FreeIPA - client/replica errors

hi, free IPA everyone?

I wanted to ask if you maybe seen below errors. I'm trying

$ ipa-client-install --principal=admin
--password="ccnR.Biotec13#diradm" --enable-dns-updates

and it fails:

   Valid From:  2018-01-09 16:51:35
    Valid Until: 2038-01-09 16:51:35

Please make sure the following ports are opened in the
firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client
working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Failed to obtain host TGT: Major (851968): Unspecified GSS
failure. Minor code may provide more information, Minor
(2529638936): Preauthentication failed
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command
'ipa-client-automount --uninstall --debug' returned non-zero
exit status 1
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was
moved to /etc/sssd/sssd.conf.deleted
Client uninstall complete.
The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information

It's not time sync problem, server & client candidate are in
sync. Simple install, server installed okey but client fails
as above.

Does your IPA VERSION: 4.5.0, API_VERSION: 2.228 install
okey, with no problems?

many thanks, L.