For some time we have been recommending people use the setting "rdns =
false" in the "[libdefaults]" section. However, recently we have run
across one case where that setting is causing an issue.
A client is running a Perl script where, using Net::LDAP, they make a
GSSAPI connection to our load-balanced endpoint. The endpoint they
connect to is "ldap.example.com". The DNS looks like this:
ldap.example.com is a CNAME for ldap.best.example.com
ldap.best.example.com is a CNAME for ldap-lb.example.com
ldap-lb.example.com is an A record
If rdns is set to "true" then everything works. However, when set to
"false" we see the message "Error: Unspecified GSS failure. Minor code
may provide more information (Cannot determine realm for numeric host
address)".
The "Cannot determine realm for numeric host address" message suggests
that the Kerberos client is trying to get a ticket for an IP address.
Note: I realize that this may not be a Heimdal issue since the client
uses MIT Kerberos, but I thought I'd take a stab at someone on this list
having a useful suggestion.
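As an added illustration (this is not the poster's Perl script and not code from MIT Kerberos or Heimdal), the small Python model below follows a CNAME chain like the one in the post and derives the host-based service principal under rdns=true and rdns=false. It is a simplified model of client-side hostname canonicalization: forward lookup to the canonical name, plus a reverse (PTR) lookup only when rdns is on. The DNS table, the address 192.0.2.10, its PTR record and the realm EXAMPLE.COM are constructed for the example. For a proper hostname both settings end up at the same principal; the settings diverge when the library is handed an IP literal, which is one situation that produces the "numeric host address" message. Whether that is what the script in the post is doing is not established by the post itself.

```python
"""Simplified model of Kerberos host canonicalization under rdns=true/false.

Added example, not the poster's script and not krb5 library code.
Assumptions: the forward/PTR records and the realm are constructed, and
the canonicalization rules are a simplified model of the client's
behaviour when dns_canonicalize_hostname is enabled.
"""
import ipaddress

# Constructed forward records modelled on the chain described in the post.
DNS = {
    "ldap.example.com": ("CNAME", "ldap.best.example.com"),
    "ldap.best.example.com": ("CNAME", "ldap-lb.example.com"),
    "ldap-lb.example.com": ("A", "192.0.2.10"),  # constructed address
}
# Constructed reverse (PTR) record for the A record above.
PTR = {"192.0.2.10": "ldap-lb.example.com"}

MAX_CNAME_HOPS = 8  # guard against CNAME loops
DEFAULT_REALM = "EXAMPLE.COM"  # assumed realm for the example


class NumericHostError(Exception):
    """Raised when the name handed to realm lookup is still an IP address."""


def is_numeric(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def forward_lookup(name):
    """Follow CNAMEs to the canonical name and its address.

    Models getaddrinfo() with AI_CANONNAME: the canonical name is the
    final target of the CNAME chain, not the name the client typed.
    """
    for _ in range(MAX_CNAME_HOPS):
        rtype, target = DNS[name]  # KeyError stands in for NXDOMAIN here
        if rtype == "A":
            return name, target
        name = target
    raise RuntimeError("CNAME chain too long")


def canonicalize_host(host, rdns):
    """Return the hostname the library would put in the service principal."""
    host = host.rstrip(".").lower()
    if is_numeric(host):
        # Forward resolution of a literal address yields the address itself;
        # only a reverse lookup (rdns=true) can turn it back into a name.
        return PTR[host] if rdns else host
    canon, addr = forward_lookup(host)
    if rdns:
        # rdns=true: map the resolved address back through PTR as well.
        return PTR.get(addr, canon)
    return canon


def service_principal(service, host, rdns, realm=DEFAULT_REALM):
    """Build service/host@REALM, failing the way the post's error describes."""
    canon = canonicalize_host(host, rdns)
    if is_numeric(canon):
        raise NumericHostError("Cannot determine realm for numeric host address")
    return f"{service}/{canon}@{realm}"


def principal_or_error(service, host, rdns):
    """Convenience wrapper returning either the principal or the error text."""
    try:
        return service_principal(service, host, rdns)
    except NumericHostError as exc:
        return f"Error: {exc}"


if __name__ == "__main__":
    for host in ("ldap.example.com", "192.0.2.10"):
        for rdns in (True, False):
            print(f"host={host:<18} rdns={str(rdns).lower():<5} ->",
                  principal_or_error("ldap", host, rdns))
```

Running it prints the same principal (ldap/ldap-lb.example.com@EXAMPLE.COM) for the hostname under both settings, and only the IP-literal case with rdns=false ends in the "numeric host address" error. A useful check when chasing this kind of report is therefore to confirm what string the application actually passes to the GSSAPI layer as the target host, rather than assuming it is the name the user configured.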