Ainsworth, Thomas wrote:

We have been running FreeIPA 3.0 with a replica host for months now and
love it.  I discovered what I believe is an anomaly pertaining to
the sync'ing between the replica host and the server.  We have our
maximum failures set to three (3).  We also have each ipa-client
configured to point to the server then the replica in the
/etc/sssd/sssd.conf file.  If I open up a terminal window to the server
and replica, and execute a "watch -n 1 'ipa user-status test'" I can see
the status of the user "test" on a one second boundary.  Now, if I
connect to the server and purposely fail the password, I get a failure
on both the server and replica.  If I try it again and authenticate
correctly, the failures clear to zero on the server but the replica
still displays the failures and does not clear.  There may be more
conditions where things do not sync across, but this is the first I have
discovered.  If I modify the attributes of a user or host on the server,
the modification reflects almost immediately on the replica.  Like I
stated, this is the first sync'ing issue I have discovered.

Currently login failures (and success) are not replicated between machines due to anticipated performance issues (MIT Kerberos does the same).

We have an RFE to investigate this further:


Freeipa-users mailing list