Thank you @Jochen for the detailed answer. This, however, doesn't answer my question.
When you run your playbook on the FreeIPA server/replica, do you get Kerberos
authentication? Can you log into the Cockpit UI and the FreeIPA UI without a password
prompt?