From c5381369c05ee2cef69f3afbb35dc3e7dfb028f1 Mon Sep 17 00:00:00 2001 From: Slawomir Koszewski Date: Sat, 16 May 2026 14:18:51 +0200 Subject: [PATCH] Fix admin principal naming convention in README and entrypoint script --- README.md | 14 +++++++++++++- entrypoint.sh | 4 ++-- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d4ae227..5c63648 100644 --- a/README.md +++ b/README.md 
@@ -37,10 +37,22 @@ The container's hostname must match `KRB5_KDC_HOST` exactly — it is set via th | `KRB5_KDC_HOST` | *(required)* | FQDN of this KDC, used by clients and in service ticket names | | `KRB5_MASTER_PASSWORD` | *(required on first start)* | Database master key — set once, cannot be changed without destroying the database | | `KRB5_ADMIN_PRINCIPAL` | `admin` | Name of the bootstrap admin principal | -| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `/admin@` | +| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `@` | Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values before first run. +### Admin principal naming + +By default the bootstrap principal is created as `admin@REALM` — a flat, UPN-style name. This is the value of `KRB5_ADMIN_PRINCIPAL` used verbatim. + +MIT Kerberos also supports the traditional `primary/instance` convention, where the `/admin` instance signals administrative intent. If you prefer that style, set the full name in the variable: + +``` +KRB5_ADMIN_PRINCIPAL=slawek/admin +``` + +This creates `slawek/admin@REALM` and grants it full kadmin rights via the ACL. Either form works — it is purely a naming preference. + > **Important:** `KRB5_MASTER_PASSWORD` and `KRB5_ADMIN_PASSWORD` are only required on first start. Once the realm is initialised (the database file exists in the volume), these variables are not read and can be removed from the env file for enhanced security. The master password cannot be changed without wiping the `kerberos_data` volume and reinitialising the realm, which invalidates all issued tickets and keytabs. ## Build diff --git a/entrypoint.sh b/entrypoint.sh index 7e79314..5c624da 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -47,14 +47,14 @@ EOF EOF cat > /var/lib/krb5kdc/kadm5.acl <
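Review bot: in the README.md hunk the replacement table cell reads "Password for `@`", which no longer names the principal at all (the removed cell at least read `/admin@`); the placeholders look like they were lost in extraction or templating, so spell the cell out literally as "Password for `KRB5_ADMIN_PRINCIPAL@REALM`" so it matches the `admin@REALM` wording used in the new "Admin principal naming" section. In that section, "Either form works — it is purely a naming preference" only holds if the ACL written by the entrypoint matches the exact principal name; the `kadm5.acl` pattern MIT Kerberos documents (`*/admin@REALM *`) grants admin rights by the `/admin` instance, and under that kind of entry the choice between `admin` and `slawek/admin` is an authorization decision rather than a style preference. The paragraph should state which ACL form this image writes so readers do not assume the flat name is covered by an instance wildcard.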
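Review bot: the entrypoint.sh hunk is cut off in this view immediately after `cat > /var/lib/krb5kdc/kadm5.acl <`, so the two changed ACL lines the diffstat promises (`entrypoint.sh | 4 ++--`) cannot be reviewed here. Please confirm the heredoc expands `KRB5_ADMIN_PRINCIPAL` into an entry for the exact principal (the variable followed by `@` and the script's realm variable, whatever it is named, then the permission field) rather than a `*/admin` wildcard, since the README in this same patch promises that the configured principal "grants it full kadmin rights via the ACL". Because the value is interpolated verbatim from the env file into an authorization file, the script should also validate it before writing the ACL (reject whitespace, `*`, an embedded `@`, and an empty string); otherwise a mistyped value produces a silently wider or simply broken grant at first start, and the README says these variables are not read again once the database exists.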