Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
Principals
Chapter 6 (page 106)
The instance portion of the service principal name must be the fully
qualified domain name (FQDN) of the host on which the service
resides. Although the FQDN in your network can use mixed case
characters, the instance portion of the principal name must be in
lower case.
For example, if the system name is ‘IT.BAMBI.COM’, the principal
name must use the instance ‘it.bambi.com’.
If you do not follow this naming convention for the principals of the
Kerberos Security Server's utilities, daemons and services, the
affected service principals cannot authenticate, and the service cannot
be accessed by other principals when required.
• The service principal account must have the Allow as Service
attribute set.
• The secret key should be extracted to the service key table file on the
service’s host. Unlike user principals who type their passwords using
the keyboard, a service principal must have its secret key
automatically available during authentication. Storing the key in the
service key table file ensures that the key is available when required.
For more information on extracting a key, see “Extracting Service
Keys” on page 151.
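The following POSIX shell functions are an added example (not from the HP-UX Kerberos Server manual) that show how an administrator might build a service principal name that follows the convention above, and check an existing name against it before creating the principal or extracting its key. The service name ‘host’, the host ‘IT.BAMBI.COM’ and the realm ‘BAMBI.COM’ are assumed for illustration; the instance portion is lower-cased and must be fully qualified, while the realm is passed through unchanged.

```shell
#!/bin/sh
# Added example; not part of the HP-UX Kerberos Server documentation.
# Hostnames, service names and the realm below are assumed for illustration.

# service_principal SERVICE FQDN REALM
# Prints SERVICE/fqdn@REALM with the instance lower-cased.
# Fails if FQDN is not fully qualified (contains no dot).
service_principal() {
    svc=$1; host=$2; realm=$3
    case "$host" in
        *.*) ;;                                  # looks fully qualified
        *) echo "error: '$host' is not an FQDN" >&2; return 1 ;;
    esac
    # Instance portion must be lower case even if the FQDN is mixed case.
    inst=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    printf '%s/%s@%s\n' "$svc" "$inst" "$realm"
}

# check_service_principal PRINCIPAL
# Returns 0 if PRINCIPAL is service/instance@REALM with a lower-case,
# fully qualified instance; returns 1 and prints the reason otherwise.
check_service_principal() {
    p=$1
    case "$p" in
        */*@*) ;;
        *) echo "error: '$p' is not of the form service/instance@REALM" >&2
           return 1 ;;
    esac
    inst=${p#*/}          # drop "service/"
    inst=${inst%@*}       # drop "@REALM"
    case "$inst" in
        *.*) ;;
        *) echo "error: instance '$inst' is not an FQDN" >&2; return 1 ;;
    esac
    lower=$(printf '%s' "$inst" | tr '[:upper:]' '[:lower:]')
    if [ "$inst" != "$lower" ]; then
        echo "error: instance '$inst' must be lower case ('$lower')" >&2
        return 1
    fi
    return 0
}
```

Running `service_principal host IT.BAMBI.COM BAMBI.COM` prints ‘host/it.bambi.com@BAMBI.COM’, which is the name to use when adding the principal and extracting its key to the service key table file; `check_service_principal host/IT.BAMBI.COM@BAMBI.COM` fails with an explanation, catching the mixed-case mistake before it causes authentication failures.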
Reserved Service Principals
The Kerberos Security Server requires that certain service principals
be included in the principal database. These principal accounts use
reserved names that have a special significance in the Security Server
database.
Most of these reserved service principals are automatically created when
you create the principal database or add a realm to the database as
discussed below.
K/M@REALM The K/M@REALM principal contains the secret key of the
principal database. When the database is created, this principal is added
to the server’s default realm to store the database secret key. All records
in the principal database are encrypted using this key. The key for this
principal is stashed on each security server in a file named .k5.realm.