Intended for: Kerberos users
Scenario/Use case:
This article provides information for users who have pre-existing account names and/or an email address at Fermilab, and for whom the guidelines in Kerberos Principals and Passwords are not straightforward to follow.
Instructions:
Guidelines for Choosing a Kerberos Principal
In Kerberos Principals and Passwords, we provided the following guidelines for choosing a Kerberos principal and system login ids:
- New principals should be chosen to be eight or fewer characters, and may include a variety of characters. Please use only lowercase letters and any digits 0 through 9. Do not use uppercase letters or any special characters in principal names.
- (New users) Choose one login id (account name) common to all systems at Fermilab that you use, and use this id also as your Kerberos principal name.
If you have pre-existing accounts which make the above guidelines hard to follow, here are further guidelines:
- If your existing primary system login name (UNIX and/or Windows) is eight or fewer characters, then use this login name for your Kerberos principal. Notes:
  - If your email address and your primary login name do not match, choose the login name as your principal, not your email address. The Computing Sector will reserve this login name for you as an email address name. You may continue to use your existing email address on the mail server for a limited time (not yet specified); please transition to the new one. Separate forwards for the two will not be supported.
  - If your primary login name has ever been used as an email address by an individual besides yourself, you must choose a different name for your Kerberos principal. In fact you will need to relinquish the old login name on each system as it becomes Kerberized.
- If your primary login name is longer than eight characters, then you can choose between the following two options:
  - Choose a new name that is eight characters or less, and use it both as your principal and as a new, common login name for all systems. In this case you will have to move or rename your current accounts and files.
  - Go ahead and use the long login name as your principal, but be aware that you will very likely have difficulty using some UNIX resources, and the problems may be hard to diagnose. For example, Solaris currently does not accept login names longer than eight characters.
If your Principal and Login Name do not Match
If your principal does not match your login name, then you need to be aware of the following:
- When connecting over the network (ssh, rlogin, rsh, telnet, etc.) you'll always have to give the -l <login_name> option (or login_name@host:... for rcp and scp), and there will have to be a .k5login file in your home directory that lists your principal (see section The .k5login File).
- If using an RSA SecureID token (described in Using RSA SecureID Token), you must initially log in to a system on which your login id matches the username you registered when acquiring the RSA SecureID. If there are no systems for which this is true, you will not be able to log in with the RSA SecureID token. However, RSA SecureID tokens are almost always available via the FNALU gateway system. For connecting from the initial machine to a second machine with a different login id, see the above note.
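As an added example (not part of the original article), the following POSIX shell script checks a proposed principal against the naming guidelines above (eight or fewer characters, lowercase letters and digits only) and confirms that a .k5login file lists the principal, which is what a mismatched principal and login name require. The realm REALM.EXAMPLE, the user names and the host name are constructed placeholders, not Fermilab values.

```shell
#!/bin/sh
# Added example, not from the original article. Checks a candidate
# Kerberos principal against the guidelines and verifies the .k5login setup.

# Returns 0 if NAME is 1 to 8 characters of lowercase letters and digits only.
valid_principal() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 8 ] || return 1
    case $name in
        *[!a-z0-9]*) return 1 ;;   # uppercase or special character present
    esac
    return 0
}

# Returns 0 if FILE (a .k5login) lists PRINCIPAL as a complete line.
# .k5login entries carry the realm, e.g. user@REALM.EXAMPLE (placeholder realm).
k5login_lists() {
    file=$1
    principal=$2
    [ -r "$file" ] || return 1
    grep -qx -- "$principal" "$file"
}

# Prints the ssh command to use: plain when principal and login name match,
# with -l <login_name> when they differ, as described in the article.
ssh_command() {
    principal=$1
    login=$2
    host=$3
    if [ "$principal" = "$login" ]; then
        printf 'ssh %s\n' "$host"
    else
        printf 'ssh -l %s %s\n' "$login" "$host"
    fi
}

# Constructed demo: a throwaway .k5login listing a placeholder principal.
K5_DEMO=$(mktemp)
trap 'rm -f "$K5_DEMO"' EXIT
printf '%s\n' 'jsmith@REALM.EXAMPLE' > "$K5_DEMO"

if valid_principal jsmith; then
    echo "jsmith: acceptable as a principal"
fi
if k5login_lists "$K5_DEMO" 'jsmith@REALM.EXAMPLE'; then
    echo "$K5_DEMO lists jsmith@REALM.EXAMPLE"
fi
ssh_command jsmith johnsmith host.example   # login name differs, needs -l
```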