#6202 ipa-client-install - document that --server option expects FQDN
Closed: Fixed None Opened 7 years ago by ptittle07.

I ran "ipa host-add --force somehost.local --random --ip-address=10.3.48.197" on the server

Then tried to run "ipa-client-install --domain local --server 172.16.0.5 -w '<random password>' --hostname=somehost.local -U --mkhomedir" on the client

The error returned was "Joining realm failed: Incorrect password."

Looking at the 389 access logs (thanks rcrit), I saw the following:

[10/Aug/2016:14:55:15 +0000] conn=238619 fd=233 slot=233 SSL connection from 10.3.48.197 to 172.16.0.5
[10/Aug/2016:14:55:15 +0000] conn=238619 TLS1.2 128-bit AES-GCM
[10/Aug/2016:14:55:15 +0000] conn=238619 op=-1 fd=233 closed - B1


The error returned was obscure, but hinted at an SSL problem. When I provided the FQDN of the IPA server to ipa-client-install (in --server), the installation worked.

It seems like the client failed to trust the server when the IP was provided, even though in this case a PTR lookup of the IP would have resolved to the FQDN in the CN of the cert that 389 provides (I verified that in this case).

So if the client install did a reverse lookup and used that hostname to verify the server, that would fix some of the potential problems with providing an IP to --server. But for clients that can't do reverse lookups yet because they rely on the client install to set up resolv.conf, it would be nice to pass a flag that disables the CN FQDN check that the SSL library is doing (not sure if that's even possible).
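The failure described above is TLS reference-identity matching: a certificate that names only the server's FQDN (in the CN or a dNSName SAN) can never match an IP literal, which is compared solely against iPAddress SANs. The following is an added example, not FreeIPA or 389-ds code, that re-implements that matching rule offline and contrasts the two client behaviours discussed in the ticket (verify against whatever --server was given, versus map an IP to its PTR name first). The certificate contents, the FQDN ipa.example.test and the PTR table are constructed sample values; 172.16.0.5 is the server address from the report.

```python
"""Why a TLS client rejects a server reached by IP literal when the certificate
only names the server's FQDN.  Added example, not FreeIPA code: it implements
RFC 6125 / RFC 2818 style reference-identity matching over a parsed certificate
(constructed inline) instead of calling the ssl module, so it runs offline.
"""
import ipaddress

# Constructed stand-in for the identities a server certificate asserts:
# subject CN plus subjectAltName entries of type dNSName and iPAddress.
SERVER_CERT = {
    "subject_cn": "ipa.example.test",
    "san_dns": ["ipa.example.test"],
    "san_ip": [],          # no iPAddress SAN -> an IP literal can never match
}

# Constructed reverse-lookup table standing in for a PTR query.
PTR_TABLE = {"172.16.0.5": "ipa.example.test"}


def _dns_label_match(pattern, hostname):
    """Case-insensitive match allowing one leading wildcard label (RFC 6125 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    # The wildcard covers exactly one leftmost label, nothing more.
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def reference_identity_matches(cert, reference):
    """Return True if `reference` (hostname or IP literal) is an identity the cert asserts.

    An IP literal is compared only against iPAddress SANs (as parsed addresses);
    a hostname is compared against dNSName SANs, falling back to the subject CN
    only when the certificate carries no dNSName SAN at all.
    """
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        return any(ipaddress.ip_address(s) == ref_ip for s in cert["san_ip"])

    if cert["san_dns"]:
        return any(_dns_label_match(p, reference) for p in cert["san_dns"])
    return _dns_label_match(cert["subject_cn"], reference)


def verify_server(cert, server_arg, ptr_table=None):
    """Model the two client behaviours from the ticket.

    Returns (ok, identity_checked).  With ptr_table=None the client verifies the
    certificate against whatever was passed to --server; with a table it first
    maps an IP literal to its PTR name and verifies that name instead.
    """
    identity = server_arg
    if ptr_table is not None:
        try:
            ipaddress.ip_address(server_arg)
            identity = ptr_table.get(server_arg, server_arg)
        except ValueError:
            pass  # already a hostname, nothing to map
    return reference_identity_matches(cert, identity), identity


if __name__ == "__main__":
    for arg in ("172.16.0.5", "ipa.example.test"):
        print(arg, "->", verify_server(SERVER_CERT, arg))
        print(arg, "+PTR ->", verify_server(SERVER_CERT, arg, PTR_TABLE))
```

Running it shows the IP literal failing against the FQDN-only certificate and succeeding only once the client substitutes the PTR name, which is the behaviour the reporter observed and proposed. The design point worth noting is that an unauthenticated PTR answer would then be choosing which name the certificate is checked against, so requiring the FQDN up front, as triage decided, keeps the identity the client verifies under the administrator's control.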


IMO (not sure) the --server option expects an FQDN, so an IP address is invalid usage.

This is not mentioned in the man page or the help.

Per triage on Tue Aug 16, this is expected behavior.

But it needs to be documented in the ipa-client-install help and man pages.

master:

  • 07ff1f6 Update man/help for --server option

Metadata Update from @ptittle07:
- Issue assigned to tkrizek
- Issue set to the milestone: FreeIPA 4.5

7 years ago
