Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 12. Managing Kerberos principal aliases for users, hosts, and services

Manage Kerberos principal aliases for users, hosts, and services in Identity Management (IdM) to enable authentication with alternative names. Aliases allow users to log in with multiple names, such as a previous username or an email address.

When you create a new user, host, or service, a Kerberos principal in the following format is automatically added:

  • user_name@REALM
  • host/host_name@REALM
  • service_name/host_name@REALM

Administrators can enable users, hosts, or services to authenticate against Kerberos applications using an alias. This is beneficial in the following scenarios:

  • The user name changed and the user wants to log in using both the previous and new user name.
  • The user needs to log in using the email address even if the IdM Kerberos realm differs from the email domain.

Note that if you rename a user, the object keeps the aliases and the previous canonical principal name.

12.1. Adding a Kerberos principal alias
Copiar o link

You can associate alias names with existing Kerberos principals in an Identity Management (IdM) environment. This enhances security and simplifies authentication processes within the IdM domain.

Procedure

  • To add the alias name useralias to the account user, enter: 

    # ipa user-add-principal <user> <useralias>
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, useralias@IDM.EXAMPLE.COM

    To add an alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.

    If you use an alias name to authenticate, use the -C option with the kinit command: 

    # kinit -C <useralias>
Password for <user>@IDM.EXAMPLE.COM:

12.2. Removing a Kerberos principal alias
Copiar o link

Remove principal Kerberos aliases from users, hosts, or services to clean up authentication credentials after organizational changes.

Procedure

  • To remove the alias useralias from the account user, enter: 

    # ipa user-remove-principal <user> <useralias>
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM

    To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.

    Note that you cannot remove the canonical principal name: 

    # ipa user-show <user>
  User login: user
  ...
  Principal name: user@IDM.EXAMPLE.COM
  ...

# ipa user-remove-principal user user
ipa: ERROR: invalid 'krbprincipalname': at least one value equal to the canonical principal name must be present

12.3. Adding a Kerberos enterprise principal alias
Copiar o link

Associate enterprise principal alias names with Kerberos principals in Identity Management (IdM) to provide flexible authentication options across different domains. With this, users can authenticate by using alternative domain suffixes while maintaining a single identity. 

Enterprise principal aliases can use any domain suffix except for user principal name (UPN) suffixes, NetBIOS names, or domain names of trusted Active Directory forest domains.

Procedure

  • To add the enterprise principal alias user@example.com to the user account: 

    # ipa user-add-principal <user> <user\\@example.com>
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, user\@example.com@IDM.EXAMPLE.COM

    To add an enterprise alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.

    Note

    When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error: 

    ipa: ERROR: The realm for the principal does not match the realm for this IPA server.

    If you use an enterprise principal name to authenticate, use the -E option with the kinit command: 

    # kinit -E <user@example.com>
Password for user\@example.com@IDM.EXAMPLE.COM:

12.4. Removing a Kerberos enterprise principal alias
Copiar o link

Remove enterprise principal aliases from users, hosts, or services to clean up authentication credentials after organizational changes.

Procedure

  • To remove the enterprise principal alias user@example.com from the account user, enter: 

    # ipa user-remove-principal <user> <user\\@example.com>
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM

    To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.

    Note

    When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error: 

    ipa: ERROR: The realm for the principal does not match the realm for this IPA server
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2026 Red HatVoltar ao topo