Network Services and the Master Database
The master database also contains entries for all network services that require Kerberos authentication. Suppose that your site has a machine, laughter.mit.edu, that requires Kerberos authentication from anyone who wants to rlogin to it. The host's Kerberos realm is ATHENA.MIT.EDU.
This service must be registered in the Kerberos database, using the proper service name, which in this case is the principal:
host/laughter.mit.edu@ATHENA.MIT.EDU
The / character separates the Kerberos primary (in this case, host) from the instance (in this case, laughter.mit.edu); the @ character separates the realm name (in this case, ATHENA.MIT.EDU) from the rest of the principal. The primary, host, denotes the name or type of the service that is being offered: generic host-level access to the machine. The instance, laughter.mit.edu, names the specific machine that is offering this service. There will generally be many different machines, each offering one particular type of service, and the instance serves to give each one of these servers a different Kerberos principal.
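
The primary/instance@REALM split described above, as an added Python example (not code from the Kerberos distribution), together with a strict check that a name really is the host principal for a given machine and realm. The function names are hypothetical; the parser accepts only a primary with at most one instance, and its backslash handling (next character taken literally) is a simplification chosen for this example.

```python
from typing import List, NamedTuple, Optional


class Principal(NamedTuple):
    primary: str                # name or type of service, e.g. "host"
    instance: Optional[str]     # specific machine, e.g. "laughter.mit.edu"
    realm: Optional[str]        # None when the name carries no @REALM


def parse_principal(name: str) -> Principal:
    """Split primary/instance@REALM on unescaped '/' and '@'."""
    parts: List[str] = [""]     # components that precede the realm
    realm: Optional[str] = None
    i = 0
    while i < len(name):
        ch, literal = name[i], False
        if ch == "\\":          # simplified escape: next char is literal
            if i + 1 >= len(name):
                raise ValueError("dangling backslash")
            i += 1
            ch, literal = name[i], True
        if not literal and ch == "@":
            if realm is not None:
                raise ValueError("more than one realm separator")
            realm = ""
        elif not literal and ch == "/":
            if realm is not None:
                raise ValueError("component separator inside realm")
            parts.append("")
        elif realm is not None:
            realm += ch
        else:
            parts[-1] += ch
        i += 1
    if "" in parts or realm == "" or len(parts) > 2:
        raise ValueError("malformed principal: %r" % name)
    return Principal(parts[0], parts[1] if len(parts) == 2 else None, realm)


def is_host_principal_for(name: str, fqdn: str, realm: str) -> bool:
    """True only for exactly host/<fqdn>@<realm>; comparison is case-sensitive."""
    try:
        p = parse_principal(name)
    except ValueError:
        return False            # malformed names never match
    return p.primary == "host" and p.instance == fqdn and p.realm == realm
```

Comparing parsed fields rather than matching substrings means a name whose instance merely contains an escaped @ followed by the realm text is not mistaken for a principal in that realm.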