This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/5413

Users sometimes prefer to use emails or other aliases when they authenticate. In some environments it is a requirement to be able to authenticate with an email address. We already have a ticket to allow aliases for hosts and services, #1365. This ticket calls for similar functionality, but for users.
Fixed upstream

master:
https://fedorahosted.org/freeipa/changeset/de6abc7af2dac7994b0fff4396115320d1a9a54d
https://fedorahosted.org/freeipa/changeset/e6fc8f84d3ad5fc4c030ad592a3d743c02393439
https://fedorahosted.org/freeipa/changeset/974eb7b5efd20ad2195b0ad578637ab31f4c1df4
https://fedorahosted.org/freeipa/changeset/c2af032c0333f7e210c54369159d1d9f5e3fec74
https://fedorahosted.org/freeipa/changeset/d1517482b5e9508780087ec48be63a5bb531fed9
https://fedorahosted.org/freeipa/changeset/7e803aa4625869ef6a8e78a09cd99270c4cc77e5
https://fedorahosted.org/freeipa/changeset/750a392fe22aa8ddcb21077e8c24b96d36ecf20c
https://fedorahosted.org/freeipa/changeset/a28d312796839e3413c98ee37d34ccc892e85357
https://fedorahosted.org/freeipa/changeset/e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17
https://fedorahosted.org/freeipa/changeset/acf2234ebc8609a35a8f45598d5d817cbdbff121
This bz was part of the rebase to 4.4.
I have removed '-C' from the "kinit as enterprise principal" part of doctext since according to kinit man page: """ -E treats the principal name as an enterprise name (implies the -C option). """ so "-E" automatically requests principal canonicalization. Otherwise LGTM.
Verified on ipa-server-4.4.0-7.el7:

# ipa user-add tuser --first test --last user --password
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser@TESTRELM
  Principal alias: tuser@TESTRELM
  Email address: tuser@testrelm.test
  UID: 1669000001
  GID: 1669000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@auto-hv-02-guest08 ~]# kinit tuser
Password for tuser@TESTRELM:
Password expired. You must change it now.
Enter new password:
Enter it again:

# kinit admin
Password for admin@TESTRELM:

# ipa user-add-principal tuser talias talias\\@ent.test
---------------------------------
Added new aliases to user "tuser"
---------------------------------
  User login: tuser
  Principal alias: talias@TESTRELM, talias\@ent.test@TESTRELM, tuser@TESTRELM

# kinit talias
Password for talias@TESTRELM:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_5ks0oe9
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:38:33  08/22/2016 23:38:30  krbtgt/TESTRELM@TESTRELM

# kinit -C talias
Password for talias@TESTRELM:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_OhZfJlN
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:39:00  08/22/2016 23:38:54  krbtgt/TESTRELM@TESTRELM

# kinit talias\\@ent.test
Password for talias\@ent.test@TESTRELM:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_2HXMy3a
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:40:02  08/22/2016 23:39:59  krbtgt/TESTRELM@TESTRE

# kinit -E talias@ent.test
Password for talias\@ent.test@TESTRELM:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_JEDF6Xy
Default principal: tuser@TESTRELM

Valid starting       Expires              Service principal
08/21/2016 23:40:37  08/22/2016 23:40:34  krbtgt/TESTRELM@TESTRELM
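
Added example, not part of the original thread and not FreeIPA or MIT krb5 code: a simplified Python model of how a principal string is split into components and realm, showing why "kinit -E talias@ent.test" and the escaped "talias\@ent.test" both name the alias in TESTRELM, while the unescaped string without -E names a principal in realm ent.test. The function names and the ALIASES table are assumptions built from the transcript above; the real lookup happens in the KDC.

```python
# Added example: simplified model of krb5 principal-name parsing (not FreeIPA code).
DEFAULT_REALM = "TESTRELM"           # realm from the verification transcript
ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}

def parse_name(text, enterprise=False, realm=DEFAULT_REALM):
    """Split a principal string into (components, realm); backslash quotes a char."""
    comps, cur, rlm, in_realm, first_at = [], [], [], False, True
    it = iter(text)
    for ch in it:
        if ch == "\\":
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("trailing backslash")
            (rlm if in_realm else cur).append(ESCAPES.get(nxt, nxt))
        elif ch == "@" and not (enterprise and first_at):
            if in_realm:
                raise ValueError("second realm separator")
            in_realm = True
        elif ch == "/" and not enterprise:
            if in_realm:
                raise ValueError("'/' inside realm")
            comps.append("".join(cur))
            cur = []
        else:
            if ch == "@":
                first_at = False     # enterprise: the first '@' stays in the name
            (rlm if in_realm else cur).append(ch)
    comps.append("".join(cur))
    return comps, ("".join(rlm) if in_realm else realm)

def unparse_name(comps, realm):
    """Inverse of parse_name: re-escape separators so the string round-trips."""
    def quote(s):
        for raw, esc in (("\\", "\\\\"), ("/", "\\/"), ("@", "\\@")):
            s = s.replace(raw, esc)
        return s
    return "/".join(quote(c) for c in comps) + "@" + quote(realm)

# Alias -> canonical principal, as listed by `ipa user-add-principal` above.
ALIASES = {a: "tuser@TESTRELM" for a in
           ("tuser@TESTRELM", "talias@TESTRELM", r"talias\@ent.test@TESTRELM")}

def canonical(text, enterprise=False):
    """Model of the alias lookup: client name string -> canonical principal or None."""
    return ALIASES.get(unparse_name(*parse_name(text, enterprise)))
```

In this model canonical("talias@ent.test") returns None because the name parses as user talias in realm ent.test, which is why the transcript needs either -E or the escaped "@".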
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html