Administration
Principals
The instance portion of the service principal name must be the fully qualified domain name (FQDN) of the host on which the service resides. Although the FQDN in your network can use mixed case characters, the instance portion of the principal name must be in lower case.
For example, if the system name is ‘IT.BAMBI.COM’, the principal name must use the instance ‘it.bambi.com’.
If you fail to use this principal naming convention for the Kerberos Security Server’s utilities, daemons and services, the service principals are unable to authenticate, and this service cannot be accessed by other principals when required.
•The service principal account must have the Allow as Service attribute set.
•The secret key should be extracted to the service key table file on the service’s host. Unlike user principals who type their passwords using the keyboard, a service principal must have its secret key automatically available during authentication. Storing the key in the service key table file ensures that the key is available when required. For more information on extracting a key, see “Extracting Service Keys” on page 151.
Reserved Service Principals
The Kerberos Security Server requires that certain service principals be included in the principal database. These principal accounts use reserved names that have a special significance in the Security Server database.
Most of these reserved service principals are automatically created when you create the principal database or add a realm to the database as discussed below.
K/M@REALM The K/M@REALM principal contains the secret key of the principal database. When the database is created, this principal is added to the server’s default realm to store the database secret key. All records in the principal database are encrypted using this key. The key for this principal is stashed on each security server in a file named .k5.realm.
106 | Chapter 6 |