diff --git a/README.md b/README.md index d4ae227..5c63648 100644 --- a/README.md +++ b/README.md @@ -37,10 +37,22 @@ The container's hostname must match `KRB5_KDC_HOST` exactly — it is set via th | `KRB5_KDC_HOST` | *(required)* | FQDN of this KDC, used by clients and in service ticket names | | `KRB5_MASTER_PASSWORD` | *(required on first start)* | Database master key — set once, cannot be changed without destroying the database | | `KRB5_ADMIN_PRINCIPAL` | `admin` | Name of the bootstrap admin principal | -| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `/admin@` | +| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `@` | Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values before first run. +### Admin principal naming + +By default the bootstrap principal is created as `admin@REALM` — a flat, UPN-style name. This is the value of `KRB5_ADMIN_PRINCIPAL` used verbatim. + +MIT Kerberos also supports the traditional `primary/instance` convention, where the `/admin` instance signals administrative intent. If you prefer that style, set the full name in the variable: + +``` +KRB5_ADMIN_PRINCIPAL=slawek/admin +``` + +This creates `slawek/admin@REALM` and grants it full kadmin rights via the ACL. Either form works — it is purely a naming preference. + > **Important:** `KRB5_MASTER_PASSWORD` and `KRB5_ADMIN_PASSWORD` are only required on first start. Once the realm is initialised (the database file exists in the volume), these variables are not read and can be removed from the env file for enhanced security. The master password cannot be changed without wiping the `kerberos_data` volume and reinitialising the realm, which invalidates all issued tickets and keytabs. ## Build diff --git a/entrypoint.sh b/entrypoint.sh index 7e79314..5c624da 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -47,14 +47,14 @@ EOF EOF cat > /var/lib/krb5kdc/kadm5.acl <
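Review bot: the new "Admin principal naming" section in the README hunk closes with "Either form works — it is purely a naming preference", which undersells the one security-relevant difference the section itself hints at ("the `/admin` instance signals administrative intent"): the `primary/admin` convention exists so that the administrative identity is a separate principal from the operator's everyday one (`slawek@REALM` for ordinary logins, `slawek/admin@REALM` only when running kadmin), so compromise or casual use of the daily credential does not carry kadmin rights. Suggest rewording to recommend the instance form for human operators and keep the flat `admin@REALM` only as the bootstrap default, e.g. "Either form is accepted; for a named operator prefer `user/admin` so the kadmin identity stays separate from that person's login principal." Secondary, same hunk: the changed table row now renders as "Password for `@`" with nothing around the `@` (the old row read "/admin@", so a variable substitution has been lost); write the literal form the new section already uses, e.g. "Password for `KRB5_ADMIN_PRINCIPAL@REALM` (default `admin@REALM`)", so the rendered README is not blank there.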
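Review bot: the entrypoint.sh hunk is cut off on this page right after `cat > /var/lib/krb5kdc/kadm5.acl <`, so the ACL body that the README hunk depends on ("grants it full kadmin rights via the ACL") cannot be reviewed here and should be confirmed before merge: with `KRB5_ADMIN_PRINCIPAL` now "used verbatim" and defaulting to the flat name `admin`, the ACL line must be written for the exact principal (`${KRB5_ADMIN_PRINCIPAL}@REALM`), since the customary `*/admin@REALM` wildcard entry matches only instance-style names and would leave a flat `admin@REALM` with no kadmin rights. Also worth checking in that hunk that the variable is quoted wherever it is interpolated into the heredoc and the `kadmin.local` call, because the README now invites values containing `/`.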