There is currently no way to know, but the Disable Stale Users proposal could be extended to any principal including the host ones. https://github.com/freeipa/freeipa/blob/master/doc/designs/disable-stale-use... The timestamp precision would be coarse but that would clearly match the use-case.

François

On Tue, Dec 10, 2019 at 12:07 PM Master Blaster via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:

Nothing? No ideas?

How do large organizations with 1000s of hosts handle this? _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...

On ti, 10 joulu 2019, Master Blaster via FreeIPA-users wrote:

Thanks for the response, François.

I'm somewhat surprised there isn't a way to determine both host and user activity already.

For hosts, doesn't the Kerberos ticket have to be renewed on a regular basis? Couldn't that timestamp be used?

Yes. You still need to collect that information somehow. We do not update the time stamp right now at all by default because of a replication storm concerns. Once DSU feature is implemented, a coarse time stamp will updated for each principal.