Cloud-init based provision does not ask for OTP from realm


I am trying to install a VM (Ubuntu 22.04) using the cloud-init method (from ISO). Katello/Foreman does not ask for a one-time password during Rebuild/Install.
The VM installs successfully and enrolls to IDM/FreeIPA if I set it manually in IDM/FreeIPA and provide it to the VM in Foreman.
There is no info in the proxy/server logs regarding asking for the OTP.
Basically I am using the same installation method as described here.

Strangely, when I am using the regular kickstart or preseed installation method or a host rebuild, everything works fine: Foreman asks for the OTP from IDM/FreeIPA and enrolls the server automatically. It only fails with the cloud-init method I mentioned before.

I am using three templates:

  • PXELinux template - nothing special, a regular template with initrd and vmlinuz etc. locations.
  • Cloud-init template - again nothing special, a bit custom.
  • Finish template - it is where I am defining what to install.
    So I tried to use the freeipa_register snippet in both locations (Finish template and Cloud-init template) and build/rebuild the host; still Foreman doesn't even ask for the OTP from the IDM server.

Can you tell me what I am missing here, or describe how it basically works during a host rebuild in Foreman?
Is it possible to force Foreman to ask for the OTP somehow?
If it is not possible with cloud-init + Foreman, maybe you can suggest an API call or something to “automate” VM enrollment?

Katello version: 4.5.1
Foreman version: 3.3.1

Let me know if you need additional info.