Fix admin principal naming convention in README and entrypoint script

2026-05-16 14:18:51 +02:00
parent dd2027d24f
commit c5381369c0
2 changed files with 15 additions and 3 deletions
+13 -1
@@ -37,10 +37,22 @@ The container's hostname must match `KRB5_KDC_HOST` exactly — it is set via th
| `KRB5_KDC_HOST` | *(required)* | FQDN of this KDC, used by clients and in service ticket names |
| `KRB5_MASTER_PASSWORD` | *(required on first start)* | Database master key — set once, cannot be changed without destroying the database |
| `KRB5_ADMIN_PRINCIPAL` | `admin` | Name of the bootstrap admin principal |
| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `<admin>/admin@<REALM>` |
| `KRB5_ADMIN_PASSWORD` | *(required on first start)* | Password for `<admin>@<REALM>` |
Copy `env.example` to `~/app-data/kerberos/kerberos.env` and fill in real values before first run.
### Admin principal naming
By default the bootstrap principal is created as `admin@REALM` — a flat, UPN-style name. This is the value of `KRB5_ADMIN_PRINCIPAL` used verbatim.
MIT Kerberos also supports the traditional `primary/instance` convention, where the `/admin` instance signals administrative intent. If you prefer that style, set the full name in the variable:
```
KRB5_ADMIN_PRINCIPAL=slawek/admin
```
This creates `slawek/admin@REALM` and grants it full kadmin rights via the ACL. Either form works — it is purely a naming preference.
> **Important:** `KRB5_MASTER_PASSWORD` and `KRB5_ADMIN_PASSWORD` are only required on first start. Once the realm is initialised (the database file exists in the volume), these variables are not read and can be removed from the env file for enhanced security. The master password cannot be changed without wiping the `kerberos_data` volume and reinitialising the realm, which invalidates all issued tickets and keytabs.
## Build
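Review bot: the new "Admin principal naming" text asserts that either form "grants it full kadmin rights via the ACL" and that the choice "is purely a naming preference", but nothing in this hunk says what kadm5.acl entry the entrypoint writes for the bootstrap principal, and the two forms are not interchangeable from the ACL's point of view. If the entry is the conventional `*/admin@REALM *` wildcard, a flat `admin@REALM` principal does not match it and has no kadmin rights at all; if the entrypoint writes an exact entry for the configured name, the README should say so, since that is the only reason both forms work. Suggest adding one sentence under the heading that names the ACL entry written at first start. Two smaller points: the table row still gives the default as `admin` while the prose says the default creates `admin@REALM`, so the row should state that the realm is appended; and the example `KRB5_ADMIN_PRINCIPAL=slawek/admin` uses a personal name where a neutral one such as `KRB5_ADMIN_PRINCIPAL=alice/admin` would read better in documentation.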