A Kerberos principal can take different forms, containing a varying number of components.
For the purposes of this feature, a principal can contain the following parts:
- Primary - this would typically be a username.
- Instance - this is an optional part which qualifies the primary. It can be a user role or a host name.
- Realm - this is the Kerberos realm which is usually a domain name.
In your environment, a principal could take the following form:
primary@REALM
For example:
user@EXAMPLE.COM
This user could operate on multiple clients.
Alternatively, your principal could take the following form:
primary/instance@REALM
For example:
user/machine1.example.com@EXAMPLE.COM
user/machine2.example.com@EXAMPLE.COM
Here, you could have different Kerberos principals that map to a single user.
To support these environments, the NAS server provides the krb5-nfs-principal-format command. By default, the Kerberos principal is unchanged before being mapped onto a user. For multiple Kerberos principals that are mapped to a single user, the only-primary option changes the Kerberos principal to primary@REALM before mapping it to a user. By using this setting, the principals in the second example above are interpreted as user@EXAMPLE.COM and so would require only a one-to-one mapping.
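As an added illustration (not the NAS server's own code), the following Python models the two behaviours described above: the default, which leaves the principal untouched before the user lookup, and only-primary, which reduces primary/instance@REALM to primary@REALM first. The parser honours backslash escapes inside components and rejects malformed principals; the mapping table and mode names are assumptions for the example.

```python
# Illustration of the krb5-nfs-principal-format behaviour; not the NAS
# server's implementation. Components are kept verbatim (escapes intact)
# so that rejoining them is lossless.

def split_unescaped(text, sep):
    """Split text on sep, skipping characters escaped with a backslash."""
    parts, current, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current += text[i:i + 2]  # keep the escape sequence as written
            i += 2
            continue
        if text[i] == sep:
            parts.append(current)
            current = ""
        else:
            current += text[i]
        i += 1
    parts.append(current)
    return parts

def parse_principal(principal):
    """Return (components, realm) for 'primary[/instance...]@REALM'."""
    name_realm = split_unescaped(principal, "@")
    if len(name_realm) != 2 or not name_realm[1]:
        raise ValueError("expected exactly one unescaped '@' and a realm: %r" % principal)
    components = split_unescaped(name_realm[0], "/")
    if any(c == "" for c in components):
        raise ValueError("empty component in principal: %r" % principal)
    return components, name_realm[1]

def format_for_mapping(principal, mode="unchanged"):
    """Apply the principal-format setting before the user mapping is consulted.
    mode: 'unchanged' (default) or 'only-primary'."""
    components, realm = parse_principal(principal)
    if mode == "unchanged":
        return principal
    if mode == "only-primary":
        return components[0] + "@" + realm
    raise ValueError("unknown principal-format mode: %r" % mode)

# Constructed one-to-one mapping table for the example: principal -> user.
USER_MAP = {"user@EXAMPLE.COM": "user"}

def map_to_user(principal, mode="unchanged"):
    """Return the mapped user, or None when no mapping entry matches."""
    return USER_MAP.get(format_for_mapping(principal, mode))
```

With the default mode, both host-qualified principals from the second example miss the single table entry; with only-primary they both resolve to user@EXAMPLE.COM and hit it.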