diff --git a/pinecrypt/client/cli.py b/pinecrypt/client/cli.py
index c310430..a5e052f 100644
--- a/pinecrypt/client/cli.py
+++ b/pinecrypt/client/cli.py
@@ -62,7 +62,8 @@ class ConfigTreeParser(ConfigParser):
 @click.command("provision", help="Add endpoint to Certidude client config")
 @click.argument("authority")
 @click.option("-m", "--method", help="Force connection method")
-def certidude_provision(authority, method):
+@click.option("-k", "--kerberos", default=False, is_flag=True, help="Offer system keytab for auth")
+def certidude_provision(authority, method, kerberos):
     client_config = ConfigParser()
     try:
         os.makedirs(os.path.dirname(const.CLIENT_CONFIG_PATH))
@@ -76,7 +77,7 @@ def certidude_provision(authority, method):
         click.echo("Section '%s' added to %s" % (authority, const.CLIENT_CONFIG_PATH))
         b = os.path.join(os.path.join(const.CONFIG_DIR, "authority", authority))
         client_config.add_section(authority)
-        client_config.set(authority, "trigger", "interface up")
+        client_config.set(authority, "trigger", "domain joined" if kerberos else "interface up")
         client_config.set(authority, "common name", "$HOSTNAME")
         client_config.set(authority, "request path", os.path.join(b, "host_req.pem"))
         client_config.set(authority, "key path", os.path.join(b, "host_key.pem"))
@@ -298,6 +299,10 @@ def certidude_enroll(fork, no_wait, kerberos):
                 }
             }
 
+            # TODO: oh so exploitable
+            # TODO: don't read this from stored JSON
+            replica_name = bootstrap["hostname"]
+
             # If machine is joined to domain attempt to present machine credentials for authentication
             if kerberos:
                 try:
@@ -306,23 +311,25 @@ def certidude_enroll(fork, no_wait, kerberos):
                     click.echo("Kerberos bindings not available, please install requests-kerberos")
                 else:
                     os.environ["KRB5CCNAME"] = "/tmp/ca.ticket"
-
-                    # Mac OS X has keytab with lowercase hostname
-                    cmd = "kinit -S HTTP/%s -k %s$" % (authority_name, const.HOSTNAME.lower())
+                    # Fedora /w SSSD and Ubuntu /w Samba have keytab with uppercase hostname
+                    cmd = "kinit -S HTTP/%s -k %s$" % (replica_name, const.HOSTNAME.upper())
                     click.echo("Executing: %s" % cmd)
                     if os.system(cmd):
-                        # Fedora /w SSSD has keytab with uppercase hostname
-                        cmd = "kinit -S HTTP/%s -k %s$" % (authority_name, const.HOSTNAME.upper())
+                        # Mac OS X has keytab with lowercase hostname
+                        cmd = "kinit -S HTTP/%s -k %s$" % (replica_name, const.HOSTNAME.lower())
+                        click.echo("Executing: %s" % cmd)
                         if os.system(cmd):
                             # Failed, probably /etc/krb5.keytab contains spaghetti
                             raise ValueError("Failed to initialize Kerberos service ticket using machine keytab")
+                    # TODO: better error reporting, kinit returns 1 for both: if replica name is not found or
+                    # client is not found in Kerberos database
                     assert os.path.exists("/tmp/ca.ticket"), "Ticket not created!"
                     click.echo("Initialized Kerberos service ticket using machine keytab")
                     kwargs["auth"] = HTTPKerberosAuth(mutual_authentication=OPTIONAL, force_preemptive=True)
             else:
                 click.echo("Not using machine keytab")
 
-            request_url = "https://%s:8443/api/request/" % authority_name
+            request_url = "https://%s:8443/api/request/" % replica_name
             if request_params:
                 request_url = request_url + "?" + "&".join(request_params)