Ales Rozmarin via FreeIPA-users wrote:
Hi guys,
I'm not sure if this is OK or not. I have two FreeIPA servers and when a user gets
locked I can see this only on one server. I checked ipa-healthcheck and both servers are working
OK. Do I have to change any settings for that, or is this how the system works? In future
I'm planning to add a few more servers and I think when a user gets locked it won't be
very convenient to go through 4-5 servers to find the locked user.
I'm running IPA 4.10.2 on Rocky 9.3.
I read a post from 7 years ago saying this is how the system is, but I wonder if anything has changed since
then?
Replicating success/failures is expensive. It was enabled early on and
the impact was noticeable.
You can use the ipa user-status command to determine which system(s) a
user is locked out on.
Alternatively, if you remove krblastsuccessfulauth and krblastfailedauth
from the replication agreements' exclude list, they will replicate. You'd
have to do this manually on every existing and future server.
Also lastsuccessfulauth is not retained unless you remove "KDC:Disable
Last Success" from the config string. ipa config-mod --ipaconfigstring ...
As mentioned, this is strongly discouraged.
rob
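As an added example (not from this thread), here is a small wrapper around the per-server
output of ipa user-status that rob mentions: it prints only the replicas that record failed
logins for the user, so you do not have to read through 4-5 server blocks by hand. The
output layout (indented "Server:", "Failed logins:", "Last failed authentication:", "Time now:"
lines per replica) is assumed from the ipa CLI, and the sample below is constructed, not real output.

```shell
#!/bin/sh
# Parse `ipa user-status <login>` output and list the replicas that record
# failed logins. Layout of the output is assumed from the ipa CLI; each
# server block ends with a "Time now:" line, which we use as the block end.

# Print "server failed_count last_failed_time" for every server block whose
# "Failed logins:" counter is above zero.
report_failures() {
  awk '
    /^ *Server:/                      { srv = $2 }
    /^ *Failed logins:/               { fails = $3 }
    /^ *Last failed authentication:/  { last = $4 }
    /^ *Time now:/ {
      # "Time now:" closes one replica block; emit it if it saw failures.
      if (fails + 0 > 0) printf "%s %s %s\n", srv, fails, last
      fails = 0; last = ""
    }
  '
}

# Constructed sample: two replicas, only ipa2 has counted failures.
# "Last successful authentication" reads N/A on both because, as noted in
# the thread, last-success is not retained while "KDC:Disable Last Success"
# is in the config string.
SAMPLE='-----------------------
Account disabled: False
-----------------------
  Server: ipa1.example.com
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
  Time now: 2024-05-01T10:00:00Z
  Server: ipa2.example.com
  Failed logins: 6
  Last successful authentication: N/A
  Last failed authentication: 2024-05-01T09:58:12Z
  Time now: 2024-05-01T10:00:00Z
----------------------------
Number of entries returned 2
----------------------------'

# Live use would be:  ipa user-status "$1" | report_failures
printf '%s\n' "$SAMPLE" | report_failures
```

Run it as `ipa user-status jdoe | report_failures` on a host with an IPA ticket; an empty result means no replica has a non-zero failure counter for that user.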