This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
A [{$pagename}] is a unique identity to which a [KDC] can assign tickets.
Typically, we can think of three kinds of Principals:
* [Users] or [Clients] or [Client-Principal] (identified by a [User Principal Name] ([UPN]))
* [Service Provider] or [Service-Principal] or [Relying Party] (identified by a [Service Principal Name] ([SPN]))
* Hosts, identified by [Hostnames] (in [Microsoft Windows], the [Fully Qualified Domain Name])
Each [Principal] is unique in the [Kerberos Database].
A [{$pagename}] can have an arbitrary number of components. Each component is separated by a component separator, generally "/".
The last component is the [Kerberos Realm], separated from the rest of the principal by the realm separator, generally "@". If the [principal] has no [Kerberos Realm] component, it is assumed to be in the default [realm] for the [context] in which it is being used.
Traditionally, a [{$pagename}] is divided into three parts:
* the primary
* the instance
* the [Kerberos Realm]
The format of a typical [Kerberos] V5 principal is:
{{{
primary/instance@REALM
}}}
The primary is the first part of the principal. In the case of a [Client-Principal], it is typically the same as your username. For a host, the primary is the word HOST.
The instance is an optional string that qualifies the primary and is separated from it by a slash (/). In the case of a user, the instance is usually null, but a [Client-Principal] might also have additional [UPNs] with an instance such as admin, which that user uses to administer a database.
The principal {{{jennifer@ATHENA.MIT.EDU}}} is completely separate from the principal {{{jennifer/admin@ATHENA.MIT.EDU}}}, with a separate password and separate permissions.
In the case of a host, the instance is the fully qualified hostname, e.g., daffodil.mit.edu.
The realm is your [Kerberos Realm]. In most cases, your Kerberos realm is your domain name, in upper-case letters. For example, the machine daffodil.example.com would be in the realm EXAMPLE.COM.
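As an added illustration (not code from this wiki or from any Kerberos implementation), the parser below splits a name into its components and realm using the separators described above, applies a default realm when the "@" part is missing, and shows why jennifer@ATHENA.MIT.EDU and jennifer/admin@ATHENA.MIT.EDU compare as different identities. It goes slightly beyond the page in accepting a backslash as an escape for a literal "/" or "@" inside a component, and in treating "/" inside the realm literally; both are assumptions of this example, not rules stated on the page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

COMPONENT_SEP = "/"   # separates primary, instance, ... ("generally /" on this page)
REALM_SEP = "@"       # separates the realm from the rest ("generally @")


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # primary first, then instance(s)
    realm: str

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        # None is the "null" instance of a plain user principal such as jennifer@REALM
        return self.components[1] if len(self.components) > 1 else None


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split primary/instance[/...]@REALM, using default_realm when no realm is given."""
    if not text:
        raise ValueError("empty principal name")
    components, buf, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":                      # backslash escapes the next character (assumption)
            if i + 1 >= len(text):
                raise ValueError("dangling escape at end of principal")
            buf.append(text[i + 1]); i += 2; continue
        if not in_realm and ch == COMPONENT_SEP:
            components.append("".join(buf)); buf = []
        elif ch == REALM_SEP:
            if in_realm:
                raise ValueError("more than one unescaped realm separator")
            components.append("".join(buf)); buf, in_realm = [], True
        else:
            buf.append(ch)                  # inside the realm, "/" is kept literally
        i += 1
    tail = "".join(buf)
    if not in_realm:                        # no "@": the page says assume the default realm
        if default_realm is None:
            raise ValueError("no realm in name and no default realm configured")
        return Principal(tuple(components + [tail]), default_realm)
    if not tail:
        raise ValueError("empty realm")
    return Principal(tuple(components), tail)
```

Because Principal is a frozen dataclass, two parsed names compare equal only when every component and the realm match, so the admin instance yields a distinct identity even though the primary is the same.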
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]