6.2. Principal Names
Overview
Principal names identify entities (users, services, hosts) in the Kerberos system. Each principal is uniquely identified within its realm.
Name Structure
Components
- Name Type: Identifies the interpretation of name components
- Name String: Sequence of one or more components
- Realm: Administrative domain
Format Examples
- User:
username@REALM - Service:
service/hostname@REALM - Instance:
username/instance@REALM
Name Types
NT-PRINCIPAL (1)
- General-purpose principal name
- Typically single-component for users
- Example:
[email protected]
NT-SRV-INST (2)
- Service with instance
- Two components: service and instance
- Example:
krbtgt/[email protected]
NT-SRV-HST (3)
- Service with hostname
- Two components: service and hostname
- Example:
host/[email protected]
Other Name Types
- NT-UID - Unique identifier
- NT-X500-PRINCIPAL - X.500 name
- NT-SMTP-NAME - SMTP mail name
- NT-ENTERPRISE - Enterprise principal
6.2.1. Name of Server Principals
Service Principal Conventions
Format: service/hostname@REALM
Common service types:
host/- Host serviceHTTP/- Web servicenfs/- NFS serviceimap/- Mail service
Hostname Canonicalization
Important considerations:
- Should use fully qualified domain names
- Case preservation varies by implementation
- MUST NOT rely on insecure DNS for canonicalization
- Security implications of name mapping
Case Sensitivity
- Principal name components are case-sensitive
- Realm names are case-sensitive
- Comparisons are exact string matches
- Implementations should preserve case
Security Considerations
- Proper name canonicalization prevents impersonation attacks
- Avoid trusting insecure name resolution (DNS)
- Service names should be carefully validated
- Cross-realm names require additional verification
Best Practices
- Use fully qualified hostnames for services
- Maintain consistent naming conventions
- Document principal naming policy
- Carefully manage service principal names
Reference
For complete specification, refer to RFC 4120 Section 6.2.