On Wed, Jul 5, 2017 at 7:28 PM Rob Crittenden <rcritten@redhat.com> wrote:
Pieter Baele via FreeIPA-users wrote:
> No, only "fresh" and updated RHEL 7.3 hosts.

Ok, you were the one that brought up re-installing...

> Connections are being made, but still ipa-client install.
> Can't wait forever on a solution of RH Support, they have/had no clue at
> all, so I'll reinstall - yet the issue intrigues me a bit.
You haven't provided any information here that would allow us to help.

rob



Yes indeed, I was the one that brought up reinstalling 2 of our hosts.

I have a deadline, so there is no choice. Those are 2 management hosts we need.
Also I never got a request, "please, this looks intriguing for us as well" ....
I could have reinstalled right away instead of trying to debug the ipa registration process. But all my other 99% similar hosts registered without a problem..... 
We lost precious time also because I had to explain that the engineer was looking in the wrong direction. Not something a customer should do (!). 

But I am still interested in what happened and in IPA in general, hope there is nothing wrong with that?

That's why I also submitted some limited information to the mailing list. It is not the first time a mailing list or IRC is more direct.... instead of going to several support people first.

As demanded I provided an strace as well, and it was clear that the freeipa-client-install was hanging at the point as explained before.

No explanations from logs and traces IMO.
The only thing that was changed on those 2 hosts was the hostname - but BEFORE the install of the client. Which was also misunderstood by the way....

-- Pieter


>
> On Mon, Jul 3, 2017 at 4:53 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Pieter Baele via FreeIPA-users wrote:
>     > Hi,
>     >
>     > I've a weird problem with 2 hosts on ipa-client-install registration.
>     > All my servers are using a 99% alike kickstart profile.
>     >
>     > 8 hosts did their registration almost immediately (after submit of admin)
>     >
>     > But on 2 servers I am stuck with:
>     > stderr=
>     > trying to retrieve CA cert via LDAP from ....
>     >
>     > Any idea what the reason could be? I checked: DNS, firewall
>     > But all verifications and discovery before this step are successful.
>     >
>     > It's only possible I did an ipa-client-uninstall on those hosts before.
>     > (not 100% sure)
>     >
>
>     Shouldn't matter unless you are running an ancient version of RHEL 6.x.
>
>     I'd start with the 389-ds access log and the KDC log on the IPA master
>     and see if connections are being made at all, and with what results.
>
>     rob
>
>
>