Tags: authentication, kerberos, spn, mit-kerberos, keytab

Understanding Kerberos principals


I am trying to understand Kerberos basic concepts. I read about the principals over here, which typically look like:

primary/instance@REALM

I wanted to ask what exactly is a primary, instance and a realm. Of course there are definitions given on the above page and several other places on the internet, but can someone give an example?

What I understand is this: Primary is the consumer (a user or a service). Instance is something that is used for access control. A primary can be a part of multiple instances. Realm is the collection of instances? Please correct me if I am wrong.

If I have a server: foo.bar.com
On this, can I have 2 realms: REALM1, REALM2? Can these be named as such, or can I have only 1 realm here, FOO.BAR.COM?
Now I have, say, 3 services: s1, s2, s3, which talk to each other. Since Kerberos is enabled, does each of them have to have a principal with its own keytab file? Or, since each service is talking to every other service, does each keytab file need to have principals for all the other services?


Solution

  • In the example you gave: primary/instance@REALM

    1. primary = service name (e.g. HTTP running on a target server)

    2. instance = FQDN (typically), which needs to be in DNS. It would be the FQDN of the server that the "primary" (service) runs on.

    3. REALM = typically written in upper-case (though not mandatory). This (though not always) matches the DNS domain name of the environment in which Kerberos authentication is to occur. It is a collection of computers sharing a common namespace and Kerberos database.

    Example of an SPN: HTTP/server1.acme.com@ACME.COM. In this example, it could be shortened to just HTTP/server1.acme.com, assuming DNS is set up right in the machine's environment.

    For your example, foo.bar.com, the realm would likely be FOO.BAR.COM. It doesn't have to be, though. You can definitely have a DNS FQDN of foo.bar.com existing in a Kerberos realm of another name, but that realm name would have to be fully-qualified; you can't just have it as "REALM1". Kerberos relies heavily on DNS. I suppose it is technically possible to have a non-fully-qualified Kerberos realm name, though I have never seen it done in practice. You would just be asking for major trouble.

    For your 3 services talking to each other, yes, each one of them would have to have its own SPN; they have to be delineated separately in the Kerberos database, otherwise how would clients find them? Three distinct services in this case would each need their own keytab file. But each keytab would not have the principals for the other services.

    Don't use the word "principal" on its own, as you did. A principal is a security object which may have an SPN, or it may not. It depends. There are different types of security principals, such as users, which have UPNs instead. Services are SPNs. Computers are the third type of category. I suggest you read up more here if you are in a Microsoft Active Directory environment, the most popular Kerberos implementation today: http://social.technet.microsoft.com/wiki/contents/articles/4209.kerberos-survival-guide.aspx
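The primary/instance@REALM structure and the SPN/UPN distinction from the answer, as an added example that is not part of the original post: a small Python parser (assuming MIT-style backslash escaping of '/' and '@') that splits a principal into its three parts, classifies it as a service or user principal, and flags realm names that are not upper-case or not fully-qualified.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the question or answer): parses primary/instance@REALM.
@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]   # None for a user principal (UPN)
    realm: Optional[str]      # None when the client's default realm applies

    @property
    def kind(self) -> str:
        # Per the answer: an instance means a service (SPN), none means a user (UPN).
        return "service" if self.instance else "user"

def parse_principal(text: str) -> Principal:
    """Assumption: text after the first unescaped '@' is the realm; any third or
    later '/'-separated component is folded into the instance."""
    comps: list[str] = [""]
    realm: Optional[str] = None
    i = 0
    while i < len(text):
        ch, i = text[i], i + 1
        if ch == "\\" and i < len(text):          # backslash: next char is literal
            ch, i = text[i], i + 1
        elif realm is None and ch == "/":         # unescaped '/': next component
            comps.append("")
            continue
        elif realm is None and ch == "@":         # unescaped '@': realm follows
            realm = ""
            continue
        if realm is None:
            comps[-1] += ch
        else:
            realm += ch
    if not comps[0] or realm == "":
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(comps[0], "/".join(comps[1:]) or None, realm)

def realm_warnings(p: Principal) -> list[str]:
    """Flag realm names that break the conventions the answer describes."""
    if p.realm is None:
        return ["no realm given; the client's default realm will be used"]
    warnings = []
    if p.realm != p.realm.upper():
        warnings.append("realm is not upper-case (convention, not mandatory)")
    if "." not in p.realm:
        warnings.append("realm is not fully-qualified (REALM1 rather than FOO.BAR.COM)")
    return warnings
```

Running it over the question's own names (s1/foo.bar.com@REALM1 versus s1/foo.bar.com@FOO.BAR.COM) shows why the answer steers away from short realm names.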

    For your example, foo.bar.com, the realm would likely be FOO.BAR.COM. It doesn't have to be though. You can definitely have a DNS FQDN of foo.bar.com existing in a Kerberos realm of another name, but that realm name would have to be fully-qualified, you can't just have it as "REALM1". Kerberos relies heavily on DNS. I suppose it is technically possible to have a non-fully qualified Kerberos realm name though I have never seen it done in practice. You would just be asking for major trouble. For your 3 services talking to each other, yes, each one of them would have to have its own SPN, they have to be delineated separately in the Kerberos database otherwise how would clients find them? Three distinct services in this case would each need their own keytab file. But each keytab would not have the principals for the other services. Don't use the word "principal", as you did like that, on its own. A principal is a security object which may have an SPN, or it may not. It depends. There are different types of security principals, such as users, which have UPNs instead. Services are SPNs. Computers are the third type of category. Suggest you read up more here, if you are in a Microsoft Active Directory environment, the most popular version of Kerberos implementation today. http://social.technet.microsoft.com/wiki/contents/articles/4209.kerberos-survival-guide.aspx