Is there a way to enable a user to be able to retrieve all host keytabs without explicitly allowing for each host?

In short, we have a very large, stateless environment. We are currently in the process of converting to RHEL in order to receive support. The size of our environment makes force-joining on boot a nightmare, even though it worked in testing. I have spoken with our RH rep, and the advice we received from the IdM team, via our rep, was to retrieve the host keytab on boot for registered machines. We are aware of the risks involved but need a solution that allows 8k-plus hosts to boot without completely overloading the FreeIPA cluster. With the available documentation I cannot find a way to allow the service account we will be using to retrieve all host keytabs. As you can imagine, explicitly allowing for each host would be a tedious process and prone to error.

Thanks in advance for any responses.

--

Mark Potter

Senior Linux Administrator

DownUnder GeoSolutions

16200 Park Row Drive, Suite 100

Houston TX 77084, USA

tel +1 832 582 3221

markp@dug.com

www.dug.com
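Added example, not from the original post or from the FreeIPA project: the per-host grant the post describes ("explicitly allowing for each host") is the only knob FreeIPA exposes for keytab *retrieval*, since `ipa-getkeytab -r` checks the read_keys ACL on each host entry, but it can be scripted over the output of `ipa host-find` instead of typed by hand. The script below does that for one service account and shows the matching boot-time retrieval. The service account name `keytab-fetch`, the IPA server and realm, the path of the service account's keytab, and the sample `host-find` output are all assumptions; the `IPA` variable exists so the grant step can be dry-run by pointing it at `echo`.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeIPA itself).
# Assumptions: SVC_USER is the account that will fetch host keytabs
# (assumed name: keytab-fetch); IPA is the ipa CLI, overridable for dry runs.
IPA=${IPA:-ipa}
SVC_USER=${SVC_USER:-keytab-fetch}

# Constructed sample of what `ipa host-find --raw --pkey-only --sizelimit=0`
# prints; only the "fqdn:" lines matter to the parser below.
SAMPLE_HOSTFIND='----------------
2 hosts matched
----------------
  fqdn: node01.example.com

  fqdn: node02.example.com
----------------------------
Number of entries returned 2
----------------------------'

# Extract bare FQDNs from host-find output on stdin, one per line.
fqdns_from_hostfind() {
    sed -n 's/^[[:space:]]*fqdn:[[:space:]]*//p'
}

# Grant SVC_USER permission to *retrieve* (not regenerate) one host's keytab.
# This sets the per-host read_keys entry that ipa-getkeytab -r is checked
# against; there is no global equivalent, hence the loop below.
grant_retrieve() {
    "$IPA" host-allow-retrieve-keytab "$1" --users="$SVC_USER"
}

# Apply the grant to every FQDN on stdin. Echoes each FQDN after success
# and stops at the first failure so a partial run is visible.
grant_all() {
    while IFS= read -r fqdn; do
        [ -n "$fqdn" ] || continue
        grant_retrieve "$fqdn" >/dev/null || { echo "failed: $fqdn" >&2; return 1; }
        echo "$fqdn"
    done
}

# Boot-time side, run on an already-registered host whose key exists in IPA:
# authenticate as the service account from a keytab kept on the image, then
# retrieve the existing host key into /etc/krb5.keytab. The -r flag matters:
# without it ipa-getkeytab generates a *new* key, which would invalidate any
# other copy of the host key (and requires a different permission).
# Arguments: host FQDN, IPA server, realm, path to the service account keytab.
fetch_host_keytab() {
    host_fqdn=$1; server=$2; realm=$3; svc_keytab=$4
    kinit -kt "$svc_keytab" "$SVC_USER@$realm" &&
    ipa-getkeytab -r -s "$server" -p "host/$host_fqdn" -k /etc/krb5.keytab
}

# Typical use (one-time, by an admin with rights to modify host entries):
#   ipa host-find --raw --pkey-only --sizelimit=0 | fqdns_from_hostfind | grant_all
# and on each node at boot:
#   fetch_host_keytab "$(hostname -f)" ipa1.example.com EXAMPLE.COM /etc/keytab-fetch.keytab
```

Two caveats worth keeping in mind with this arrangement. The service account can read every host key once the loop has run, so its keytab on the image is as sensitive as the host keys themselves: keep it root-only, and budget for rotating it (re-keying that one principal does not touch the host keys). And retrieval only works for hosts whose key already exists in IPA; a host that was never enrolled, or whose key was regenerated elsewhere, still needs the full join or a fresh `ipa-getkeytab` without `-r`.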