HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
Principals
Chapter 8, page 124
The instance portion of the service principal name must be the fully
qualified domain name (FQDN) of the host on which the service
resides. Although the FQDN in your network can use mixed-case
characters, the instance portion of the principal name must be in
lowercase.

For example, if the system name is IT.BAMBI.COM, the principal
name must use the instance it.bambi.com.

If you do not follow this principal naming convention for the Kerberos
server utilities, daemons, and services, the service principals cannot
authenticate, and other principals cannot access the services when
required.

You must set the Allow as Service attribute for the service
principal account.

You must extract the secret key to the service key table file on the
host of the service. Unlike user principals, who type their password
at the keyboard, a service principal must have its secret key
automatically available during authentication. Storing the key in the
service key table file ensures that the key is available when required.
For more information on extracting a key, see “Extracting Service
Keys” on page 178.
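
The following check for the naming convention above is an added example, not part of the HP manual or the Kerberos server software. The service name host, the realm BAMBI.COM, the sample principal list, and the function names are assumptions made for illustration; the check applies to host-based service principals only, not to reserved principals such as K/M@REALM.

```python
# Added example: audit service principal names against the
# lowercase-FQDN instance convention. Names and sample data are constructed.
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def expected_principal(service, host_fqdn, realm):
    """Build service/instance@REALM with the instance forced to lowercase."""
    return f"{service}/{host_fqdn.rstrip('.').lower()}@{realm}"


def check_principal(name, host_fqdn=None):
    """Return the list of convention violations for one principal name."""
    primary_instance, sep, realm = name.rpartition("@")
    if not sep or not realm:
        return ["missing @REALM"]
    primary, slash, instance = primary_instance.partition("/")
    if not slash or not primary or not instance:
        return ["not of the form service/instance@REALM"]
    problems = []
    labels = instance.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        problems.append("instance is not a fully qualified domain name")
    if instance != instance.lower():
        problems.append("instance contains uppercase characters")
    # DNS names compare case-insensitively, so compare in lowercase.
    if host_fqdn and instance.lower() != host_fqdn.rstrip(".").lower():
        problems.append("instance does not match the service host")
    return problems


def audit(principals, host_fqdn=None):
    """Map each non-conforming principal to its violations."""
    report = {p: check_principal(p, host_fqdn) for p in principals}
    return {p: v for p, v in report.items() if v}


# Constructed sample input for the host IT.BAMBI.COM from the text above.
SAMPLE = [
    "host/it.bambi.com@BAMBI.COM",   # conforms
    "host/IT.BAMBI.COM@BAMBI.COM",   # mixed-case FQDN copied verbatim
    "host/it@BAMBI.COM",             # short host name, not an FQDN
]

if __name__ == "__main__":
    print("expected:", expected_principal("host", "IT.BAMBI.COM", "BAMBI.COM"))
    for principal, problems in audit(SAMPLE, "IT.BAMBI.COM").items():
        print(principal, "->", "; ".join(problems))
```
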
Reserved Service Principals
The Kerberos server requires that certain service principals be included
in the principal database. These principal accounts use reserved names
that have a special significance in the Kerberos server database.
Most of these reserved service principals are automatically created when
you create the principal database or add a realm to the database.
IMPORTANT: Do not modify the password policy name of the reserved service
principals.
This section contains a detailed description of the reserved service
principals.
K/M@REALM: The K/M@REALM principal contains the secret key of the
principal database. When creating the database, the Kerberos server
adds the K/M@REALM principal to the default realm of the server to store