Join FreeIPA

This guide describes how to join a Gentoo host to an existing FreeIPA domain. It does NOT describe how to install a FreeIPA server.

FQDN must work
The hostname returned by the system must match the hostname registered in IPA and the hostname in the primary principal of the keytab.

USE flags
You must enable the following USE flags:

IPA Server part
Log in to your FreeIPA server, add the host (ipa host-add) and fetch its keytab (ipa-getkeytab).

Configuration
Change $IPA_DOMAIN to your FreeIPA domain and $IPA_SERVER to your FreeIPA server. Change $REALM.COM to your FreeIPA Kerberos realm, and $domain.com to your DNS domain.

PAM
Enable SSS (pam_sss) in PAM:

sshd
Set up sshd:

Usage
To obtain the host/hostname.domain.com@REALM.COM ticket that your host uses to prove its identity, try:

This shows that your Gentoo host can use /etc/sssd/sssd.conf, /etc/krb5.conf and /etc/krb5.keytab to talk to FreeIPA over LDAP with SASL, secured by Kerberos.

This will print the membership of $USERNAME in local and FreeIPA groups, which means that you can query FreeIPA over LDAP.

This will print the sudo rules that come from FreeIPA's HBAC.
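As an added example that is not part of the original wiki page, the following POSIX shell script checks the FQDN rule from the start of this guide against the keytab listing and then requests the host ticket described above; the hostname gentoo.example.com and realm EXAMPLE.COM in the embedded sample are constructed, and the real realm is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: verify that the host's FQDN,
# the principal in /etc/krb5.keytab and the realm agree before trusting sssd.

# Return 0 if $1 looks fully qualified (contains at least one dot).
fqdn_is_qualified() {
    case $1 in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# keytab_has_host_principal FQDN REALM LISTING
# LISTING is the text printed by `klist -k`; succeed only if it contains the
# exact principal host/FQDN@REALM as a whole token (dots are escaped so that
# host/gentoo.example.com does not match host/gentooXexample.com).
keytab_has_host_principal() {
    escaped=$(printf '%s' "host/$1@$2" | sed 's/[.]/\\./g')
    printf '%s\n' "$3" | grep -q -E "(^|[[:space:]])${escaped}([[:space:]]|\$)"
}

# check_host REALM: run the real checks on this machine (reading the keytab
# needs root). Returns non-zero on the first failed check.
check_host() {
    realm=$1
    fqdn=$(hostname -f 2>/dev/null) || { echo 'hostname -f failed' >&2; return 1; }
    fqdn_is_qualified "$fqdn" || { echo "'$fqdn' is not an FQDN" >&2; return 1; }
    listing=$(klist -k 2>/dev/null) || { echo 'cannot read keytab' >&2; return 1; }
    keytab_has_host_principal "$fqdn" "$realm" "$listing" \
        || { echo "host/$fqdn@$realm not in keytab" >&2; return 1; }
    # Obtain the host TGT from the keytab, the same ticket the Usage section shows.
    kinit -k "host/$fqdn@$realm" || return 1
    echo "host/$fqdn@$realm: FQDN, keytab and ticket OK"
}

# Constructed sample of `klist -k` output for offline self-checking.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------
   1 host/gentoo.example.com@EXAMPLE.COM
   1 host/gentoo.example.com@EXAMPLE.COM'

# Usage: ./check-ipa-host.sh REALM.COM
if [ "$#" -ge 1 ]; then
    check_host "$1"
fi
```

Run it as root after the keytab is in place; each failed check names the mismatch (short hostname, missing principal, wrong realm) that would otherwise surface only as an opaque sssd or GSSAPI error.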

Troubleshooting
It is also useful to troubleshoot sssd like this:

External resources

 * FreeIPA project