No, only "fresh" and updated RHEL 7.3 hosts.

Connections are being made, but still ipa-client install.

Can't wait forever on a solution of RH Support, they have/had no clue at all, so I'll reinstall - yet the issue intrigues me a bit.

On Mon, Jul 3, 2017 at 4:53 PM Rob Crittenden <rcritten@redhat.com> wrote:

Pieter Baele via FreeIPA-users wrote:
> Hi,
>
> I've a weird problem with 2 hosts on ipa-client-install registration.
> All my servers are using a 99% alike kickstart profile.
>
> 8 hosts did their registration almost immediately (after submit of admin)
>
> But on 2 servers I am stuck with:
> stderr=
> trying to retrieve CA cert via LDAP from ....
>
> Any idea what the reason could be? I checked: DNS, firewall
> But all verifications and discovery before this step are successful.
>
> It's only possible I did a ipa-client-uninstall on those hosts before.
> (not 100% sure)
>

Shouldn't matter unless you are running an ancient version of RHEL 6.x.

I'd start with the 389-ds access log and the KDC log on the IPA master
and see if connections are being made at all, and with what results.

rob