---

title: 1.1.2 - Principals navPrev: 1.1.1-realms.html navPrevText: 1.1.1 - Realms navUp: 1.1-introduction.html navUpText: 1.1 - Introduction navNext: 1.1.3-keys.html navNextText: 1.1.3 - Keys

1.1.2 - Principals

The Kerberos Principal is any entity to which the server can assign a Ticket. Typically, we can think of three kinds of Principals :

* Users
* Services
* Hosts

Each Principal is unique in the Kerberos database. This is the way we identify the entity.

A Kerberos Principal is a combination of three parts :

* the name (the primary)
* an optional instance
* the realm they are associated with

The optional instance is used to provide more than one role to an entity, without having to create N Principals for a single user (an administrator is also a normal user, and it's good to qualify the user by adding his admin qualificiation in one Principal to create a new and easy to remember Principal)

The Principal syntax is the following :

<primary> ['/' <instance>]* '@' <realm>

Those are examples of valid Principals

::test
john@APACHE.ORG                             A user
john/admin@APACHE.ORG                       A user who is an admin
host/www.apache.org/apache.org@APACHE.ORG   A host with two hostnames
ldap/www.apache.org@APACHE.ORG              A service (Ldap server)