FreeIPA and Raspbian

I've gotten used to having freeipa-client available in dnf or apt repos, so I've rarely set up clients manually. However, I did today in Raspbian on my Raspberry Pi. I wanted to document it here mainly for my own memory. It was extremely straightforward, but there were a couple of tweaks needed. (In this doc "" replaces my domain.)

On the Pi, install sssd, libnss-sss, libpam-sss, openssh-server, krb5-user, and krb5-config.

On the FreeIPA server:

$ kinit admin

$ ipa host-add --ip-address=

$ ipa host-add-managedby

$ ipa-getkeytab -s -p host/ -k /tmp/pi.keytab

$ scp /tmp/pi.keytab pi:/etc/krb5.keytab

This mostly took care of it, but the SSSD conf file needed to be configured. I had an old config from another server that needed to be "upgraded" using this script, leaving me with this in /etc/sssd/sssd.conf:

config_file_version = 2


cache_credentials = True  
krb5_store_password_if_offline = True  
ipa_domain =  
id_provider = ipa  
auth_provider = ipa  
access_provider = ipa  
ipa_hostname =  
chpass_provider = ipa  
ipa_server = _srv_,  
ldap_tls_cacert = /etc/ipa/ca.crt  
services = nss, sudo, pam, ssh

domains =  
homedir_substring = /home
Then, in FreeIPA's web interface, I went to Authentication > Certificates and opened up CN=Certificate Authority,O=EXAMPLE.COM (serial number 1 in my case), copied the certificate value, and pasted it into /etc/ipa/ca.crt on my Pi.

I then opened /etc/ssh/sshd_config and changed GSSAPIAuthentication to "yes". Once I restarted SSSD and SSH, everything worked like a charm.
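
A manual enrollment like this skips the checks ipa-client-install would normally make, so here is a post-setup check for the Pi, as an added example that is not part of the original post. It assumes the keytab (the host's long-term Kerberos key) and sssd.conf should be owned by uid 0 with mode 600; the function names and the --run switch are made up for this example.

```shell
#!/bin/sh
# Added example: post-setup checks for a manually enrolled FreeIPA client.
# Paths are the ones from the post; uid 0 / mode 600 is an assumed policy.

# Succeeds only if file $1 exists, is owned by uid $2 (default 0) and is mode 600.
check_secret_file() {
    csf_path=$1
    csf_want=${2:-0}
    if [ ! -f "$csf_path" ]; then
        echo "MISSING $csf_path"
        return 1
    fi
    csf_mode=$(stat -c %a "$csf_path")   # GNU stat, as shipped on Raspbian
    csf_uid=$(stat -c %u "$csf_path")
    if [ "$csf_mode" != 600 ] || [ "$csf_uid" != "$csf_want" ]; then
        echo "WEAK    $csf_path (uid=$csf_uid mode=$csf_mode, want uid=$csf_want mode=600)"
        return 1
    fi
    echo "OK      $csf_path"
}

# sshd keeps the first value it reads for a keyword, so only the first
# uncommented GSSAPIAuthentication line in file $1 counts (case-insensitive).
sshd_gssapi_enabled() {
    awk 'tolower($1) == "gssapiauthentication" { v = tolower($2); exit }
         END { exit !(v == "yes") }' "$1"
}

main() {
    rc=0
    check_secret_file /etc/krb5.keytab || rc=1
    check_secret_file /etc/sssd/sssd.conf || rc=1
    if sshd_gssapi_enabled /etc/ssh/sshd_config; then
        echo "OK      GSSAPIAuthentication yes"
    else
        echo "FAIL    GSSAPIAuthentication is not yes in sshd_config"
        rc=1
    fi
    # List the keytab's principals; the host/ entry for this Pi should appear.
    klist -k /etc/krb5.keytab || rc=1
    return "$rc"
}

# Run only when asked: sudo sh check-ipa-client.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Once the checks pass, the copy of the keytab left in /tmp on the FreeIPA server can be deleted, since anyone who can read it can act as the Pi's host principal.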