Bug #7141

closed

freeipa_register template fails on EL7

Added by Josh Baird over 9 years ago. Updated over 6 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: Templates
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When using the freeipa_register snippet to provision a RHEL7 system, the client DOES get joined to the IPA realm, but the certmonger request seems to be failing and 'dns_lookup_kdc' gets set to false in /etc/krb5.conf, which causes the client to point directly to one IPA domain controller instead of using DNS.

After provisioning, I can manually run the 'ipa-client-install' command with the same parameters and everything works fine - certmonger and dns_lookup_kdc are set correctly.

Here is the log snippet generated by ipa-client-install during the KS:

Complete!
Discovery was successful!
Hostname: rhel7b02.corp.follett.com
Realm: QA-UNIX.FOLLETT.COM
DNS Domain: qa-unix.follett.com
IPA Server: imqa-d1-dc01.qa-unix.follett.com
BaseDN: dc=qa-unix,dc=follett,dc=com
Synchronizing time with KDC...
Downloading the CA certificate via HTTP, this is INSECURE
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=QA-UNIX.FOLLETT.COM
Issuer: CN=Certificate Authority,O=QA-UNIX.FOLLETT.COM
Valid From: Tue Jul 29 19:17:32 2014 UTC
Valid Until: Sat Jul 29 19:17:32 2034 UTC

Enrolled in IPA realm QA-UNIX.FOLLETT.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm QA-UNIX.FOLLETT.COM
trying https://imqa-d1-dc01.qa-unix.follett.com/ipa/xml
Forwarding 'ping' to server 'https://imqa-d1-dc01.qa-unix.follett.com/ipa/xml'
Forwarding 'env' to server 'https://imqa-d1-dc01.qa-unix.follett.com/ipa/xml'
certmonger request for host certificate failed
Forwarding 'host_mod' to server 'https://imqa-d1-dc01.qa-unix.follett.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd '!
Recognized configuration: SSSD
Client configuration complete.
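
Added example, not part of the original report or of the Foreman template: a post-enrolment check for the symptoms described above, scanning captured ipa-client-install output for the messages seen in this log and reading dns_lookup_kdc from krb5.conf. The function names, the EXAMPLE.TEST realm and the assumption that the installer output was saved to a file are hypothetical; only the literal value "false" from the report is treated as a failure.

```bash
# Messages from the report's log that precede "Client configuration complete."
SOFT_FAILURES='certmonger request for host certificate failed
Could not update DNS SSHFP records
Downloading the CA certificate via HTTP, this is INSECURE'

# Print every soft-failure message present in the log; return 1 if any matched.
scan_install_log() {
    local log="$1" found=0 msg
    while IFS= read -r msg; do
        if grep -qF -- "$msg" "$log"; then
            echo "log: $msg"; found=1
        fi
    done <<EOF
$SOFT_FAILURES
EOF
    return "$found"
}

# Print the first dns_lookup_kdc value in a krb5.conf (lowercased), or "unset".
dns_lookup_kdc_value() {
    local val
    val=$(sed -n 's/^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z')
    echo "${val:-unset}"
}

# Return 0 only when the log is clean and dns_lookup_kdc is not "false".
check_enrolment() {
    local log="$1" krb5="$2" rc=0
    [ -r "$log" ] && [ -r "$krb5" ] || { echo "cannot read $log or $krb5" >&2; return 2; }
    scan_install_log "$log" || rc=1
    if [ "$(dns_lookup_kdc_value "$krb5")" = "false" ]; then
        echo "krb5.conf: dns_lookup_kdc = false, KDC discovery via DNS is off"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input (log lines as in the report, placeholder realm).
demo() {
    local d rc; d=$(mktemp -d)
    printf '%s\n' 'Enrolled in IPA realm EXAMPLE.TEST' \
        'certmonger request for host certificate failed' \
        'Client configuration complete.' > "$d/install.log"
    printf '[libdefaults]\n  dns_lookup_kdc = false\n' > "$d/krb5.conf"
    check_enrolment "$d/install.log" "$d/krb5.conf" && rc=0 || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ "$#" -eq 2 ]; then check_enrolment "$1" "$2"; fi
```

Run as a script with the saved installer output and /etc/krb5.conf as its two arguments; a non-zero exit marks a host that enrolled but needs follow-up.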

#1

Updated by Anonymous almost 7 years ago

What's the status here with current templates?

#2

Updated by Anonymous over 6 years ago

  • Status changed from New to Feedback