Excursus to principals
Kerberos objects that can be authenticated are called principals. Principals consist of three parts:
primary/instance@realm
We already know what a realm is (or could be), but what are primary and instance? From the manpage of kerberos we learn, that the primary is usually a username or a service. The instance is usually null in case of a username, then the principal can be written as:
username@realm
In our case the instance is admin which denotes that we only want to select users that are in a "privileged instance". In case of a service, the instance is usually a hostname:
service/hostname@realm