1.1.2 - Principals

The Kerberos Principal is any entity to which the server can assign a Ticket. Typically, we can think of three kinds of Principals:

* Users
* Services
* Hosts

Each Principal is unique in the Kerberos database. This is the way we identify the entity.

A Kerberos Principal is a combination of three parts:

* the name (the primary)
* an optional instance
* the realm they are associated with

The optional instance is used to give an entity more than one role without having to create N Principals for a single user. An administrator is also a normal user, so it is convenient to qualify the user by adding an admin instance to the base Principal, producing a new and easy-to-remember Principal.

The Principal syntax is the following:

```
<primary> ['/' <instance>]* '@' <realm>
```

For hosts, we use "host" as the primary, and the instances are the hostnames.

These are examples of valid Principals:

```
john@APACHE.ORG                             A user
john/admin@APACHE.ORG                       A user who is an admin
host/www.apache.org/apache.org@APACHE.ORG   A host with two hostnames
ldap/www.apache.org@APACHE.ORG              A service (LDAP server)
```
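As an added illustration (not code from the Apache documentation itself), the following parser implements the `<primary> ['/' <instance>]* '@' <realm>` syntax above, rejects malformed names, and shows that `john@APACHE.ORG` and `john/admin@APACHE.ORG` are distinct Principals even though they belong to the same person. The `Principal` class, its helper methods and the invalid sample names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Principal:
    """One Kerberos Principal: a primary, zero or more instances, and a realm."""
    primary: str
    instances: Tuple[str, ...]
    realm: str

    def __str__(self) -> str:
        # Re-emit the canonical form: primary[/instance...]@REALM
        return "/".join((self.primary, *self.instances)) + "@" + self.realm

    def is_host(self) -> bool:
        # Host Principals use "host" as the primary; each instance is a hostname.
        return self.primary == "host" and len(self.instances) > 0

    def has_role(self, role: str) -> bool:
        # A role such as "admin" is carried as an instance (john/admin), not as
        # a separate user, so the same person may hold several Principals.
        return role in self.instances


def parse_principal(text: str) -> Principal:
    """Parse <primary> ['/' <instance>]* '@' <realm>; raise ValueError otherwise."""
    if text.count("@") != 1:
        raise ValueError(f"exactly one '@' expected in {text!r}")
    name_part, realm = text.split("@")
    if not realm:
        raise ValueError(f"missing realm in {text!r}")
    components = name_part.split("/")
    if any(c == "" for c in components):
        raise ValueError(f"empty primary or instance in {text!r}")
    return Principal(components[0], tuple(components[1:]), realm)


def is_valid_principal(text: str) -> bool:
    """True when the name follows the syntax, False for any malformed input."""
    try:
        parse_principal(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The four examples from the page, parsed and printed back in canonical form.
    for name in ("john@APACHE.ORG", "john/admin@APACHE.ORG",
                 "host/www.apache.org/apache.org@APACHE.ORG",
                 "ldap/www.apache.org@APACHE.ORG"):
        p = parse_principal(name)
        print(f"{p!s:45} host={p.is_host()} admin={p.has_role('admin')}")
```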