Update: I just tried to deploy the overcloud with a modified t-h-t content, and applying this patch[1] for correct access to the keytab. While it did create a lot of things in the IPA, it failed a bit later while trying to get service certificates. For instance:

    Could not get certificate: Execution of '/usr/bin/getcert request -I mysql -f /etc/pki/tls/certs/mysql.crt -c IPA -N CN=oc0-controller0.internalapi.mydomain.tld -K mysql/oc0-controller0.internalapi.mydomain.tld -D overcloud.internalapi.mydomain.tld -D oc0-controller0.internalapi.mydomain.tld -w -k /etc/pki/tls/private/mysql.key' returned 3: New signing request "mysql" added.
    <13>Jul 21 13:17:36 puppet-user: Error: /Stage[main]/Tripleo::Certmonger::Mysql/Certmonger_certificate[mysql]: Could not evaluate: Could not get certificate: Server at https://lab-nat-vm.mydomain.tld/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'oc0-controller0.internalapi.mydomain.tld' does not exist to add a service to.)

After a quick check, here are the hosts I can see in IPA:

    sudo ipa host-find --raw | grep krbcanonicalname
    krbcanonicalname:
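Added here as an example (not part of the update above, nor code from tripleo-heat-templates or FreeIPA): a pre-deployment check that takes the getcert invocation quoted in the failure and the output of `ipa host-find --raw`, and reports whether the host named in the `-K` service principal has a host entry in IPA, which is exactly what the 4001 error complains about. The `host-find` output below is constructed sample data; it assumes the standard `krbcanonicalname: host/<fqdn>@<REALM>` line format.

```python
import re
import shlex

# Constructed sample of `ipa host-find --raw` output: only the controller's
# base hostname and the IPA server are enrolled, not the internalapi name.
SAMPLE_HOST_FIND = """\
  dn: fqdn=oc0-controller0.mydomain.tld,cn=computers,cn=accounts,dc=mydomain,dc=tld
  fqdn: oc0-controller0.mydomain.tld
  krbcanonicalname: host/oc0-controller0.mydomain.tld@MYDOMAIN.TLD
  dn: fqdn=lab-nat-vm.mydomain.tld,cn=computers,cn=accounts,dc=mydomain,dc=tld
  fqdn: lab-nat-vm.mydomain.tld
  krbcanonicalname: host/lab-nat-vm.mydomain.tld@MYDOMAIN.TLD
"""

# The getcert command quoted in the failure above, as one string.
GETCERT_CMD = (
    "/usr/bin/getcert request -I mysql -f /etc/pki/tls/certs/mysql.crt -c IPA "
    "-N CN=oc0-controller0.internalapi.mydomain.tld "
    "-K mysql/oc0-controller0.internalapi.mydomain.tld "
    "-D overcloud.internalapi.mydomain.tld -D oc0-controller0.internalapi.mydomain.tld "
    "-w -k /etc/pki/tls/private/mysql.key"
)


def enrolled_hosts(host_find_raw):
    """Host FQDNs taken from the krbcanonicalname lines of `ipa host-find --raw`."""
    hosts = set()
    for line in host_find_raw.splitlines():
        m = re.match(r"\s*krbcanonicalname:\s*host/([^@\s]+)@", line)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def principal_host(getcert_cmd):
    """Host part of the -K service principal (service/host[@REALM])."""
    argv = shlex.split(getcert_cmd)
    principal = argv[argv.index("-K") + 1]
    return principal.split("/", 1)[1].split("@", 1)[0].lower()


def missing_principal_host(getcert_cmd, host_find_raw):
    """Return the principal's host if IPA has no host entry for it, else None."""
    host = principal_host(getcert_cmd)
    return None if host in enrolled_hosts(host_find_raw) else host


if __name__ == "__main__":
    missing = missing_principal_host(GETCERT_CMD, SAMPLE_HOST_FIND)
    print("missing host entry:" if missing else "all hosts enrolled", missing or "")
```

Running it against real output (`ipa host-find --raw` piped into the script) tells you before the overcloud deploy which per-network hostnames still need `ipa host-add`.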