Section 8.4: How Kerberos Works
keytab
A file that includes an unencrypted list of principals and their keys. Servers retrieve the
keys they need from keytab files instead of using kinit. The default keytab file is
/etc/krb5.keytab. The kadmind command is the only service that uses any other file
(it uses /var/kerberos/krb5kdc/kadm5.keytab).
plaintext
Unencrypted data.
principal
A user or service that can authenticate using Kerberos. A principal's name is in the form
"root[/instance]@REALM". For a typical user, the root is the same as their login ID. The
instance is optional. If the principal has an instance, it is separated from the root with a forward
slash ("/"). An empty string ("") is actually a valid instance (which differs from the default,
NULL instance), but using it can be confusing. All principals in a realm have their own key,
which is derived from their password (for users) or randomly set (for services).
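The "root[/instance]@REALM" form above is easy to get subtly wrong, in particular the difference between a principal with no instance (the default NULL instance) and one with an explicit empty-string instance. The following parser is an added example written for this glossary, not code from the Red Hat manual or from the Kerberos distribution; the realm EXAMPLE.COM and the sample names are constructed, and the code assumes a single optional instance component and no backslash-escaped characters, which the glossary does not cover.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """A parsed Kerberos principal name: root[/instance]@REALM."""
    root: str
    # None  -> the default (NULL) instance, e.g. "alice@EXAMPLE.COM"
    # ""    -> an explicit empty-string instance, e.g. "alice/@EXAMPLE.COM"
    instance: Optional[str]
    realm: str

    def is_user_style(self) -> bool:
        """True for the plain root@REALM form a typical user gets (root == login ID)."""
        return self.instance is None


def parse_principal(name: str) -> Principal:
    """Parse 'root[/instance]@REALM', keeping NULL and "" instances distinct.

    Assumption (not from the glossary): exactly one optional instance component,
    and no backslash escaping of '/' or '@' inside components.
    """
    # The realm is everything after the LAST '@'; rpartition makes that explicit.
    local, at, realm = name.rpartition("@")
    if not at or not realm:
        raise ValueError(f"principal {name!r} has no @REALM part")
    if not local:
        raise ValueError(f"principal {name!r} has an empty root")

    # The first '/' separates root from instance. If there is no '/', the
    # instance is NULL (None); if there is one but nothing follows, it is "".
    root, slash, instance = local.partition("/")
    if not root:
        raise ValueError(f"principal {name!r} has an empty root")
    return Principal(root=root, instance=instance if slash else None, realm=realm)


def format_principal(p: Principal) -> str:
    """Inverse of parse_principal; round-trips the NULL vs "" distinction."""
    if p.instance is None:
        return f"{p.root}@{p.realm}"
    return f"{p.root}/{p.instance}@{p.realm}"


if __name__ == "__main__":
    # Constructed sample names for a constructed realm.
    for sample in ("alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM", "alice/@EXAMPLE.COM"):
        p = parse_principal(sample)
        print(f"{sample:28} root={p.root!r} instance={p.instance!r} realm={p.realm!r}")
```

Note that "alice@EXAMPLE.COM" and "alice/@EXAMPLE.COM" parse to different principals (instance None versus ""), which is exactly the confusing case the glossary warns about: both are valid names, but they have separate keys.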
realm
A network that uses Kerberos, composed of one or a few servers (also known as KDCs) and a
potentially very large number of clients.
service
A program or computer accessed over the network.
ticket
A temporary set of electronic credentials that verify the identity of a client for a particular
service.
Ticket Granting Service (TGS)
Issues tickets for a desired service that are used by the user to actually gain access to the service.
The TGS usually runs on the same host as the KDC.
Ticket Granting Ticket (TGT)
A special ticket which allows the client to obtain additional tickets without applying for them
from the KDC.
8.4 How Kerberos Works
Now that you have heard a few of the terms that Kerberos uses, here is a simplified explanation of how
a Kerberos authentication system works: