koszewscy/kerberos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix admin principal naming convention in README and entrypoint script

Browse Source
This commit is contained in:
Sławek Koszewski
2026-05-16 14:18:51 +02:00
parent dd2027d24f
commit c5381369c0
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+13 -1
View File
@@ -37,10 +37,22 @@ The container's hostname must match `KRB5_KDC_HOST` exactly — it is set via th
| `KRB5_KDC_HOST` | *(required)* | FQDN of this KDC, used by clients and in service ticket names |
| `KRB5_MASTER_PASSWORD` | *(required on first start)* | Database master key — set once, cannot be changed without destroying the database |
| `KRB5_ADMIN_PRINCIPAL` | `admin` | Name of the bootstrap admin principal |
| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `<admin>/admin@<REALM>` |
| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `<admin>@<REALM>` |
Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values before first run.
### Admin principal naming
By default the bootstrap principal is created as `admin@REALM` — a flat, UPN-style name. This is the value of `KRB5_ADMIN_PRINCIPAL` used verbatim.
MIT Kerberos also supports the traditional `primary/instance` convention, where the `/admin` instance signals administrative intent. If you prefer that style, set the full name in the variable:
```
KRB5_ADMIN_PRINCIPAL=slawek/admin
```
This creates `slawek/admin@REALM` and grants it full kadmin rights via the ACL. Either form works — it is purely a naming preference.
> **Important:** `KRB5_MASTER_PASSWORD` and `KRB5_ADMIN_PASSWORD` are only required on first start. Once the realm is initialised (the database file exists in the volume), these variables are not read and can be removed from the env file for enhanced security. The master password cannot be changed without wiping the `kerberos_data` volume and reinitialising the realm, which invalidates all issued tickets and keytabs.
## Build
entrypoint.sh
+2 -2
View File
@@ -47,14 +47,14 @@ EOF
EOF
cat > /var/lib/krb5kdc/kadm5.acl <<EOF
${ADMIN_PRINCIPAL}/admin@${REALM} *
${ADMIN_PRINCIPAL}@${REALM} *
EOF
cp /var/lib/krb5kdc/krb5.conf /etc/krb5.conf
echo "Initializing Kerberos realm ${REALM}..."
KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf kdb5_util create -s -P "${MASTER_PASSWORD}" -r "${REALM}"
KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf kadmin.local -q "addprinc -pw ${ADMIN_PASSWORD} ${ADMIN_PRINCIPAL}/admin@${REALM}"
KRB5_KDC_PROFILE=/var/lib/krb5kdc/kdc.conf kadmin.local -q "addprinc -pw ${ADMIN_PASSWORD} ${ADMIN_PRINCIPAL}@${REALM}"
echo "Realm initialized."
else
echo "Realm already initialized, skipping."