Discovered this on my Mac yesterday when trying to validate that my Kerberos setup was correct. Embedded-ads sets up principals tied to localhost, but the dse driver was sending the ip address. This didn't match up with a principal (or server?) in embedded-ads and auth was rejected.
When creating the DSEGSSAPIAuthProvider, the user should be able to say "do host name lookups" or not (since a Kerberos server could have principals tied to hosts specified with ip addresses).