Shane Frasier via FreeIPA-users wrote:
> Hello,
>
> Apologies for reviving an old thread, but I was wondering if there is
> any way to turn this replication on for our local FreeIPA cluster? I'd
> like to use the krbLastAuthentication data to disable inactive users,
> but the timestamps are reset every time I upgrade the cluster.

To enable it you need to remove "KDC:Disable Last Success" from the
password plugin feature configuration.

By default it is:

    Password plugin features: AllowNThash, KDC:Disable Last Success

You can drop it using something like:

    ipa config-mod --ipaconfigstring AllowNThash

You only need to do this on one server. The change will replicate to the
others.

Note that depending on how many authentications you have you'll notice
the additional replication. It will most likely be worse in the mornings.

To re-enable it you use a similar command:

    ipa config-mod --ipaconfigstring={AllowNThash,"KDC:Disable Last Success"}

rob
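
Added example, not part of the original message: `ipa config-mod --ipaconfigstring` replaces the whole feature list, so a server that has more than the two default features set would lose the extras if the command above were copied as-is. This sketch derives the command from the current `ipa config-show` output instead; the function names and the sample text (including the extra `KDC:Disable Lockout` entry) are constructed here.

```shell
#!/bin/sh
# Constructed sample of the relevant `ipa config-show` line, with one extra
# feature (KDC:Disable Lockout) added to show that it is preserved.
SAMPLE='  Password plugin features: AllowNThash, KDC:Disable Last Success, KDC:Disable Lockout'

# features_without TEXT FEATURE
# Print every password plugin feature found in TEXT except FEATURE, one per line.
features_without() {
    printf '%s\n' "$1" | awk -v drop="$2" '
        sub(/^[ \t]*Password plugin features:[ \t]*/, "") {
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] != "" && f[i] != drop) print f[i]
            }
        }'
}

# config_mod_command TEXT FEATURE
# Print the `ipa config-mod` command that keeps all features except FEATURE.
# Feature names are assumed not to contain single quotes.
config_mod_command() {
    features_without "$1" "$2" | {
        cmd='ipa config-mod'
        n=0
        while IFS= read -r feat; do
            cmd="$cmd --ipaconfigstring='$feat'"
            n=$((n + 1))
        done
        # No features left: an empty value clears the attribute.
        [ "$n" -gt 0 ] || cmd="$cmd --ipaconfigstring="
        printf '%s\n' "$cmd"
    }
}

# Demo on the constructed sample. On a real server, pass "$(ipa config-show)".
config_mod_command "$SAMPLE" 'KDC:Disable Last Success'
```

Review the printed command before running it; as in the message above, it only needs to be run on one server.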