2.0 - Updated on 2021-02-23 by Carlos Salazar

1.0 - Authored on 2014-05-08 by Fang Wang

Kerberos Principals and Passwords


Intended for:

Kerberos users.


Scenario/Use case:

This article provides instructions on how to choose and obtain a Kerberos principal and a Kerberos password.



Your Kerberos Principal

As a user, you need to obtain a Kerberos Principal (actually one for each realm, FNAL.GOV and FERMI.WIN.FNAL.GOV), to access machines and resources at Fermilab. A principal is essentially a username for the strengthened realm. Your principals will have the same username, and be of the form principal_name@REALM (e.g., joe@FNAL.GOV and joe@FERMI.WIN.FNAL.GOV). You must have a valid Fermilab ID.

In addition to a principal, you must have an account on each machine that you plan to use in the realm. There are significant conveniences if your principal and your account name are the same, as we discuss in the section below, Choosing a Principal Name.

The system administrator of a strengthened machine may require that authorized users obtain a <username>/root instance of their Kerberos principal to access sensitive accounts on the system. The root instance has tighter restrictions placed on it (see section Ticket Management). If your system administrator tells you it's required, use the form Access to Kerberized Machines in the Service Catalog of ServiceNow.

Choosing a Principal Name

The Service Desk assigns principal names based on the following scheme: the first letter of the first name followed by the last name, with the result truncated to 8 characters.

Requesting a Principal

Use the online form Computing Username and Primary Accounts in the ServiceNow Service Catalog.

About Kerberos Passwords

Once your request for a principal has been approved, you must stop by Wilson Hall, ground floor, North (the Service Desk) to receive your initial Kerberos password. An exception is granted for off-site visitors: you can get it over the telephone (630-840-2345); you will be asked a question to verify your identity.

You are required to change the initial password within 30 days of receipt, and once a year (actually every 400 days) thereafter.

Important! Please Read!

Please treat your Kerberos password as an inviolable object. Never give your password to anybody for any reason. Doing so constitutes a policy violation. If you really need to give someone access to your account (this practice is discouraged, by the way), add the person's principal to your .k5login or .k5users file as described in section Account Access by Multiple Users.

Typing in your Kerberos password should ideally be done infrequently (i.e., no more than once each day). Do not type it in carelessly. Please authenticate locally and forward your credentials to remote systems whenever possible.

Windows domain-only users: type your password only at the Windows login prompt.

Choosing a Kerberos Password

In contrast to the principal (which ideally should match your login name on each machine and your email address), your Kerberos password must be unique. That is, in order to avoid exposing your Kerberos password, it must be different from the passwords you use for any other purpose (with the single exception that you may use the same one for both strengthened realms at Fermilab, namely FNAL.GOV and FERMI.WIN.FNAL.GOV).

While using the same password for the Kerberos Realm and for the FERMI Windows Domain is allowed, do NOT use this same password for your SERVICES Domain. The reason for this restriction is that some uses of SERVICES Domain authentication have a greater propensity for exposing your password, which can result in your account being disabled pending a password reset.

The Fermilab Computer Security Team has imposed some restrictions on passwords in accordance with DOE guidelines. Currently, a password for the FNAL.GOV strengthened realm is required to contain a minimum of ten characters from at least two of the following five classes: lowercase letters, uppercase letters, numbers, punctuation, and all other characters. Passwords for /root principals must contain a minimum of 11 characters including at least three of the five classes. Passwords the system considers "bad" will be rejected. (Passwords are checked against the "cracklib" dictionary, which will often surprise you by its thoroughness.) See How to change your Kerberos password for a summary of the requirements on passwords.
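
The length and character-class rules above, written out as a small checker. This is an added example, not Fermilab's own password-checking code: the real system also consults the full cracklib dictionary, for which the tiny BAD_WORDS set here is only a constructed stand-in.

```python
import string

# The five character classes named in the FNAL.GOV policy: lowercase,
# uppercase, numbers, punctuation, and "all other characters" (e.g. space).
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)
PUNCT = set(string.punctuation)

def character_classes(password):
    """Return the set of policy classes present in `password`."""
    classes = set()
    for ch in password:
        if ch in LOWER:
            classes.add("lower")
        elif ch in UPPER:
            classes.add("upper")
        elif ch in DIGIT:
            classes.add("digit")
        elif ch in PUNCT:
            classes.add("punct")
        else:
            classes.add("other")
    return classes

# Constructed stand-in for the cracklib dictionary (the real list is far larger).
BAD_WORDS = {"password", "fermilab", "kerberos"}

def check_password(password, root_instance=False):
    """Check a candidate against the FNAL.GOV rules; returns (ok, reasons).

    Regular principals: at least 10 characters from at least 2 classes.
    /root instances:    at least 11 characters from at least 3 classes.
    """
    min_len, min_classes = (11, 3) if root_instance else (10, 2)
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = character_classes(password)
    if len(classes) < min_classes:
        reasons.append(f"uses {len(classes)} of 5 classes, need {min_classes}")
    if password.lower() in BAD_WORDS:
        reasons.append("rejected by the dictionary check")
    return (not reasons, reasons)

if __name__ == "__main__":
    for pw, root in [("Mixed-Case-12", False), ("abcdefghij1", True), ("password", False)]:
        print(repr(pw), "root" if root else "regular", check_password(pw, root))
```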

Choose something that's hard to guess but that you can remember, and please make an effort to remember it!!


Changing your Kerberos Password

A few notes before moving to the platform-specific instructions:

See the KnowledgeBase article How to change your Kerberos password for detailed instructions on changing your Kerberos password.


