I’ve gotten used to having freeipa-client available in dnf or apt repos, so I’ve rarely setup clients manually. However, I did today in Raspbian on my Raspberry Pi. I wanted to document it here mainly for my own memory. It was extremely straightforward but there were a couple tweaks needed. (In this doc “example.com” replaces my domain).

On the Pi install sssd, libnss-sss, libpam-sss, openssh-server krb5-user, and krb5-config.

On the FreeIPA server:

$ kinit admin

$ ipa host-add --ip-address= pi.example.com

$ ipa host-add-managedby --hosts=freeipa.example.com pi.example.com

$ ipa-getkeytab -s freeipa.example.com -p host/pi.example.com -k /tmp/pi.keytab

$ scp /tmp/pi.keytab pi:/etc/krb5.keytab

This mostly took care of it but the SSSD conf file needed to be configured. I had an old config from another server that needed to be “upgraded” using this script leaving me with this in /etc/sssd/sssd.conf:

config_file_version = 2


cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = pi.example.com
chpass_provider = ipa
ipa_server = _srv_, freeipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
services = nss, sudo, pam, ssh

domains = example.com
homedir_substring = /home






Then, in FreeIPA’s web interface, I went to Authentication > Certificates and open up CN=Certificate Authority,O=EXAMPLE.COM (serial number 1 in my case), copied the certificate value, and pasted it into /etc/ipa/ca.crt on my Pi.

I then opened /etc/ssh/sshd_config and changed GSSAPIAuthentication to “yes”. Once I restarted SSSD and SSH, everything worked like a charm