Hi folks,
Environment: AWS-based FreeIPA cluster with its own unique realm/domain that is bound to the AD domain of the real COMPANY.COM and a fairly complex forest
We have a functional FreeIPA system at the moment where AD users from COMPANY.COM can login
- via <crypticshortname>@CHILD-DOMAIN.COMPANY.COM on older systems
- via <crypticshortname>@COMPANY.COM on newer systems with fresh SSSD (thank you AD search domains, heh!)
But we've gotten word from AD admins that they want to change the UPN from <crypticshortname> to "<firstname>.<lastname>@company.com" and, although I did not witness it, supposedly when they made the change all SSH logins to our FreeIPA managed systems broke.
I'm still not 100% convinced that things broke and we'll be testing more this week --- but now I'm motivated to try to get ahead of any potential problems ...
Looking for documentation and URLS to read or general tips and advice regarding any impact or changes needed on FreeIPA when the UPN on Active Directory changes format.
In particular:
- What happens to existing IPA user groups of type "external" when we've listed those AD usernames via their <shortname>@CHILD-DOMAIN.COMPANY.COM and the UPN is now different? Do we have to go update/change/fix all of our external users? If so, do those changes propagate into all of the other RBAC rules or are we looking at an entire rebuild/reset of our RBAC and user environment?
- Any FreeIPA changes or settings to look at or alter when UPN changes format?
I'm probably missing other major questions to ask so any other tips or advice would be appreciated.
Regards Chris
On Mon, Jul 22, 2019 at 07:26:19AM -0400, Chris Dagdigian via FreeIPA-users wrote:
> Hi folks,
> Environment: AWS-based FreeIPA cluster with its own unique realm/domain that is bound to the AD domain of the real COMPANY.COM and a fairly complex forest
> We have a functional FreeIPA system at the moment where AD users from COMPANY.COM can login
> - via <crypticshortname>@CHILD-DOMAIN.COMPANY.COM on older systems
> - via <crypticshortname>@COMPANY.COM on newer systems with fresh SSSD (thank you AD search domains, heh!)
> But we've gotten word from AD admins that they want to change the UPN from <crypticshortname> to "<firstname>.<lastname>@company.com" and, although I did not witness it, supposedly when they made the change all SSH logins to our FreeIPA managed systems broke.
All logins or logins of the users that changed their UPN format? Do you use the UPN to log in or do you use the samaccountname@domain login format and still the login breaks?
> I'm still not 100% convinced that things broke and we'll be testing more this week --- but now I'm motivated to try to get ahead of any potential problems ...
> Looking for documentation and URLS to read or general tips and advice regarding any impact or changes needed on FreeIPA when the UPN on Active Directory changes format.
> In particular:
> - What happens to existing IPA user groups of type "external" when we've listed those AD usernames via their <shortname>@CHILD-DOMAIN.COMPANY.COM and the UPN is now different? Do we have to go update/change/fix all of our external users? If so, do those changes propagate into all of the other RBAC rules or are we looking at an entire rebuild/reset of our RBAC and user environment?
I don't think so; the links are stored as SIDs, which should remain the same.
> - Any FreeIPA changes or settings to look at or alter when UPN changes format?
As long as the UPN suffix was already known, I would /hope/ that you shouldn't need to do anything. The only thing that comes to mind might be to expire the caches, at least on the IPA masters. Otherwise the clients, even if their cache is expired, might fetch the old UPN from the masters and try to use that.
> I'm probably missing other major questions to ask so any other tips or advice would be appreciated.
> Regards Chris
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
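The reply above makes two practical points: external group membership is keyed by SID, not by the AD name, and SSSD caches should be expired on the IPA masters before the clients. The script below is an added example (not from the thread or the FreeIPA project) showing how to check both on a FreeIPA master. The group name, description and SIDs in SAMPLE_GROUP_SHOW are constructed to look like `ipa group-show` output; extract_external_sids, count_external_sids, expire_sssd_cache and check_user_lookup are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a FreeIPA master with
# the ipa and sssd tools installed; the sample text below is constructed.

# Pull the "External member:" line(s) out of `ipa group-show` output and
# print only well-formed domain SIDs (S-1-5-21-<3 subauths>-<RID>), one
# per line. If this prints SIDs rather than names, a UPN change does not
# touch the membership and no RBAC rebuild is needed.
extract_external_sids() {
    # $1 = captured output of `ipa group-show <external-group>`
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*External member:[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -E '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$'
}

# Constructed sample of what `ipa group-show ad_users_external` prints.
# Group name and SIDs are made up for illustration.
SAMPLE_GROUP_SHOW='  Group name: ad_users_external
  Description: AD users allowed on Linux hosts
  External member: S-1-5-21-3623811015-3361044348-30300820-1013, S-1-5-21-3623811015-3361044348-30300820-1104
  Member of groups: ad_users'

# Number of SID-keyed members in the constructed sample.
count_external_sids() {
    extract_external_sids "$SAMPLE_GROUP_SHOW" | wc -l | tr -d ' '
}

# Expire the SSSD cache on this host. Run on every IPA master first, then
# on the clients, so a client that refreshes does not pull the old UPN
# from a master's cache. Needs root; not exercised by the checks above.
expire_sssd_cache() {
    sss_cache -E          # mark every cached user/group entry as expired
    # If a stale entry survives expiry, drop the cache DB entirely:
    # systemctl stop sssd && rm -f /var/lib/sss/db/* && systemctl start sssd
}

# After the flush, resolve the AD user under each login form that is in
# use (short name at child domain, short name at forest root, new UPN) to
# see which ones SSSD still accepts. Pass real names as arguments.
check_user_lookup() {
    for u in "$@"; do
        if getent passwd "$u" >/dev/null 2>&1; then
            echo "OK   $u"
        else
            echo "FAIL $u"
        fi
    done
}

# Typical use on a master (uncomment to run for real):
# extract_external_sids "$(ipa group-show ad_users_external)"
# expire_sssd_cache
# check_user_lookup 'jdoe@CHILD-DOMAIN.COMPANY.COM' 'jdoe@COMPANY.COM' 'john.doe@company.com'
```

Run the lookup check before and after the AD change and diff the results; a name form that flips from OK to FAIL only after `sss_cache -E` on the masters is the one the AD admins removed, while one that fails only until the flush was a stale cache entry.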