9 The .k5identity file, which resides in a user's home directory,
10 contains a list of rules for selecting a client principals based on
11 the server being accessed. These rules are used to choose a
12 credential cache within the cache collection when possible.
14 Blank lines and lines beginning with ``#`` are ignored. Each line has
17 *principal* *field*\=\ *value* ...
19 If the server principal meets all of the field constraints, then
20 principal is chosen as the client principal. The following fields are
24 If the realm of the server principal is known, it is matched
25 against *value*, which may be a pattern using shell wildcards.
26 For host-based server principals, the realm will generally only be
27 known if there is a :ref:`domain_realm` section in
28 :ref:`krb5.conf(5)` with a mapping for the hostname.
31 If the server principal is a host-based principal, its service
32 component is matched against *value*, which may be a pattern using
36 If the server principal is a host-based principal, its hostname
37 component is converted to lower case and matched against *value*,
38 which may be a pattern using shell wildcards.
40 If the server principal matches the constraints of multiple lines
41 in the .k5identity file, the principal from the first matching
42 line is used. If no line matches, credentials will be selected
43 some other way, such as the realm heuristic or the current primary
50 The following example .k5identity file selects the client principal
51 ``alice@KRBTEST.COM`` if the server principal is within that realm,
52 the principal ``alice/root@EXAMPLE.COM`` if the server host is within
53 a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when
54 accessing the IMAP service on ``mail.example.com``::
56 alice@KRBTEST.COM realm=KRBTEST.COM
57 alice/root@EXAMPLE.COM host=*.servers.example.com
58 alice/mail@EXAMPLE.COM host=mail.example.com service=imap
64 kerberos(1), :ref:`krb5.conf(5)`