possible new project: better realm determination heuristics -- any takers?
raeburn at MIT.EDU
Mon Apr 7 14:54:45 EDT 2008
One area we're looking to improve our package is in configuration
requirements -- minimizing the need to manually set up the config file
on client hosts -- and realm determination, both of server hosts and
especially of the local host as a client, is a particular case of
this. Is anyone interested in making some improvements in this area?
Currently, we look for default_realm in the config file, and if that
doesn't work, and the compile-time and run-time configurations allow,
we try looking up some "_kerberos" TXT records in DNS, and then give
up. But our code for determining the realm of a server host does other
checks that we don't do for the local realm, like checking the current
hostname and parent domains in the domain_realm mapping table;
aligning the two sets of heuristics, to the degree that it makes
sense, would also be helpful.
There are probably other fairly cheap heuristics that could be
implemented as well, for both servers and default realm
determination. For example, guess that the hostname itself, or the
parent domain, is also the realm name, and see if we can figure out
where the KDCs are; if we can't, retry with the next domain up towards
These seem pretty easy. If someone is interested in expanding on the
details a bit and perhaps implementing some of this, we'd like to hear
More information about the krbdev