A Kerberos principal is a unique identity to which Kerberos can assign tickets. Principals can have an arbitrary number of components. Each component is separated by a component separator, generally `/'. The last component is the realm, separated from the rest of the principal by the realm separator, generally `@'. If there is no realm component in the principal, then it will be assumed that the principal is in the default realm for the context in which it is being used.
Traditionally, a principal is divided into three parts: the
primary, the instance, and the realm. The format of
a typical Kerberos V5 principal is primary/instance@REALM
.
host
.
/
). In the case of a user, the instance is usually null, but a
user might also have an additional principal, with an instance called
admin
, which he/she uses to administrate a database. The
principal jennifer@ATHENA.MIT.EDU
is completely
separate from the principal
jennifer/admin@ATHENA.MIT.EDU
, with a separate
password, and separate permissions. In the case of a host, the instance
is the fully qualified hostname, e.g.,
daffodil.mit.edu
.
daffodil.example.com
would be in
the realm EXAMPLE.COM
.