I just tested kickstart FreeIPA domain join (with the 'realm' kickstart directive) on 21 Alpha TC6 (against a server also running 21 Alpha TC6). It fails near the end of the join process with a Python traceback originating from ipa-client-install which ends in "ImportError: No module named backports.ssl_match_hostname" . The issue is that freeipa-client should depend on python-backports-ssl_match_hostname , the package that provides this module. This dependency was actually added (entirely without notice in the changelog or commit message :/) in freeipa 4.0.2-1: http://pkgs.fedoraproject.org/cgit/freeipa.git/commit/?id=694ce2174a848dd36cb3a184dc2d2957e19259c8 but as Alpha is frozen, that build will not come in without a blocker or FE bug. Hence I'm filing this, and proposing it as a release blocker, under https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Remote_authentication : "It must be possible to join the system to a FreeIPA or Active Directory domain at install time and post-install, and the system must respect the identity, authentication and access control configuration provided by the domain." this violates the "at install time" portion of that criterion.
I confirmed that installing with updates-testing enabled solves this bug (as it brings in the newer freeipa-client which has the dependency).
*** This bug has been marked as a duplicate of bug 1135516 ***