Planning principal names

Principals are names of users or services in a Kerberos network. Principal names consist of the user name or service name and the name of the realm to which that user or service belongs.

If Mary Jones uses the realm MYCO.COM, her principal name might be jonesm@MYCO.COM. Mary Jones uses this principal name and its associated password to be authenticated by a centralized Kerberos server. All principals are added to the Kerberos server, which maintains a database of all users and services within a realm.

When developing a system for naming principals, you should assign principal names using a consistent naming convention that will accommodate current and future users. Use the following suggestions to establish a naming convention for your principals:

  • Use family name and initial of first name
  • Use first initial and full family name
  • Use first name plus last initial
  • Use application or service names with identifying numbers, such as database1.

IBM i principal names

When you configure network authentication service on IBM i platforms, the principal names can be optionally created. Each of these principals represents services located on the IBM i operating system. During the configuration of network authentication service, a key table entry is created on the system for each of the service principals that you choose to create. This key table entry stores the service principal name and the encrypted password that you specified during configuration. It is important to note that all IBM i service principals need to be added to the Kerberos server after network authentication service is configured. The methods of adding the IBM i principal to the Kerberos server varies based on the Kerberos server that you have configured in your enterprise. For instructions on how to add the IBM i principal name to either a Windows domain or a Kerberos server in PASE for i, see Adding IBM i principals to the Kerberos server. The following information describes each of the IBM i service principals that are created during network authentication service configuration:
IBM i Kerberos Authentication
When you choose to create a keytab entry for IBM i Kerberos Authentication, the service principal is generated in the keytab file in one of these formats: krbsvr400/IBM i fully qualified domain name@REALM NAME or krbsvr400/IBM i host name@REALM NAME. For example, a valid service principal for IBM i Kerberos Authentication might be krbsvr400/systema.myco.com@MYCO.COM or krbsvr400/systema@MYCO.COM. IBM i generates the principal based on the host name that it finds on either the DNS server or on the IBM i platform depending on how the IBM i platform is configured to resolve host names.

The service principal is used for several IBM i interfaces, such as QFileSrv.400, Telnet, Distributed Relational Database Architecture™ (DRDA), and IBM i NetServer. Each of these applications might require additional configuration to enable Kerberos authentication.

LDAP
In addition to the IBM i service principal name, you can optionally configure additional service principals for IBM Tivoli® Directory Server for IBM i (LDAP) during network authentication service configuration. The LDAP principal name is ldap/IBM i fully qualified domain name@REALM NAME. For example, a valid LDAP principal name might be ldap/systema.myco.com@MYCO.COM. This principal name identifies the directory server located on that IBM i platform.
Note: In past releases, the Network Authentication Service wizard created an uppercase keytab entry for LDAP service. If you have configured the LDAP principal previously, when you reconfigure network authentication service or access the wizard through the Enterprise Identity Mapping (EIM) interface, you will be prompted to change this principal name to its lowercase version.
If you plan on using Kerberos authentication with the directory server, you not only need to configure network authentication service, but also change properties for the directory server to accept Kerberos authentication. When Kerberos authentication is used, directory server associates the server distinguished name (DN) with the Kerberos principal name. You can choose to have the server DN associated by using one of the following methods:
  • The server can create a DN based on the Kerberos principal name. When you choose this option, a Kerberos identity of the form principal@realm generates a DN of the form ibm-kn=principal@realm. ibm-kn= is equivalent to ibm-kerberosName=.
  • The server can search the directory for a distinguished name (DN) that contains an entry for the Kerberos principal and realm. When you choose this option, the server searches the directory for an entry that specifies this Kerberos identity.

See IBM Tivoli Directory Server for IBM i (LDAP) for details on the configuration of Kerberos authentication for the directory server.

HTTP Server
In addition to the IBM i service principal name, you can optionally configure additional service principals for HTTP Server powered by Apache (HTTP) during network authentication service configuration. The HTTP principal name is HTTP/IBM i fully qualified domain name@REALM NAME. This principal name identifies the HTTP Server instances on the IBM i platform that will be using Kerberos to authenticate Web users. To use Kerberos authentication with an HTTP Server instance, you also need to complete additional configuration steps that pertain to HTTP Server.

See the HTTP Server for IBM i: documentationLink outside the Information center home page to find information about using Kerberos authentication with HTTP Server.

IBM i NetServer
For IBM i NetServer, you can also choose to create several NetServer principals that are automatically added to the keytab file on the IBM i platform. Each of these NetServer principals represents all the potential clients that you might use to connect with NetServer. The following table shows the NetServer principal name and the clients they represent.
Table 1. IBM i NetServer principal names
Client connection IBM i NetServer principal name
Windows
cifs/IBM i fully qualified domain name
cifs/IBM i host name
cifs/Q IBM i host name
cifs/q IBM i host name
cifs/IP address

See IBM i NetServer for more information about using Kerberos authentication with this application.

Network File System Server
In addition to the IBM i service principal name, you can optionally configure Network File System (NFS) Server during network authentication service configuration. The NFS principal name is nfs/IBM i fully qualified domain name@REALM NAME. For example, a valid principal name for the NFS Server might be nfs/systema.myco.com@MYCO.COM.
Example planning work sheet
Table 2. Example principal planning work sheet
Questions Answers
What is the naming convention that you plan to use for Kerberos principals that represent users in your network?

First initial followed by first five letters of the family name in lowercase, for example, mjones
What is the naming convention for applications on your network?

Descriptive name followed by number, for example, database123
For which IBM i services do you plan to use Kerberos authentication? IBM i Kerberos authentication is used for the following services:
  1. IBM Navigator for i, IBM i NetServer, and Telnet
  2. HTTP Server powered by Apache
  3. LDAP
  4. Network File System (NFS) Server
What are the IBM i principal names for each of these IBM i services?
  1. krbsvr400/systema.myco.com@MYCO.COM
  2. HTTP/systema.myco.com@MYCO.COM
  3. ldap/systema.myco.com@MYCO.COM
  4. nfs/systema.myco.com/MYCO.COM