Ales Rozmarin via FreeIPA-users wrote:
> Hi guys,
>
> I'm not sure if this is OK or not. I have two FreeIPA servers, and when a user
> gets locked I can see this only on one server. I checked ipa-healthcheck and
> both servers are working OK. Do I have to change any settings for that, or is
> this how the system works? In future I'm planning to add a few more servers,
> and I think when a user gets locked it won't be very convenient to go through
> 4-5 servers to find the locked user.
> I'm running IPA 4.10.2 on Rocky 9.3.
>
> I read a post from 7 years ago saying that it is in the system, but I wonder
> if anything has changed since then?
Replicating success/failures is expensive. It was enabled early on and the impact was noticeable.

You can use the ipa user-status command to determine which system(s) a user is locked out on.

Alternatively, if you remove krblastsuccessfulauth and krblastfailedauth from the replication agreements' exclude list they will replicate. You'd have to do this manually on every existing and future server. Also, lastsuccessfulauth is not retained unless you remove "KDC:Disable Last Success" from the config string:

ipa config-mod --ipaconfigstring ...

As mentioned, this is strongly discouraged.

rob
--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
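As an added example (not code from this thread or from the FreeIPA project), a POSIX shell helper that asks each replica for its own lockout counters, since those counters are kept per server rather than replicated, and reports users at or above the password policy's maxfail. The attribute names krbLoginFailedCount and krbLastFailedAuth, the ldapsearch invocation, BASE_DN and the sample LDIF are assumptions supplied here, not taken from the message.

```shell
#!/bin/sh
# Added example, not from the thread: report users whose per-replica lockout
# counter has reached the password policy's maxfail.  FreeIPA keeps
# krbLoginFailedCount and krbLastFailedAuth on each server (they are on the
# replication exclude list), so every replica must be queried separately.
# Assumptions: the attribute names, the ldapsearch/GSSAPI invocation and
# BASE_DN are not from the thread; the LDIF below is constructed sample data.

# report_locked MAXFAIL   (LDIF on stdin)
# Prints "uid failedcount lastfailed" for each entry at or above MAXFAIL.
report_locked() {
  awk -v maxfail="$1" '
    BEGIN                    { last = "-" }
    /^uid: /                 { uid = $2 }
    /^krbLoginFailedCount: / { count = $2 }
    /^krbLastFailedAuth: /   { last = $2 }
    /^$/                     { emit(); uid = ""; count = 0; last = "-" }
    END                      { emit() }
    function emit() {
      if (uid != "" && count + 0 >= maxfail + 0) print uid, count, last
    }'
}

# locked_on_replicas MAXFAIL HOST...   (needs ldapsearch and a Kerberos
# ticket; not executed in this file).  Queries each replica over LDAPS and
# prefixes the host name, so the output shows where the lockout actually lives.
locked_on_replicas() {
  maxfail="$1"; shift
  for host in "$@"; do
    ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI -H "ldaps://$host" \
      -b "cn=users,cn=accounts,${BASE_DN:-dc=example,dc=test}" \
      '(krbLoginFailedCount=*)' uid krbLoginFailedCount krbLastFailedAuth \
      | report_locked "$maxfail" | sed "s/^/$host /"
  done
}

# Constructed sample LDIF, shaped like what one replica would return.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLoginFailedCount: 6
krbLastFailedAuth: 20240115101530Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLoginFailedCount: 2
krbLastFailedAuth: 20240115093000Z
'

# Demo against the sample: with maxfail=6 only alice is reported.
printf '%s' "$SAMPLE_LDIF" | report_locked 6
```

Run `locked_on_replicas 6 ipa1.example.test ipa2.example.test` (placeholder host names) with a valid ticket to see the same report per replica.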
