Shane Frasier via FreeIPA-users wrote:
> Hi Rob,
>
> When I perform step 1 I use, e.g.:
> ipa server-del --ignore-topology-disconnect ipa0.<domain>
> for id in $(ipa cert-find --sizelimit=0 --status=VALID --subject=ipa0.<domain> | grep "Serial number:" | sed "s/^\ *Serial number: //"); do ipa cert-revoke $id --revocation-reason=5; done
> ipa-replica-manage del ipa0.<domain>
>
> It occurred to me that perhaps the "ipa server-del" command is overly
> aggressive and causing the last authentication timestamps to be deleted.
> Should I drop that step? Would I then need to un-join ipa0 from the domain
> after the "ipa-replica-manage" command?
>
> If the process for this sort of in situ upgrade is documented someplace then
> feel free to simply point me there. I searched but didn't find it.

As I've said before, IPA doesn't systematically delete user attributes upon removing a server or upgrading a server. It would generate a literal storm of replication events, which is something we try hard to avoid.

Since this is reproducible for you, I'd suggest enabling audit logging on a server you plan to keep. Verify that the last authentication date exists in at least some user entries, then set up a new replica and remove it using your process. You should see MOD for all those users. It may help you identify the source.

rob
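
An example of the audit-log check suggested in the reply above, added here and not part of the original thread or of FreeIPA's own tooling: it scans a 389-ds audit log for modifications that strip the last-authentication attribute and reports the time, entry and modifier. The attribute name krbLastSuccessfulAuth, the record layout and the sample log are assumptions constructed for illustration.

```python
import re

WATCHED = "krblastsuccessfulauth"  # assumed name of the last-auth attribute
OP = re.compile(r"^(add|delete|replace): (\S+)$", re.I)
# Constructed sample in the 389-ds audit log layout; not real log data.
SAMPLE = """\
time: 20240105101500
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: krbLastSuccessfulAuth
krbLastSuccessfulAuth: 20240105101500Z
-

time: 20240105110200
dn: uid=bob,cn=users,cn=accounts,
 dc=example,dc=test
changetype: modify
delete: krbLastSuccessfulAuth
-
replace: modifiersName
modifiersName: uid=admin,cn=users,cn=accounts,dc=example,dc=test
-

time: 20240105110201
dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: krbLastSuccessfulAuth
-
"""

def removals(text, attr=WATCHED):
    """Return (time, dn, modifier) for each modify that strips attr."""
    hits = []
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    for block in re.split(r"\n{2,}", text.strip()):
        hdr, ops = {}, []  # ops: [verb, attribute, number of values]
        for line in block.splitlines():
            m = OP.match(line)
            key, sep, val = line.partition(":")
            if m:
                ops.append([m[1].lower(), m[2].lower(), 0])
            elif sep:
                hdr.setdefault(key.lower(), val.lstrip(": "))
                if ops and key.lower() == ops[-1][1]:
                    ops[-1][2] += 1  # value line for the current op
        for verb, name, nvals in ops:
            gone = verb == "delete" or (verb == "replace" and nvals == 0)  # empty replace also removes
            if hdr.get("changetype") == "modify" and name == attr and gone:
                hits.append((hdr.get("time"), hdr.get("dn"), hdr.get("modifiersname")))
    return hits
```

Against a real server, pass the contents of the audit log captured during the replica removal in place of SAMPLE; a burst of hits sharing one modifier and a narrow time window points at the step responsible.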
