Jose and I exchanged some files privately and I think I've narrowed down the enrollment problem to failing to get a keytab due to the error:
Failed to retrieve encryption type DES cbc mode with CRC-32 (#1)
This is because newer IPA servers don't support DES.
I don't recall the workaround for this but it likely involves enabling weak crypto support it the KDC, something I'm not sure works these days (not a bad thing).
I seem to recall I made a patch to ipa-getkeytab eons ago to cause it to not completely fail as long as one requested key type is retrieved by ipa-getkeytab but it seems unlikely to have been backported to EL 5 (and zero chance at this point).
Not sure what to recommend at this point. Enabling DES is not the best idea.
You could follow the manual client configuration instructions instead.
rob