Unable to login to Linux after changing eUPN of the user

  • Last Post 21 January 2017
nidhin_ck posted this 20 January 2017

Hi Experts,

In our environment we have changed the eUPN of a few users so that their eUPN and email address match. But after this change those users are unable to log in to the Linux machine, which uses AD credentials for login.

Previously eUPN & iUPN were the same and there were no issues. Has anyone faced this issue before? I'm not a Linux guy, but our Linux team is unable to fix this issue. So if I get any input I can forward it to them to make the changes in their configuration file.


Regards,
Nidhin CK

barkills posted this 20 January 2017

I’m lost. What is an eUPN and an iUPN?

According to MSDN, I believe IUPN is the universal plug and play API interface. But I don’t think that’s what you are talking about at all.

I know what a UPN is. Ah … I think you are talking about the implicit UPN and an explicit UPN.

We set explicit UPNs that are different than the implicit UPN and have unix domain joined computers. I’ll see if I can’t find an example config file others here have shared.

Brian

daemonr00t posted this 20 January 2017

On top of Brian’s comments… was there a change in the domain portion of the UPN (after the @)?

Just wondering, as you might need to update the ktab files too…

~danny CS

nidhin_ck posted this 20 January 2017

Hi Brian & Danny,

Yes, I'm referring to implicit UPN and explicit UPN. Here we changed the explicit UPN to match our email address.

Before this change our implicit and explicit UPN were the same, e.g. nidhin@xxxxxxxxxxxxxxxx. Now we have changed our explicit UPN to nidhin.ck@xxxxxxxxxxxxxxxx so that it will match our email address.

After the above change Linux authentication stopped working.

Regards,
Nidhin CK

barkills posted this 20 January 2017

What method are these folks using to do the Linux authentication integration?

As I understand it, there are quite a few approaches. Here, our AD support folks are challenged to unravel the seemingly spaghetti-like nature of the different possible approaches because unix isn’t our forte. So we ended up trying to capture the ones we heard our customers share. Those are documented here:

https://wiki.cac.washington.edu/x/nCwJB

I don’t know how much of it would translate to your environment, but it might be helpful. I guess at a minimum it might be helpful to know that there isn’t a single way to do unix -> AD integration.

Brian

nidhin_ck posted this 20 January 2017

Thanks a lot Brian! I will check this with our team.

Regards,
Nidhin CK

jeremyts posted this 21 January 2017

Nice reference Brian! I reference those Red Hat whitepapers every time I do a Linux integration. They really give you the pros and cons to help with decisions.

What’s the style of integration, Nidhin? Winbind, sssd, etc.?

If you’re using sssd, you may need to change the “krb5_realm” in the sssd.conf and/or krb5.conf, or remove the ldap_user_principal = userPrincipalName line in the sssd.conf. I’ve never tried it with an alternate UPN that doesn’t match the domain FQDN, but there is a section on potential problems here that has a good explanation:

https://thornelabs.net/2014/01/30/authenticate-rhel-5-and-6-sssd-using-kerberos-and-ldap-against-active-directory-on-windows-server-2008-r2.html

Also set the debug level to 5 for pam in the sssd.conf file. The debug logs should give you some valid info that you can use to help locate the issue.

I’ve never used Winbind, so I can’t help you there. But I think it would be something similar.

Cheers,

Jeremy
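The three sssd.conf settings named in the reply above can be checked mechanically. The following is an added example, not part of the original thread or any poster's configuration; the sample sssd.conf, the realm EXAMPLE.COM, the UPN and the function name check_sssd_upn are constructed placeholders.

```python
import configparser

# Constructed sample sssd.conf (placeholder realm; not taken from the thread).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.com

[pam]

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
ldap_user_principal = userPrincipalName
"""

def check_sssd_upn(conf_text, explicit_upn):
    """Return findings for the sssd.conf settings discussed in the thread."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    # Domain part of the explicit UPN, compared case-insensitively to the realm.
    suffix = explicit_upn.rsplit("@", 1)[-1].upper()
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        realm = dom.get("krb5_realm", "").strip()
        attr = dom.get("ldap_user_principal", "").strip()
        if attr.lower() == "userprincipalname":
            findings.append(f"{section}: Kerberos principal is read from userPrincipalName")
            if realm and realm.upper() != suffix:
                findings.append(f"{section}: UPN suffix {suffix} differs from krb5_realm {realm}")
    # PAM responder logging: flag when debug_level is unset or a decimal value below 5.
    level = cfg.get("pam", "debug_level", fallback="").strip()
    if not level or (level.isdigit() and int(level) < 5):
        findings.append("[pam]: debug_level is unset or below 5")
    return findings

if __name__ == "__main__":
    # Constructed UPN whose suffix no longer matches the realm.
    for finding in check_sssd_upn(SAMPLE_SSSD_CONF, "nidhin.ck@mail.example.org"):
        print(finding)
```

Run it against a copy of the real /etc/sssd/sssd.conf text and one affected user's new UPN; an empty result means none of the three conditions from the reply apply.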



 
