Unfortunately, can't see anything suspicious in krb5kdc.log Multiple hosts request TGT in NEEDED_PREAUTH:host/<hostname> - ISSUE dialogs.
No errors and 'admin' is not encountered anywhere.
I'm having a concern that older machines could have been enrolled (ipa-client) with admin user. Could you suggest where i can check this setting on the client machines and modify if needed? Thanks.