Shane Frasier wrote: > Rob, > > I do that, but currently when I upgrade my FreeIpa cluster I lose all > the last login timestamps. After the upgrade ipa user-status shows them > all to be the value N/A.
That doesn't make sense. IPA definitely does not wipe data from user entries on upgrade. I can see an upgrade attempting to set the password plugin defaults and wiping out configuration changes but I can't replicate this behavior. You could, for example, enable the 389-ds audit log then run the upgrade. This would show whether changes were made. rob > I upgrade my three-node cluster (in AWS) by: > 1. Removing node 0 as a replica > 2. Redeploying node 0 with an updated AMI that has the latest versions > of the OS and FreeIPA > 3. Re-adding node 0 to the cluster as a replica > 4. Repeat for node 1 > 5. Repeat for node 2 > > When my script to disable inactive users kicks off it looks like all the > users were created months or years ago but never logged in, so they all > get disabled. How do I get the last login timestamps to persist across > upgrades? > > Thanks, > Shane > > On Wed, May 28, 2025, 4:14 PM Rob Crittenden <[email protected] > <mailto:[email protected]>> wrote: > > Shane Frasier via FreeIPA-users wrote: > > Hello, > > > > Apologies for reviving an old thread, but I was wondering if there is > > any way to turn this replication on for our local FreeIPA > cluster? I'd > > like to use the krbLastAuthentication data to disable inactive users, > > but the timestamps are reset every time I upgrade the cluster. > > To enable it you need to remove "KDC:Disable Last Success" from the > password plugin feature configuration. > > By default it is: > > Password plugin features: AllowNThash, KDC:Disable Last Success > > You can drop it using something like: > > ipa config-mod --ipaconfigstring AllowNThash > > You only need to do this on one server. The change will replicate to the > others. > > Note that depending on how many authentications you have you'll notice > the additional replication. It will most likely be worse in the > mornings. > > To re-enable it you use a similar command: > > ipa config-mod --ipaconfigstring={AllowNThash,"KDC:Disable Last > Success"} > > rob > -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
