Administering the Kerberos Server
Principals

A principal is a specific entity to which you can assign a set of credentials. Principals are users and network services that are included in your security network.
The general syntax for a principal is as follows:
identifier/instance@REALM
where:

identifier    Specifies the name of the network service or a user.
              This parameter is mandatory; you must specify the
              identifier.

/instance     Specifies the group used to further identify the name.
              The instance can identify the duties, organization, or
              any other information about the principal.
              For a user, the instance is often used to describe the
              intended use of the corresponding credentials.
              For a host, the instance is the fully qualified domain
              name. You can specify up to 255 instances; precede each
              additional instance with a slash (/).
              The commands rlogind, ftpd, rshd, rcpd, and telnetd use
              the instance to indicate the name of the system on which
              the network service resides.
              An instance may also imply special privileges. For
              example, a security administrator can have a principal
              account with an admin instance to use when performing
              administration tasks. Keep that account separate from the
              principal used for day-to-day work, so that routine
              logons do not carry administrative privileges.
              The /instance parameter is not mandatory.

@REALM        Specifies the realm in which the principal resides. By
              convention, realm names are the fully qualified domain
              name of the primary security server, written in
              uppercase. Realm names are case-sensitive: EXAMPLE.COM
              and example.com are different realms.
              This parameter is mandatory; you must specify the realm
              name.
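The following parser is an added example, not code from the original manual or from the Kerberos distribution it describes. It splits a principal string into identifier, instances, and realm and enforces the rules in the table: identifier and realm mandatory, zero or more non-empty instances separated by slashes, at most 255 instances, realm compared case-sensitively. It assumes that no escaping of / or @ inside a component is needed (the text does not mention any), and the principal names it prints are constructed for illustration.

```python
"""Parse and validate Kerberos principal names of the form
identifier/instance@REALM as described in the table above.

Assumptions not taken from the page: components carry no escaped
'/' or '@' characters, and MAX_INSTANCES mirrors the stated limit."""

from dataclasses import dataclass
from typing import Tuple

MAX_INSTANCES = 255  # limit stated in the /instance row of the table


class PrincipalError(ValueError):
    """Raised when a principal name violates the documented syntax."""


@dataclass(frozen=True)
class Principal:
    identifier: str              # user or network-service name (mandatory)
    instances: Tuple[str, ...]   # zero or more instances, in order
    realm: str                   # mandatory and case-sensitive

    def __str__(self) -> str:
        # Reassemble exactly as parsed: identifier[/instance...]@REALM
        return "/".join((self.identifier,) + self.instances) + "@" + self.realm

    def has_instance(self, name: str) -> bool:
        return name in self.instances


def parse_principal(text: str) -> Principal:
    """Split a principal string into its parts, rejecting a missing
    identifier or realm, an empty instance (stray '/'), or too many
    instances."""
    if text.count("@") != 1:
        raise PrincipalError(
            f"{text!r}: exactly one '@' must separate the name from the realm")
    name, realm = text.split("@")
    if not realm:
        raise PrincipalError(f"{text!r}: realm is mandatory")
    components = name.split("/")
    identifier, instances = components[0], tuple(components[1:])
    if not identifier:
        raise PrincipalError(f"{text!r}: identifier is mandatory")
    if any(inst == "" for inst in instances):
        raise PrincipalError(f"{text!r}: empty instance (stray '/')")
    if len(instances) > MAX_INSTANCES:
        raise PrincipalError(
            f"{text!r}: {len(instances)} instances exceeds {MAX_INSTANCES}")
    return Principal(identifier, instances, realm)


def is_valid_principal(text: str) -> bool:
    """Boolean form of parse_principal for callers that only need a check."""
    try:
        parse_principal(text)
    except PrincipalError:
        return False
    return True


def is_admin_principal(text: str) -> bool:
    """True when the principal carries an 'admin' instance, the convention
    the text gives for a security administrator's privileged account."""
    return parse_principal(text).has_instance("admin")


def same_realm(a: str, b: str) -> bool:
    """Realm comparison is case-sensitive; no folding is applied."""
    return parse_principal(a).realm == parse_principal(b).realm


if __name__ == "__main__":
    # Constructed sample principals, not taken from the page.
    for p in ("jane@EXAMPLE.COM", "jane/admin@EXAMPLE.COM",
              "ftpd/host1.example.com@EXAMPLE.COM"):
        parsed = parse_principal(p)
        print(f"{p:38} -> {parsed.identifier!r} {parsed.instances} {parsed.realm!r}"
              f"  admin={is_admin_principal(p)}")
    for bad in ("jane", "@EXAMPLE.COM", "jane//admin@EXAMPLE.COM", "jane@A@B"):
        try:
            parse_principal(bad)
        except PrincipalError as err:
            print("rejected:", err)
```

Running the block prints the three accepted names broken into their parts and the four malformed names with the reason each was rejected. The case-sensitive realm comparison in same_realm is deliberate: a check that folded case would treat jane@example.com as a member of EXAMPLE.COM, which the KDC does not.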
When creating principal names, ensure that a principal name: