Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

20.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services

When you create a new user, host, or service, a Kerberos principal in the following format is automatically added:
  • user_name@REALM
  • host/host_name@REALM
  • service_name/host_name@REALM
In some scenarios, it is beneficial for the administrator to enable users, hosts, or services to authenticate against Kerberos applications using an alias, for example:
  • The user name changed, but the user should be able to login using both the previous and new user name.
  • The user needs to log in using the email address even if the IdM Kerberos realm differs from the email domain.
Note that if you rename a user, the object keeps the aliases and the previous canonical principal name.

20.2.1. Kerberos Principal Alias
Copiar enlace

Adding a Kerberos Principal Alias

To add the alias name useralias to the account user, enter: 
[root@ipaserver ~]# ipa user-add-principal user useralias
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, useralias@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To add an alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.
If you use an alias name to authenticate, pass the -C option to the kinit command: 
[root@ipaserver ~]# kinit -C useralias
Password for user@IDM.EXAMPLE.COM:
Copy to Clipboard Toggle word wrap

Removing a Kerberos Principal Alias

To remove the alias useralias from the account user, enter: 
[root@ipaserver ~]# ipa user-remove-principal user useralias
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.
Note that you cannot remove the canonical principal name: 
[root@ipaserver ~]# ipa user-show user
  User login: user
  ...
  Principal name: user@IDM.EXAMPLE.COM
  ...

[root@ipaserver ~]# ipa user-remove-principal user user
ipa: ERROR: invalid 'krbprincipalname': at least one value equal to the canonical principal name must be present
Copy to Clipboard Toggle word wrap

20.2.2. Kerberos Enterprise Principal Alias
Copiar enlace

Enterprise principal aliases can use any domain suffix except for user principal name (UPN) suffixes, NetBIOS names, or domain names of trusted Active Directory forest domains.
Note
When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error: 
ipa: ERROR: The realm for the principal does not match the realm for this IPA server
Copy to Clipboard Toggle word wrap

Adding a Kerberos Enterprise Principal Alias

To add the enterprise principal alias user@example.com to the user account: 
[root@ipaserver ~]# ipa user-add-principal user user\\@example.com
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, user\@example.com@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To add an enterprise alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.
If you use an enterprise principal name to authenticate, pass the -E option to the kinit command: 
[root@ipaserver ~]# kinit -E user@example.com
Password for user\@example.com@IDM.EXAMPLE.COM:
Copy to Clipboard Toggle word wrap

Removing a Kerberos Enterprise Principal Alias

To remove the enterprise principal alias user@example.com from the account user, enter: 
[root@ipaserver ~]# ipa user-remove-principal user user\\@example.com
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat