Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 1.9. What is the format of principals?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Restaurant inspections ]


Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.8. What are the differences between AFS Kerberos and "normal" Kerberos?
Next Document: 1.10. How are realms named? Do they really have to be uppercase?
See reader questions & answers on this topic! - Help others by sharing your knowledge
In Kerberos 4, a principal was divided into three parts:

  1. The principal name
  2. An optional instance
  3. The Kerberos realm

Kerberos 4 principals are written in the following format:

name.instance@realm

Kerberos 5 principals are written in a slightly different format:

component/component/component@realm

The terms "name" and "instance" are still used for the first and the second
components respectively.

Note that in both Kerberos 4 and Kerberos 5, the way that principals are
encoded into strings have nothing to do with the way they are stored
internally in Kerberos.

There is an established convention as to how principals are named.
Generally, you will encounter three different types of principals.

  1. A principal without an instance. This is used for users, with the
     username being used as the principal name. Some examples:

     kenh@CMF.NRL.NAVY.MIL
     tytso@ATHENA.MIT.EDU

  2. A principal with a hostname for an instance. This is used to
     distinguish between the same service on different machines. Some
     examples:

     host/foo.bar.org@BAR.ORG
     ftp/blah.bar.org@BAR.ORG

  3. A principal with a unique instance that is not a hostname. For these
     principals the instance has other significance.

     krbtgt/BAR.ORG@BAR.ORG
     krbtgt/FOO.ORG@BAR.ORG

While the specification for Kerberos 5 allows more than two components, in
practice this is not used.

The two most important differences between Kerberos 4 principals and
Kerberos 5 principals are:

  1. The instance separator in Kerberos 4 is a period (.) where in Kerberos
     5 the instance separator is a forward slash (/).
  2. In principals where the hostname is used as the instance, the "short"
     hostname (without a domain name) is used as the instance for Kerberos
     4. In Kerberos 5, the fully qualified domain name is used as the
     instance.

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.8. What are the differences between AFS Kerberos and "normal" Kerberos?
Next Document: 1.10. How are realms named? Do they really have to be uppercase?

Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>





Last Update March 27 2014 @ 02:11 PM