On Mon, Jul 22, 2019 at 07:26:19AM -0400, Chris Dagdigian via FreeIPA-users wrote:
> Hi folks,
>
> Environment: AWS-based FreeIPA cluster with its own unique realm/domain
> that is bound to the AD domain of the real COMPANY.COM and a fairly
> complex forest
>
> We have a functional FreeIPA system at the moment where AD users from
> COMPANY.COM can log in
>
> - via <crypticshortname>(a)CHILD-DOMAIN.COMPANY.COM on older systems
> - via <crypticshortname>(a)COMPANY.COM on newer systems with fresh SSSD
>   (thank you AD search domains, heh!)
>
> But we've gotten word from AD admins that they want to change the UPN from
> <crypticshortname> to "<firstname>.<lastname>(a)company.com" and although I
> did not witness it, supposedly when they made the change, all SSH logins to
> our FreeIPA managed systems broke.
All logins or logins of the users that changed their UPN format? Do you
use the UPN to log in or do you use the samaccountname@domain login
format and still the login breaks?
> I'm still not 100% convinced that things broke and we'll be testing more
> this week --- but now I'm motivated to try to get ahead of any potential
> problems ...
>
> Looking for documentation and URLs to read or general tips and advice
> regarding any impact or changes needed on FreeIPA when the UPN on Active
> Directory changes format.
>
> In particular:
>
> - What happens to existing IPA user groups of type "external" when we've
> listed those AD usernames via their <shortname>(a)CHILD-DOMAIN.COMPANY.com
> and the UPN is now different? Do we have to go update/change/fix all of our
> external users? If so, do those changes propagate into all of the other
> RBAC rules or are we looking at an entire rebuild/reset of our RBAC and user
> environment?
I don't think so, the links are stored as SIDs, which should remain the
same..
> - Any FreeIPA changes or settings to look at or alter when UPN changes
> format?
As long as the UPN suffix was already known, I would /hope/ that you
shouldn't need to do anything. The only thing that comes to mind might
be to expire the caches, at least on the IPA masters. Otherwise the
clients, even if their cache is expired, might fetch the old UPN from
the masters and try to use that..
>
> I'm probably missing other major questions to ask so any other tips or
> advice would be appreciated.
>
> Regards
> Chris
>
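As an added example that is not part of this thread, a pre-change check an admin could run on an IPA master: it confirms that the external group links are stored as SIDs (so a UPN rename cannot break them) and then expires the SSSD cache as suggested above. The group name, the new login and the exact `ipa group-show` output layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes 'ipa' and 'sss_cache' are on
# PATH on an IPA master and the admin holds a valid Kerberos ticket.
# GROUP and NEW_LOGIN are hypothetical values.

# Print the external members (one per line) parsed from 'ipa group-show' text.
external_members() {
    printf '%s\n' "$1" | sed -n 's/^ *External member: *//p' \
        | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -v '^$' || true
}

# Succeed only if every line is an AD domain SID (S-1-5-21-<3 subauthorities>-<RID>),
# i.e. the group stores a stable identifier rather than a renamable UPN.
is_sid_list() {
    [ -n "$1" ] || return 1
    if printf '%s\n' "$1" | grep -Eqv '^S-1-5-21-([0-9]+-){3}[0-9]+$'; then
        return 1
    fi
    return 0
}

main() {
    group="${GROUP:-ad_users_external}"          # hypothetical external group
    login="${NEW_LOGIN:-first.last@company.com}" # hypothetical renamed UPN

    members=$(external_members "$(ipa group-show "$group" --all)")
    if is_sid_list "$members"; then
        echo "OK: $group links members by SID; a UPN rename should not affect it"
    else
        echo "WARN: non-SID external members in $group:"; printf '%s\n' "$members"
    fi

    # Drop cached AD entries on this master so clients do not refetch the old UPN.
    sss_cache -E

    # Confirm the renamed principal still resolves through SSSD after the flush.
    getent passwd "$login" || echo "WARN: $login does not resolve via SSSD"
}

if [ "${1-}" = "run" ]; then
    main
fi
```

Run it as `sh check-upn.sh run` on each IPA master; the per-client caches are handled by the clients' own SSSD expiry.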