Rob,

I do that, but currently when I upgrade my FreeIPA cluster I lose all the
last login timestamps. After the upgrade ipa user-status shows them all to
be the value N/A.

I upgrade my three-node cluster (in AWS) by:
1. Removing node 0 as a replica
2. Redeploying node 0 with an updated AMI that has the latest versions of
the OS and FreeIPA
3. Re-adding node 0 to the cluster as a replica
4. Repeat for node 1
5. Repeat for node 2

When my script to disable inactive users kicks off it looks like all the
users were created months or years ago but never logged in, so they all get
disabled. How do I get the last login timestamps to persist across upgrades?

Thanks,
Shane

On Wed, May 28, 2025, 4:14 PM Rob Crittenden <[email protected]> wrote:

> Shane Frasier via FreeIPA-users wrote:
> > Hello,
> >
> > Apologies for reviving an old thread, but I was wondering if there is
> > any way to turn this replication on for our local FreeIPA cluster?  I'd
> > like to use the krbLastAuthentication data to disable inactive users,
> > but the timestamps are reset every time I upgrade the cluster.
>
> To enable it you need to remove "KDC:Disable Last Success" from the
> password plugin feature configuration.
>
> By default it is:
>
>  Password plugin features: AllowNThash, KDC:Disable Last Success
>
> You can drop it using something like:
>
> ipa config-mod --ipaconfigstring AllowNThash
>
> You only need to do this on one server. The change will replicate to the
> others.
>
> Note that depending on how many authentications you have you'll notice
> the additional replication. It will most likely be worse in the mornings.
>
> To re-enable it you use a similar command:
>
> ipa config-mod --ipaconfigstring={AllowNThash,"KDC:Disable Last Success"}
>
> rob
>
>
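An added example (not from either poster and not FreeIPA code) of a guard for the inactivity script described above: a user whose last login shows N/A is only disabled once every server has been recording for a full idle window. Assumptions: the `ipa user-status` output carries one "Last successful authentication" line per server, the sample text and host names are constructed, and `last_rebuild` is a hypothetical input that the upgrade automation would supply.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `ipa user-status` output (one block per server).
SAMPLE_AFTER_UPGRADE = """\
  Server: ipa0.example.test
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
  Server: ipa1.example.test
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
"""

def parse_ts(value):
    """Return an aware UTC datetime, or None when the field is N/A or empty."""
    value = value.strip()
    if value in ("", "N/A"):
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y%m%d%H%M%SZ"):  # both layouts accepted (assumption)
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {value!r}")

def last_success(status_text):
    """Newest successful-authentication time reported by any server, or None."""
    stamps = []
    for line in status_text.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep and key == "Last successful authentication":
            stamps.append(parse_ts(val))
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None

def decide(status_text, now, max_idle, last_rebuild):
    """Return 'keep', 'disable' or 'review'. last_rebuild (hypothetical input) is when
    the most recently redeployed server came back; older logins may be lost with it."""
    last = last_success(status_text)
    if last is not None and now - last <= max_idle:
        return "keep"
    if now - last_rebuild >= max_idle:
        return "disable"  # every server has recorded for a full idle window
    return "review"       # records do not cover the window: absence proves nothing
```
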