1.1.2 - Principals
The Kerberos Principal is any entity to which the server can assign a Ticket. Typically, we can think of three kinds of Principals :
* Users
* Services
* Hosts
Each Principal is unique in the Kerberos database. This is the way we identify the entity.
A Kerberos Principal is a combination of three parts :
* the name (the primary)
* an optional instance
* the realm they are associated with
The optional instance is used to provide more than one role to an entity, without having to create N Principals for a single user (an administrator is also a normal user, and it’s good to qualify the user by adding his admin qualificiation in one Principal to create a new and easy to remember Principal)
The Principal syntax is the following :
<primary> ['/' <instance>]* '@' <realm>
For hosts, we use "host" as a primary, and the instances are the hostnames.
Those are examples of valid Principals
::test
john@APACHE.ORG A user
john/admin@APACHE.ORG A user who is an admin
host/www.apache.org/apache.org@APACHE.ORG A host with two hostnames
ldap/www.apache.org@APACHE.ORG A service (Ldap server)