Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

Kerberos Principals

A client in the Kerberos service is identified by its principal. A principal is a unique identity to which the KDC can assign tickets. A principal can be a user, such as jdoe, or a service, such as nfs.

By convention, a principal name is divided into three components: the primary, the instance, and the realm. A typical Kerberos principal would be, for example, jdoe/admin@CORP.EXAMPLE.COM. In this example:

  • jdoe is the primary. The primary can be a user name, as shown here, or a service, such as nfs. The primary can also be the word host, which signifies that this principal is a service principal that is set up to provide various network services, such as ftp, scp, and ssh.

  • admin is the instance. An instance is optional in the case of user principals but is required for service principals. For example, if the user jdoe sometimes acts as a system administrator, the principal jdoe/admin can distinguish the administrator from the user identity. Likewise, if jdoe has accounts on two different hosts, the accounts can use two principal names with different instances, for example, jdoe/denver.example.com and jdoe/boston.example.com. Notice that the Kerberos service treats jdoe and jdoe/admin as two completely different principals.

    In the case of a service principal, the instance is the fully qualified host name. bigmachine.corp.example.com is an example of such an instance. The primary/instance for this example might be ftp/bigmachine.corp.example.com or host/bigmachine.corp.example.com.

  • CORP.EXAMPLE.COM is the Kerberos realm. Realms are discussed in Kerberos Realms.

The following are all valid principal names:

  • jdoe

  • jdoe/admin

  • jdoe/admin@CORP.EXAMPLE.COM

  • nfs/host.corp.example.com@CORP.EXAMPLE.COM

  • host/corp.example.com@CORP.EXAMPLE.COM
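As an added example (not code from the Solaris documentation), the parser below splits a name of the form primary[/instance]@REALM into the three components described above, treats jdoe and jdoe/admin as distinct principals, and fills in a caller-supplied default realm when the name carries none. The function names, the backslash-escaping rule, and the heuristic that an instance containing a dot is a fully qualified host name (so the principal is a service principal) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]   # None when the name carries no instance
    realm: Optional[str]      # None when no realm is given or defaulted


def parse_principal(name: str, default_realm: Optional[str] = None) -> Principal:
    """Split primary[/instance][@REALM] into its three components.

    An unescaped '/' ends the primary and an unescaped '@' starts the realm.
    A backslash makes the next character literal, so 'a\\/b' is a primary
    containing a slash. Only the three-component form from the text is
    accepted; a second unescaped '/' is rejected (assumption: multi-component
    instances are out of scope here).
    """
    fields = ["", "", ""]
    seen = [True, False, False]
    part = 0                          # 0 = primary, 1 = instance, 2 = realm
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):      # escaped character
            fields[part] += name[i + 1]
            i += 2
            continue
        if ch == "/" and part == 0:
            part, seen[1] = 1, True
        elif ch == "/" and part == 1:
            raise ValueError(f"more than one instance component: {name!r}")
        elif ch == "@" and part < 2:
            part, seen[2] = 2, True
        else:
            fields[part] += ch
        i += 1
    for idx, label in enumerate(("primary", "instance", "realm")):
        if seen[idx] and not fields[idx]:
            raise ValueError(f"empty {label} in principal {name!r}")
    instance = fields[1] if seen[1] else None
    realm = fields[2] if seen[2] else default_realm
    return Principal(fields[0], instance, realm)


def looks_like_service_principal(p: Principal) -> bool:
    """Service principals in the text use the primary 'host' or carry a fully
    qualified host name as the instance (assumption: an instance containing a
    dot is treated as an FQDN, so jdoe/admin still counts as a user)."""
    return p.primary == "host" or (p.instance is not None and "." in p.instance)
```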