6.1. Realm Names
Overview
Realm names identify Kerberos administrative domains. Each realm is managed independently with its own KDC and policy.
Naming Conventions
Format
- Generally uppercase strings
- Often based on DNS domain names (uppercase)
- Hierarchical structure recommended
- Examples: ATHENA.MIT.EDU, EXAMPLE.COM
Hierarchical Realms
- Parent-child relationships supported
- Facilitates cross-realm authentication
- Shared keys between parent and children
- Example hierarchy: COM → EXAMPLE.COM → SALES.EXAMPLE.COM
Technical Requirements
Character Set
- Should use printable ASCII characters
- Case-sensitive comparisons required
- Avoid whitespace and special characters
- Maximum length considerations
Comparison Rules
- Exact string matching
- Case-sensitive
- No canonicalization applied
- Byte-for-byte comparison
Cross-Realm Considerations
- Trust relationships established through shared keys
- Authentication paths through intermediate realms
- Transited field records realm path
- Policy controls which realms are trusted
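The comparison rules and the hierarchical authentication path described above, as an added example (not taken from RFC 4120 or any Kerberos implementation). The function names are hypothetical, the transited realms are assumed to be an already-decoded list, and the "only expected intermediates" policy is one simplified local policy among many.

```python
from __future__ import annotations


def realms_equal(a: bytes, b: bytes) -> bool:
    """Exact, case-sensitive, byte-for-byte match: no case folding, no trimming."""
    return a == b


def hierarchical_path(client: bytes, server: bytes) -> list[bytes]:
    """Realms walked from client realm up to the deepest shared ancestor,
    then down to the server realm (DNS-style, dot-separated names)."""
    c, s = client.split(b"."), server.split(b".")
    shared = 0
    # Count matching components from the right; comparison is exact bytes.
    while shared < min(len(c), len(s)) and c[-1 - shared] == s[-1 - shared]:
        shared += 1
    if shared == 0:
        raise ValueError("no common ancestor realm; a direct trust is needed")
    up = [b".".join(c[i:]) for i in range(len(c) - shared + 1)]
    down = [b".".join(s[i:]) for i in range(len(s) - shared - 1, -1, -1)]
    return up + down


def transited_ok(client: bytes, server: bytes, transited: list[bytes]) -> bool:
    """Hypothetical policy: accept only if every transited realm is an
    intermediate realm on the expected hierarchical path."""
    expected = hierarchical_path(client, server)[1:-1]
    return all(any(realms_equal(t, e) for e in expected) for t in transited)


if __name__ == "__main__":
    # Constructed sample realms, based on the hierarchy used on this page.
    src, dst = b"SALES.EXAMPLE.COM", b"ENG.EXAMPLE.COM"
    print([r.decode() for r in hierarchical_path(src, dst)])
    print(transited_ok(src, dst, [b"EXAMPLE.COM"]))   # intermediate realm matches
    print(transited_ok(src, dst, [b"example.com"]))   # differs only by case
    try:
        hierarchical_path(b"sales.example.com", dst)
    except ValueError as exc:
        print("rejected:", exc)
```

Because no canonicalization is applied, a realm that differs only in case is treated as a different realm at every step, including when locating the shared ancestor.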
Best Practices
- Use DNS domain names for easier management
- Maintain consistent capitalization (typically uppercase)
- Document realm hierarchies
- Plan cross-realm trust relationships carefully
Reference
For complete specification, refer to RFC 4120 Section 6.1.