Skip to main content
Hitachi Vantara Knowledge

Kerberos principal formats

A Kerberos principal can take different forms, containing a varying number of components.

For the purposes of this feature, a principal can contain the following parts:

  • Primary - this would typically be a username.
  • Instance - this is an optional part which qualifies the primary. It can be a user role or a host name.
  • Realm - this is the Kerberos realm which is usually a domain name.

In your environment, a principal could take the following form:


For example:


This user could operate on multiple clients.

Alternatively, your principal could take the following form:


For example:



Here, you could have different Kerberos principals that map to a single user.

To support these environments, the NAS server provides the krb5-nfs-principal-format command. By default, the Kerberos principal is unchanged before being mapped onto a user. For multiple Kerberos principals that are mapped to a single user, the only-primary option changes the Kerberos principal to primary@REALM before mapping it to a user. By using this setting, the principals in the second example above are interpreted as user@EXAMPLE.COM and so would require only a one-to-one mapping.

ImportantIt is expected that the only-primary configuration option is only selected when first configuring a security context and care should be taken when modifying the setting for an existing security context. If the setting is changed after Kerberos authentication for NFS has been used with the security context, this can result in a mixture of Kerberos Principal formats being stored in on-disk security. This is likely to result in users being unable to access files, which would need to be remedied by manually correcting the on-disk security.


  • Was this article helpful?