is even there or (as in that recent bug linked above) might
  come from some glibc issue?

  How to reproduce on your own:
  Even if you don't have erroneous reverse DNS entries you could still try to reproduce it by just looking at tcpdump and checking if you see reverse lookups performed with and without the option.

  I attached the apport for libkrb5 but let me know if something else is
  needed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/kerberos/+bug/2063443/+subscriptions

More information about the foundations-bugs mailing list