Realm (FreeIPA) integration failing

I have configured the realm proxy as per the docs at Foreman :: Manual.
I created a FreeIPA user using foreman-prepare-realm, again as set out in the docs, which is created fine. I have triple checked the realm.yml and realm_freeipa.yml to ensure they are correct. I have created the realm in the Foreman UI, and all looks good (the “Realm” feature is visible in the smart proxies section and shows no failed features).

I would expect newly provisioned hosts to join the configured realm, but I can’t even provision a machine if the realm is set; I get an error as shown below.

Foreman 1.22

The docs suggest chowning the freeipa.keytab file to foreman-proxy. I have tried this, and setting perms to 0666, to no effect.

production.log shows:

[ProxyAPI::ProxyException]: Unable to create realm entry ([RestClient::BadRequest]: 400 Bad Request) for proxy

The httpd error log on the freeipa server shows:

[auth_gssapi:error] [pid 2833] [client 172.16.69.23:59838] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa.example.com/ipa/xml

Spent about 5 hours looking at this yesterday; I’m thinking it must be a bug at this point.