Description of problem:
If I integrate with IdM in RHEL 7, and use a user-data template to configure my system, my system is not enrolled in IdM. I end up with this in my user-data (on my new machine)

/usr/sbin/ipa-client-install -w '$HOST[OTP]' --realm=REDHAT.LAB -U $idm_mkhomedir $idm_opts $idm_server $idm_ssh

and thus with an error

Nov 7 16:33:52 localhost cloud-init: Successfully retrieved CA cert
Nov 7 16:33:52 localhost cloud-init: Subject: CN=Certificate Authority,O=REE
DHAT.LAB
Nov 7 16:33:52 localhost cloud-init: Issuer: CN=Certificate Authority,O=REE
DHAT.LAB
Nov 7 16:33:52 localhost cloud-init: Valid From: Tue Sep 06 13:01:52 2016 UTC
Nov 7 16:33:52 localhost cloud-init: Valid Until: Sat Sep 06 13:01:52 2036 UTC
Nov 7 16:33:52 localhost cloud-init: Joining realm failed: Incorrect password.
Nov 7 16:33:52 localhost cloud-init: Installation failed. Rolling back changes.
Nov 7 16:33:52 localhost cloud-init: IPA client is not configured on this systee
m.

Version-Release number of selected component (if applicable):
6.2.3

How reproducible:

Steps to Reproduce:
1. Create new image, configure for user-data
2. Configure Satellite for idm integration (follow docs :))
3. Create new host

Actual results:
See the above error, system listed not enrolled in idm (so satellite actually did create the object in idm)

Expected results:
system is enrolled, i can log in

Additional info: