So i'm trying to add FreeRADIUS as a service to my IPA setup.  I"ve added the service using --force and i'm trying to get the keytab for it but getting the following error:

[root@asm-rancid02 keytabs]# ipa-getkeytab -s asm-rancid02.mgt.asm.borg.local. -p radius/asm-rancid02.mgt.asm.borg.local -k /etc/krb5.keytab

Unable to initialize STARTTLS session

Failed to bind to server!

Retrying with pre-4.0 keytab retrieval method...

Unable to initialize STARTTLS session

Failed to bind to server!

Failed to get keytab

[root@asm-rancid02 keytabs]#

Do I need to generate a keytab first?  Should this be generated when I add the server to the domain/realm?