A Kerberos Principal is any entity to which the server can assign a Ticket. Typically, we can think of three kinds of Principals:
* Users
* Services
* Hosts
Each Principal is unique in the Kerberos database. This is the way we identify the entity.
A Kerberos Principal is a combination of three parts:
* the name (the primary)
* an optional instance
* the realm it is associated with
The optional instance gives one entity more than one role without having to create N Principals for a single user. An administrator is also a normal user, so qualifying that user's name with an admin instance yields a second, easy-to-remember Principal for the same person.
The Principal syntax is the following:
<primary> ['/' <instance>]* '@' <realm>
Here are some examples of valid Principals:

| Principal | Description |
|---|---|
| john@APACHE.ORG | A user |
| john/admin@APACHE.ORG | A user who is an admin |
| host/www.apache.org/apache.org@APACHE.ORG | A host with two hostnames |
| ldap/www.apache.org@APACHE.ORG | A service (LDAP server) |
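As an added example (not code from the original page or from Apache Directory), the following Python parser implements the syntax above, splitting a Principal string into primary, instances and realm and rebuilding it. It goes slightly beyond the page by honouring backslash escaping of '/', '@' and '\' inside a component, as MIT Kerberos's string form does; rejecting empty components is this example's own choice.

```python
from dataclasses import dataclass

SPECIAL = "/@\\"  # characters that must be backslash-escaped inside a component

@dataclass(frozen=True)
class Principal:
    primary: str
    instances: tuple  # zero or more instance components, in order
    realm: str

def parse_principal(text: str) -> Principal:
    """Parse <primary>['/'<instance>]*'@'<realm>; a backslash escapes the next char."""
    parts = [[]]   # name components: primary first, then each instance
    realm = None   # becomes a list of chars once '@' has been seen
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash at end of principal")
            (parts[-1] if realm is None else realm).append(text[i + 1])
            i += 2
            continue
        if realm is not None:
            if ch in "/@":  # a realm may not contain unescaped separators
                raise ValueError(f"unescaped {ch!r} inside realm")
            realm.append(ch)
        elif ch == "/":
            parts.append([])  # start a new instance component
        elif ch == "@":
            realm = []        # everything after this is the realm
        else:
            parts[-1].append(ch)
        i += 1
    if realm is None:
        raise ValueError("missing '@<realm>'")
    components = ["".join(p) for p in parts]
    # Rejecting empty components is this example's own strictness choice (assumption).
    if "" in components or not realm:
        raise ValueError("empty component or realm")
    return Principal(components[0], tuple(components[1:]), "".join(realm))

def format_principal(p: Principal) -> str:
    """Inverse of parse_principal: re-escape each part and join them."""
    def esc(s: str) -> str:
        return "".join("\\" + c if c in SPECIAL else c for c in s)
    return "/".join(map(esc, (p.primary,) + p.instances)) + "@" + esc(p.realm)
```

Note that `format_principal(parse_principal(s))` round-trips any valid string, so the parser can be used to canonicalise Principals before comparing them.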