Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

20.2. Managing Kerberos Principal Aliases for Users, Hosts, and Services

When you create a new user, host, or service, a Kerberos principal in the following format is automatically added:
  • user_name@REALM
  • host/host_name@REALM
  • service_name/host_name@REALM
In some scenarios, it is beneficial for the administrator to enable users, hosts, or services to authenticate against Kerberos applications using an alias, for example:
  • The user name changed, but the user should be able to login using both the previous and new user name.
  • The user needs to log in using the email address even if the IdM Kerberos realm differs from the email domain.
Note that if you rename a user, the object keeps the aliases and the previous canonical principal name.

20.2.1. Kerberos Principal Alias
Copia collegamento

Adding a Kerberos Principal Alias

To add the alias name useralias to the account user, enter: 
[root@ipaserver ~]# ipa user-add-principal user useralias
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, useralias@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To add an alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.
If you use an alias name to authenticate, pass the -C option to the kinit command: 
[root@ipaserver ~]# kinit -C useralias
Password for user@IDM.EXAMPLE.COM:
Copy to Clipboard Toggle word wrap

Removing a Kerberos Principal Alias

To remove the alias useralias from the account user, enter: 
[root@ipaserver ~]# ipa user-remove-principal user useralias
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.
Note that you cannot remove the canonical principal name: 
[root@ipaserver ~]# ipa user-show user
  User login: user
  ...
  Principal name: user@IDM.EXAMPLE.COM
  ...

[root@ipaserver ~]# ipa user-remove-principal user user
ipa: ERROR: invalid 'krbprincipalname': at least one value equal to the canonical principal name must be present
Copy to Clipboard Toggle word wrap

20.2.2. Kerberos Enterprise Principal Alias
Copia collegamento

Enterprise principal aliases can use any domain suffix except for user principal name (UPN) suffixes, NetBIOS names, or domain names of trusted Active Directory forest domains.
Note
When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error: 
ipa: ERROR: The realm for the principal does not match the realm for this IPA server
Copy to Clipboard Toggle word wrap

Adding a Kerberos Enterprise Principal Alias

To add the enterprise principal alias user@example.com to the user account: 
[root@ipaserver ~]# ipa user-add-principal user user\\@example.com
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, user\@example.com@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To add an enterprise alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.
If you use an enterprise principal name to authenticate, pass the -E option to the kinit command: 
[root@ipaserver ~]# kinit -E user@example.com
Password for user\@example.com@IDM.EXAMPLE.COM:
Copy to Clipboard Toggle word wrap

Removing a Kerberos Enterprise Principal Alias

To remove the enterprise principal alias user@example.com from the account user, enter: 
[root@ipaserver ~]# ipa user-remove-principal user user\\@example.com
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
Copy to Clipboard Toggle word wrap
To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat