For reference to @freeipa-users, since I very much don’t like open threads that moved to
private and were left unanswered.
Big thanks to Alexander for helping with debugging. It seems we are affected by
https://pagure.io/freeipa/issue/9228 <
https://pagure.io/freeipa/issue/9228>. To
confirm this: we don’t have much in terms of Kerberos logs on the IPA server that the host
initially enrolled to, but we can see "PAC issue: ipadb_get_principal failed” and
"TGT has been revoked” errors for this host in Kerberos logs on the second IPA in
this region, which I understand is a typical sign of this issue.
@Alexander - do you know if forcing —server to ipa-client-install would help as a
temporary work-around to force the installation to only use a specific server?