Paulina Budzoń via FreeIPA-users wrote:
> For reference to @freeipa-users, since I very much don’t like open
> threads that moved to private and were left unanswered.
>
> Big thanks to Alexander for helping with debugging. It seems we are
> affected by https://pagure.io/freeipa/issue/9228. To confirm this: we
> don’t have much in terms of Kerberos logs on the IPA server that the
> host initially enrolled to, but we can see "PAC issue:
> ipadb_get_principal failed" and "TGT has been revoked" errors for this
> host in Kerberos logs on the second IPA in this region, which I
> understand is a typical sign of this issue.
>
>
> @Alexander - do you know if forcing --server to ipa-client-install would
> help as a temporary work-around to force the installation to only use a
> specific server?

I think it should help. The downside is that the resulting configuration will be pinned to that one server. You'd need to go in afterward and manually tweak the configuration on each client to use DNS discovery again (at least krb5.conf and sssd.conf).

rob
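
An added example, not part of the original thread and not FreeIPA project code: a read-only audit that flags clients still pinned to one server after an install with `--server`. It assumes pinning shows up as a disabled `dns_lookup_kdc` or explicit `kdc` entries in krb5.conf, and as an `ipa_server` list without the `_srv_` discovery keyword in sssd.conf; the sample files, realm and hostnames are constructed.

```python
import configparser
import re

# Constructed sample files (not from the thread): an assumed shape for a client
# pinned with --server. Realm and hostnames are placeholders.
KRB5_PINNED = """\
[libdefaults]
  dns_lookup_kdc = false
[realms]
  EXAMPLE.TEST = {
    kdc = ipa1.example.test:88
    admin_server = ipa1.example.test:749
  }
"""
SSSD_PINNED = """\
[domain/example.test]
id_provider = ipa
ipa_server = ipa1.example.test
"""
SSSD_DISCOVERY = SSSD_PINNED.replace("ipa_server = ", "ipa_server = _srv_, ")


def krb5_findings(text):
    """Return reasons krb5.conf will not locate KDCs through DNS SRV records."""
    findings = []
    # krb5.conf is not strict INI (nested braces), so match the keys directly.
    m = re.search(r"^\s*dns_lookup_kdc\s*=\s*(\S+)", text, re.M | re.I)
    if m and m.group(1).lower() in ("false", "no", "n", "0", "off", "nil"):
        findings.append("dns_lookup_kdc is disabled")
    kdcs = re.findall(r"^\s*kdc\s*=\s*(\S+)", text, re.M)
    if kdcs:
        findings.append("hard-coded kdc: " + ", ".join(kdcs))
    return findings


def sssd_findings(text):
    """Return domains whose ipa_server list lacks the _srv_ discovery keyword."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        servers = cp.get(section, "ipa_server", fallback=None)
        if servers is None:
            continue
        names = [s.strip() for s in servers.split(",")]
        if "_srv_" not in names:
            findings.append(f"{section}: ipa_server pinned to {servers}")
    return findings
```

On a real client, pass the contents of `/etc/krb5.conf` and `/etc/sssd/sssd.conf` to the two functions; an empty list from both means no pinning of the kinds checked here was found.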