1. log in as admin
sudo su
kinit admin
2. generate the service entry on the domain
ipa service-add http/cockpit.local.test
3. get the keytab for service
ipa-getkeytab -p HTTP/cockpit.local.test@LOCAL.TEST -k /etc/cockpit/krb5.keytab
4. check it
klist -k /etc/cockpit/krb5.keytab
5. in case of firefox, change the properties:
network.automatic-ntlm-auth.trusted-uris true
network.automatic-ntlm-auth.trusted-uris .local.test