Scenario:
It is entirely possible to be running IPA server v4.x servers, yet be running a smart proxy that has IPA admintools for v3.x. This is the case for RHEL as follows:

RHEL 7.1 => IPA server v4.x
RHEL 6 / 7.0 => IPA server v3.x

In this case, `foreman-prepare-realm` detects `PERMISSION_SYSTEM=v1`, because the criteria is based on whether or not `ipa --version | grep 'VERSION'` produces any results. If the smart proxy is using IPA admintools for v3.x, the script will then attempt to setup the IPA privilege with permissions based on the IPA server v3.x scheme even if IPA server v4.x is what's being communicated with.

Proposal:
Use another method for actually detecting what IPA server version we're communicating with. For example:
Note: Verified that this is available in IPA v3.x/v4.x

$ ipa ping
-------------------------------------------
IPA server version 4.1.0. API version 2.112
-------------------------------------------

So, using this, perhaps the following changes to `foreman-prepare-realm` would be acceptable:

@@ -23,22 +23,22 @@
 [ ! -z $2 ] || usage

 SERVER=$(grep server /etc/ipa/default.conf | cut -f2 -d"=")

-if ipa --version 2>&1 | grep -q 'VERSION'
-then
-  PERMISSION_SYSTEM=v2
-else
-  PERMISSION_SYSTEM=v1
-fi
-
 if [ -z $SERVER ];
 then
   SERVER=$(grep host /etc/ipa/default.conf | cut -f2 -d"=")
 fi

 kinit $1 || die "Could not get kerberos credentials" 

+if ipa ping | grep -qo 'IPA server version 4'
+then
+  PERMISSION_SYSTEM=v2
+else
+  PERMISSION_SYSTEM=v1
+fi
+
 ipa privilege-add 'Smart Proxy Host Management' --desc='Smart Proxy Host Management'

 if [ "$PERMISSION_SYSTEM" == "v1" ];
 then

The IPA admintools v3.x can communicate properly with IPA server v4.x, at least in the context of the API calls made within `foreman-prepare-realm`.