Is a Kerberos principal always a DNS name?

Douglas E. Engert deengert at
Thu Apr 24 14:06:25 EDT 2008

Victor Sudakov wrote:
> Colleagues, 
> Is a Kerberos principal always a DNS name? Can't an IP literal be used?

I think they must be names, but don't have to be in DNS. The name could
be in /etc/hosts. The client and server must agree on the name of the
server, and the KDC has to have a service principal for the server.

IPs don't tend to work, and the IP number of the service changes,
with DHCP for example, each service would have to have a keytab
with the old and new IP numbers, which is not practical, and could
have some security issues.



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list