After some more searching, I see that the client contacts the AD domain controller, asking for an AAA record, then connects to the AD forest controller, which is _not_ reachable due to firewall filters. Does ipa-client always need to contact the root DC for a krb ticket (I guess this is what is attempted here)?