possible new project: better realm determination heuristics -- any takers?

Ken Raeburn raeburn at MIT.EDU
Tue Apr 8 11:59:25 EDT 2008 

On Apr 8, 2008, at 09:26, Simo Sorce wrote:
> On Tue, 2008-04-08 at 08:14 +0200, Mark Phalan wrote:
>> On 7 Apr 2008, at 20:54, Ken Raeburn wrote:
>>> [...]
>> I basically implemented this heuristic for our (Sun's) code.
>> If you're interested I can make a patch for MIT 1.6.3 ?

Yes, that would be handy, thanks Mark!

Though as I said, there's more that could be done.  Anyone want to  
build on this work?

>> The algorithm is:
>>
>>    domain = fqdn;
>>    while (domain.label_count > 2) {
>> 	domain = pop_label(domain);
>> 	realm = domain2realm(domain); /* for ASCII: toupper() */
>> 	if (lookup_kdcs(realm) > 0)
>> 	    break;
>> 	realm = NULL;
>>    }

That's probably good for most cases, but will probably be wrong for  
example.co.uk, and doesn't try to deal with mit.edu and the like.   
Still, most of the hostnames we'll get will not exactly match the  
domain associated with the realm by far, so maybe it wouldn't be worth  
the extra DNS traffic potentially generated.  (Then again, my own  
personal domain includes a hostname that matches the two-component  
domain name. :-)

[ Simo Sorce: ]
> It would be useful if discovery would be implemented as a pluggable
> interface, so that custom resolvers can be implemented. This will let
> people customize the resolvers based on their environment and  
> resources.

If someone wants to tackle that, sure!  Thanks for the idea.

I'm not sure it makes sense to integrate it with service location,  
versus being a separate plugin interface.  Integrated, you'd feed in  
"server.example.com" and get back, what, a list of KDC addresses?   
Also, unless we can guarantee that referrals from the KDC will give us  
all the information and we won't want to support local configuration,  
we still need to come up with the realm name in places.

That also reminds me, there are places in our code where we support  
the mapping of a hostname to multiple realms. We should probably  
figure out what that means, if anything, and whether we should  
continue to support it (including letting the plugin return multiple  
names, even if 98% of actual plugins only return one), or phase it out  
everywhere.  (If a hostname maps to two realms, should all services be  
expected to be available via either realm?  Or does the client  
potentially have to try both realms to find the service?)

Ken

More information about the krbdev mailing list