Principal names, mappings and RFCs

Tom_Krauss thomas.krauss at
Mon Nov 11 10:11:52 EST 2013


we plan to use NFSv3 and Kerberos authentication.

Applications which use NFS will be provided with a keytab. 
In order to have individual keytabs for each instance of an application on
lots of servers we plan to use principal type 3 names - NT-SRV-HST - for the

myapp/host1.dom at REALM
myapp/host2.dom at REALM

We have an appliance providing the NFS server facility. 
The appliance cuts off everything from a client's principal name that
follows the first instance.

So given the example above I do not need to take care about principal
mapping on the server since "myapp" equals "myapp".

On the one hand this seems pretty convenient, but from a security point of
view I have some doubts, and that is why I am looking for guidelines.

I read the relevant chapters in RFC 1510 (7.2) and 4120 (6.2) and they do
not seem to forbid the "blackbox mapping" as described above. So - does our
vendor comply with the RFCs?

Are there any kinds of rules or is that completely relative because
principal mapping always depends on a customer's requirements?

Thanks for your insight.
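As an added illustration of the mapping described in this post (not code from the poster or from the appliance vendor), the Python below parses principal names in the RFC 4120 textual form, reproduces the "keep only the first component" mapping, and contrasts it with a hypothetical stricter policy that also checks the realm and an allowlist of hosts. The sample principals and the realm OTHER.REALM are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    components: tuple  # e.g. ("myapp", "host1.dom") for an NT-SRV-HST name
    realm: str

def parse_principal(text: str) -> Principal:
    """Parse a/b@REALM: '/' separates components, '@' starts the realm, '\\' escapes."""
    components, buf, realm = [], [], None
    chars = iter(text)
    for ch in chars:
        if ch == "\\":  # escaped character belongs to the part being read
            (buf if realm is None else realm).append(next(chars, ""))
        elif realm is not None:
            realm.append(ch)
        elif ch == "/":
            components.append("".join(buf)); buf = []
        elif ch == "@":
            components.append("".join(buf)); buf = []; realm = []
        else:
            buf.append(ch)
    if not realm or "" in components:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(tuple(components), "".join(realm))

def appliance_mapping(text: str) -> str:
    """The vendor behaviour described in the post: everything after the first
    component is dropped, so myapp/host1.dom@REALM and myapp/host2.dom@REALM -> 'myapp'."""
    return parse_principal(text).components[0]

def strict_mapping(text: str, trusted_realm: str, hosts: set):
    """Hypothetical stricter policy: same result for the intended principals, but
    only if the realm is the trusted one and the host component is on an allowlist."""
    p = parse_principal(text)
    if p.realm != trusted_realm or len(p.components) != 2:
        return None
    service, host = p.components
    return service if host in hosts else None

def identity_groups(principals, mapper) -> dict:
    """Group principals by the local identity a mapper assigns; more than one
    principal per identity shows the mapping is many-to-one, the post's concern."""
    groups = defaultdict(list)
    for p in principals:
        ident = mapper(p)
        if ident is not None:
            groups[ident].append(p)
    return dict(groups)

# Constructed sample: the two intended instances plus a principal from another realm.
SAMPLE = ["myapp/host1.dom@REALM", "myapp/host2.dom@REALM", "myapp/host9.dom@OTHER.REALM"]
```

Running identity_groups(SAMPLE, appliance_mapping) puts all three principals under "myapp", while the strict mapper with trusted realm REALM and hosts {host1.dom, host2.dom} keeps only the two intended ones.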

Sent from the Kerberos - General mailing list archive at