It is natural for people who know kerberos to include the realm name in the principal name when requesting one from ipa-addservice. Currently it will fail if the realm is included. What we should do instead is drop the realm silently if it matches the IPA realm. It will make for a much nicer user experience.
Created attachment 298290 [details] allow realm to be included in add_service_principal() call
Fix verified: [root@jennyv3 ~]# ipa-addservice nfs/jennyv4.bos.redhat.com.COM [root@jennyv3 ~]# ipa-findservice jennyv4.bos.redhat.com host/jennyv4.bos.redhat.com.COM ssh/jennyv4.bos.redhat.com.COM nfs/jennyv4.bos.redhat.com.COM