Hi folks,
Environment: AWS-based FreeIPA cluster with its own unique realm/domain
that is bound to the AD domain of the real COMPANY.COM and a fairly
complex forest.
We have a functional FreeIPA system at the moment where AD users from
COMPANY.COM can log in
- via <crypticshortname>@CHILD-DOMAIN.COMPANY.COM on older systems
- via <crypticshortname>@COMPANY.COM on newer systems with fresh SSSD
(thank you, AD search domains, heh!)
But we've gotten word from the AD admins that they want to change the UPN
from <crypticshortname> to "<firstname>.<lastname>@company.com", and,
although I did not witness it, supposedly when they made the change all
SSH logins to our FreeIPA-managed systems broke.
I'm still not 100% convinced that things broke and we'll be testing more
this week --- but now I'm motivated to try to get ahead of any
potential problems ...
Looking for documentation and URLs to read, or general tips and advice,
regarding any impact or changes needed on FreeIPA when the UPN on Active
Directory changes format.
In particular:
- What happens to existing IPA user groups of type "external" when we've
listed those AD usernames via their
<shortname>@CHILD-DOMAIN.COMPANY.com and the UPN is now different? Do
we have to go update/change/fix all of our external users? If so, do
those changes propagate into all of the other RBAC rules, or are we
looking at an entire rebuild/reset of our RBAC and user environment?
- Any FreeIPA changes or settings to look at or alter when UPN changes
format?
I'm probably missing other major questions to ask so any other tips or
advice would be appreciated.
Regards,
Chris