#7552 IPA Account Authentication date/time determination value (krbLastSuccessfulAuth) does not synchronize among IPA masters
Closed as duplicate 5 years ago. Opened 5 years ago by src329.

Request for enhancement

Our team uses IPA in all of our environments, including dev, test, enterprise test, and production operations. Our customer requires account inactivity enforcement, which does not appear to be a feature of ipa-server-4.5.4-10.el7.x86_64. I need the krbLastSuccessfulAuth date/timestamp to reflect the last actual authentication consistently between masters, so that I can accurately determine the last time a user authenticated on the domain in one place, on either master, and ideally not have to query both (or 'n') masters to determine the most recent login.
- Alternative flags to query to obtain account inactivity are welcome
- An option to query the secondary master for the value and compare it locally on the primary master is welcome, but is not a long-term solution

Issue

krbLastSuccessfulAuth is inconsistent between IPA masters

Steps to Reproduce

1. ipa user-show --all --raw <user> | grep krbLastSuccessfulAuth on each IPA master

Actual behavior

Inconsistent date/times are returned from each IPA Master

Expected behavior

Latest account authentication date/times on the domain are immediately and consistently returned from any IPA Server.

Version/Release/Distribution

Masters: ipa-server-4.5.4-10.el7.x86_64 // Redhat-v7.5

Additional info:

This system is on a closed area network that is not connected to the Internet, so cutting and pasting configuration and command outputs to/from this system is not possible.

Domain contains 65 clients, majority have been joined to the primary master. IPA Client versions are split between the following, majority are currently Centos-v6.9:

ipa-client-4.5.4-10.el7.x86_64 (Redhat-v7.5)
ipa-client-3.0.0-51.el6.centos.x86_64 (Centos-v6.9)
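The step from the ticket, run against every master and reduced to the newest value, as an added example that is not part of the ticket or of FreeIPA. Host names and the sample timestamps are constructed; the collection step assumes ssh access to each master and a Kerberos ticket there, and the offline demonstration replaces it with constructed output. If the attribute is missing on every master, note that the KDC can be configured not to write it at all (ipaConfigString "KDC:Disable Last Success" in cn=ipaConfig), which is the subject of the linked issue 5313.

```shell
#!/bin/sh
# Added example, not from the ticket: find the newest krbLastSuccessfulAuth
# for one user across several IPA masters. Host names and sample values are
# constructed; the real collection step runs the command from the ticket on
# each master over ssh (assumes a Kerberos ticket is available there).

# collect USER MASTER...: print one "master<TAB>timestamp" line per master,
# "none" when that master has no value (the user never authenticated there).
collect() {
    user=$1; shift
    for m in "$@"; do
        val=$(ssh "$m" "ipa user-show --all --raw '$user'" 2>/dev/null \
            | awk -F': ' '{ sub(/^[ \t]+/, "", $1) }
                          tolower($1) == "krblastsuccessfulauth" { print $2 }')
        printf '%s\t%s\n' "$m" "${val:-none}"
    done
}

# latest_auth: read "master<TAB>timestamp" lines on stdin and print the master
# and the newest generalized-time value (YYYYMMDDHHMMSSZ). Fixed-width UTC
# timestamps compare correctly as strings, so no date parsing is needed.
# Lines without a timestamp are skipped; "none" is printed if nothing matched.
latest_auth() {
    awk -F'\t' '
        $2 ~ /^[0-9]+Z$/ && $2 > best { best = $2; who = $1 }
        END { if (best != "") print who, best; else print "none" }
    '
}

# sample_input: constructed stand-in for "collect alice ipa1 ipa2 ipa3" so the
# script can be exercised offline. ipa3 has never seen the user authenticate.
sample_input() {
    printf 'ipa1.example.test\t20180528101500Z\n'
    printf 'ipa2.example.test\t20180601073012Z\n'
    printf 'ipa3.example.test\tnone\n'
}

# run_sample: the offline demonstration; prints "ipa2.example.test 20180601073012Z".
run_sample() {
    sample_input | latest_auth
}

# Real use: collect alice ipa1.example.test ipa2.example.test | latest_auth
run_sample
```

Because the attribute is not replicated, the value on any one master is only a lower bound; the newest value across all masters is the real last login, and a master that has never authenticated the user simply has no attribute, which the script treats as "none" rather than as an error.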


krbLastSuccessfulAuth is excluded from replication. Also see https://pagure.io/freeipa/issue/5313 (4.5.1+).

If you want to enable krbLastSuccessfulAuth replication (this would create a lot of replication traffic and may cause a number of replication conflicts in some situations), you may remove krbLastSuccessfulAuth from the nsDS5ReplicatedAttributeListTotal and nsDS5ReplicatedAttributeList attributes on the replication agreement. We provide no tools for that, so standard ldapmodify could be used. Please consult 389-ds documentation for details: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicatedAttributeList
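The ldapmodify change the comment above describes, as an added example that is neither the ticket's nor FreeIPA's own tooling. The agreement DN and the two attribute values below are constructed samples modelled on the "(objectclass=*) $ EXCLUDE ..." form of the fractional-replication lists; read the real ones from cn=config on each master before generating anything, since every agreement in every direction has to be changed.

```shell
#!/bin/sh
# Added example, not from the ticket: build the ldapmodify input that drops
# krbLastSuccessfulAuth from both fractional-replication exclude lists of one
# replication agreement. DN and values are constructed samples; read the real
# ones first with (as Directory Manager, on each master):
#   ldapsearch -D 'cn=Directory Manager' -W -b 'cn=mapping tree,cn=config' \
#       '(objectclass=nsDS5ReplicationAgreement)' \
#       nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeListTotal

# strip_attr LIST ATTR: remove ATTR (case-insensitive) from a value such as
# "(objectclass=*) $ EXCLUDE a b c", leaving every other token in place.
strip_attr() {
    printf '%s\n' "$1" | awk -v drop="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
        out = ""
        for (i = 1; i <= NF; i++) {
            if (tolower($i) == drop) continue
            out = out (out == "" ? "" : " ") $i
        }
        print out
    }'
}

# make_ldif DN LIST TOTALLIST: emit one LDIF modify record that replaces both
# attributes on the agreement DN with the stripped values.
make_ldif() {
    dn=$1
    new_list=$(strip_attr "$2" krbLastSuccessfulAuth)
    new_total=$(strip_attr "$3" krbLastSuccessfulAuth)
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: nsDS5ReplicatedAttributeList\n'
    printf 'nsDS5ReplicatedAttributeList: %s\n-\n' "$new_list"
    printf 'replace: nsDS5ReplicatedAttributeListTotal\n'
    printf 'nsDS5ReplicatedAttributeListTotal: %s\n-\n' "$new_total"
}

# Constructed sample agreement (FreeIPA names agreements meTo<host>) and the
# default-style exclude lists; the ticket's attribute sits in both.
SAMPLE_DN='cn=meToipa2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config'
SAMPLE_LIST='(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'
SAMPLE_TOTAL='(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'

# Real use: make_ldif "$dn" "$list" "$total" | ldapmodify -D 'cn=Directory Manager' -W
make_ldif "$SAMPLE_DN" "$SAMPLE_LIST" "$SAMPLE_TOTAL"
```

Only the one attribute is removed; krbLastFailedAuth and krbLoginFailedCount stay excluded, which keeps the extra replication traffic to successful logins only. The warning in the comment above still applies: every successful authentication then becomes a replicated write, and concurrent logins on different masters can produce replication conflicts on the user entry.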

Metadata Update from @rcritten (5 years ago):
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
