Manually setting up FreeIPA Client on Archlinux

This post describes how I set up my Arch Linux boxes to authenticate against FreeIPA 4.2.3 running on Fedora 23.
The whole procedure could be scripted, but I had to work my way through it by trial and error.


  • Make sure the client's clock matches the FreeIPA server's; Kerberos rejects requests that fall outside its clock-skew tolerance.
  • Make sure both the IPA client and the IPA server resolve forward (A record) and reverse (PTR record).
  • Ensure that the client's hostname command returns the FQDN; this saves trouble later with HBAC and sudo rules, which match on the host name.
  • Double-check that you have the correct DNS entries if you are not using FreeIPA itself as your primary DNS server.


pacman -S sssd





Disable caching for passwords and groups
sssd keeps its own cache, and nscd sitting in front of it serves stale and negative entries, so in /etc/nscd.conf make sure the two enable-cache lines for passwd and group end in no instead of yes (the hosts cache can stay on).
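The client-side files this section walks through, as one added example script; it is not the original post's configuration, and the names in it (domain ipa.example.com, realm IPA.EXAMPLE.COM, server ipa.example.com, client arch01.ipa.example.com) are placeholders. It writes /etc/sssd/sssd.conf with the ipa providers, a matching /etc/krb5.conf, adds sss to the passwd, group and sudoers lines of /etc/nsswitch.conf and flips the two nscd.conf cache lines to no. Files go under a staging prefix (ROOT) so they can be reviewed first; sssd also needs the IPA CA certificate at /etc/ipa/ca.crt, which the server publishes at http://<server>/ipa/config/ca.crt.

```shell
#!/bin/sh
# Added example, not the original post's files: stage the client-side
# configuration of a manually enrolled FreeIPA client. All names are
# placeholders. ROOT is a staging prefix; run as root with ROOT="" for real.
set -eu

IPA_DOMAIN="${IPA_DOMAIN:-ipa.example.com}"            # assumed IPA domain
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"            # assumed server FQDN
CLIENT_FQDN="${CLIENT_FQDN:-arch01.ipa.example.com}"   # what `hostname` prints
ROOT="${ROOT-/tmp/ipa-staging}"

# IPA's default realm is the DNS domain in upper case.
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Subshell body keeps the umask local: sssd refuses to start when sssd.conf
# is readable by group or others. access_provider = ipa enforces HBAC here.
write_sssd_conf() (
    umask 077
    mkdir -p "$ROOT/etc/sssd"
    cat > "$ROOT/etc/sssd/sssd.conf" <<EOF
[sssd]
services = nss, pam, sudo
domains = $IPA_DOMAIN

[domain/$IPA_DOMAIN]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
sudo_provider = ipa
access_provider = ipa
ipa_domain = $IPA_DOMAIN
ipa_hostname = $CLIENT_FQDN
ipa_server = $IPA_SERVER
krb5_realm = $(realm_of "$IPA_DOMAIN")
krb5_keytab = /etc/krb5.keytab
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = True
EOF
)

write_krb5_conf() {
    realm=$(realm_of "$IPA_DOMAIN")
    mkdir -p "$ROOT/etc"
    cat > "$ROOT/etc/krb5.conf" <<EOF
[libdefaults]
default_realm = $realm
dns_lookup_kdc = true
rdns = false
forwardable = true

[realms]
$realm = {
  kdc = $IPA_SERVER:88
  admin_server = $IPA_SERVER:749
  default_domain = $IPA_DOMAIN
}

[domain_realm]
.$IPA_DOMAIN = $realm
$IPA_DOMAIN = $realm
EOF
}

# set_nss_source DB SOURCE: append SOURCE to DB's nsswitch.conf line (once).
set_nss_source() {
    f="$ROOT/etc/nsswitch.conf"
    [ -f "$f" ] || : > "$f"
    awk -v db="$1:" -v src="$2" '
        $1 == db { seen = 1; if (index(" " $0 " ", " " src " ") == 0) $0 = $0 " " src }
        { print }
        END { if (!seen) print db " files " src }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# sssd has its own cache; nscd must not cache passwd/group (hosts may stay).
disable_nscd_cache() {
    f="$ROOT/etc/nscd.conf"
    [ -f "$f" ] || return 0
    awk '$1 == "enable-cache" && ($2 == "passwd" || $2 == "group") { $3 = "no" }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

configure_client() {
    mkdir -p "$ROOT/etc"
    for f in nsswitch.conf nscd.conf; do   # when staging, start from live copies
        [ -f "$ROOT/etc/$f" ] || [ ! -f "/etc/$f" ] || cp "/etc/$f" "$ROOT/etc/$f"
    done
    write_sssd_conf
    write_krb5_conf
    for db in passwd group sudoers; do set_nss_source "$db" sss; done
    disable_nscd_cache
    echo "note: fetch http://$IPA_SERVER/ipa/config/ca.crt to $ROOT/etc/ipa/ca.crt" >&2
}

if [ "${1:-}" = apply ]; then configure_client; fi
```

Run it once without arguments to define the functions, or with `apply` to write the files; with ROOT left at its default the result lands under /tmp/ipa-staging for inspection. The 0600 mode on sssd.conf is not cosmetic: sssd exits at startup if the file is wider than that, and the file may later hold an LDAP bind password.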



On the IPA Server

Add your new client to IPA

In case IPA is also your DNS server and there is already a record for it:


Create a Kerberos keytab and transfer it to your client

Copy /tmp/ipaclient.keytab to
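The server-side part, as an added example that is not the post's own commands: a small wrapper around ipa host-add and ipa-getkeytab followed by the copy to the client, meant to be run on the IPA server after kinit admin. The client name arch01.ipa.example.com, the address 192.0.2.10 and the destination /etc/krb5.keytab are assumptions, the last being where sssd's ipa provider looks by default. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the original post's commands: enrol the client on the
# IPA server and fetch its host keytab. Run after `kinit admin`. Host names
# and the address are placeholders; DRY_RUN=1 only prints the commands.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # assumed server FQDN
CLIENT="${CLIENT:-arch01.ipa.example.com}"    # must equal `hostname` on the client
CLIENT_IP="${CLIENT_IP:-}"                    # empty: DNS already has a record
KEYTAB="${KEYTAB:-/tmp/ipaclient.keytab}"

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# host_principal FQDN: host/<fqdn>@<REALM>. The realm defaults to the
# upper-cased DNS domain of the client, IPA's default layout; set IPA_REALM
# when your realm differs from the domain.
host_principal() {
    printf 'host/%s@%s' "$1" "${IPA_REALM:-$(realm_of "${1#*.}")}"
}

# enroll_host FQDN [IP]: create the host entry. When IPA serves DNS,
# --ip-address also creates the A and PTR records; without it the name
# must already resolve, which IPA checks before accepting the host.
enroll_host() {
    if [ -n "${2:-}" ]; then
        run ipa host-add --ip-address="$2" "$1"
    else
        run ipa host-add "$1"
    fi
}

# fetch_keytab FQDN FILE: generate a fresh key for the host principal.
# ipa-getkeytab creates a NEW key by default, so any keytab issued earlier
# for this principal stops working; run it once per client.
fetch_keytab() {
    run ipa-getkeytab -s "$IPA_SERVER" -p "$(host_principal "$1")" -k "$2"
}

# ship_keytab FQDN FILE: copy to the client, lock it down, remove the copy
# from /tmp on the server so the key does not linger there.
ship_keytab() {
    run scp -p "$2" "root@$1:/etc/krb5.keytab"
    run ssh "root@$1" chmod 600 /etc/krb5.keytab
    run rm -f "$2"
}

# verify_keytab FQDN: on the client, list the keys and obtain a TGT with them.
verify_keytab() {
    run ssh "root@$1" "klist -kt /etc/krb5.keytab && kinit -kt /etc/krb5.keytab host/$1 && kdestroy"
}

if [ "${1:-}" = apply ]; then
    enroll_host "$CLIENT" "$CLIENT_IP"
    fetch_keytab "$CLIENT" "$KEYTAB"
    ship_keytab "$CLIENT" "$KEYTAB"
    verify_keytab "$CLIENT"
fi
```

If kinit on the client fails with a clock-skew or "cannot find KDC" error, that points back at the prerequisites at the top of the post (time and DNS), not at the keytab.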


First Tests

Time for a first test to see if we can already retrieve information about IPA users:

Restart nscd

Restart sssd

Retrieve passwd information

Try to query any user with POSIX attributes that you created on your IPA server.

If you want to make sure you do not hit a local record, you can qualify the name with your domain like this:

It should return something like this:
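An added check for this step, not from the original post, that goes one step further than qualifying the name with the domain: glibc's getent accepts -s sss to query a single NSS source, so the lookup cannot be satisfied by /etc/passwd at all, and a second lookup with -s files reveals a local account that would shadow the IPA one because files comes first in nsswitch.conf. The user names are placeholders and the uid threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: confirm an IPA user is served by
# sssd and is not shadowed by a local account. `getent -s` queries one NSS
# source at a time. User names are placeholders.
set -eu

MIN_IPA_UID="${MIN_IPA_UID:-1000}"   # assumed: local system accounts stay below 1000

# Print the passwd entry for NAME as served by the sss module only.
sss_passwd() { getent -s sss passwd "$1"; }

# field N ENTRY: field N of a colon-separated passwd entry.
field() { printf '%s\n' "$2" | cut -d: -f"$1"; }

# verify_ipa_user NAME
#   0  resolved via sss, sane uid, primary group resolves, no local clash
#   1  not known to sssd (check sssd.conf, keytab, time and DNS, then the logs)
#   2  a local /etc/passwd entry with the same name wins in nsswitch order
#   3  uid below MIN_IPA_UID, i.e. it overlaps the local system range
#   4  primary group does not resolve via sss
verify_ipa_user() {
    name=$1
    if ! entry=$(sss_passwd "$name"); then
        echo "$name: not found via sss" >&2; return 1
    fi
    if getent -s files passwd "$name" >/dev/null 2>&1; then
        echo "$name: shadowed by a local account" >&2; return 2
    fi
    uid=$(field 3 "$entry"); gid=$(field 4 "$entry")
    if [ "$uid" -lt "$MIN_IPA_UID" ]; then
        echo "$name: uid $uid overlaps the local range" >&2; return 3
    fi
    if ! getent -s sss group "$gid" >/dev/null 2>&1; then
        echo "$name: primary gid $gid not found via sss" >&2; return 4
    fi
    echo "$name: uid=$uid gid=$gid home=$(field 6 "$entry") shell=$(field 7 "$entry")"
}

if [ $# -gt 0 ]; then
    rc=0
    for u in "$@"; do verify_ipa_user "$u" || rc=$?; done
    exit $rc
fi
```

A return code of 2 is the case the domain-qualified lookup above is meant to catch: the IPA entry exists, but any login as that name would still authenticate against the local account.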


I recommend not starting on PAM before the getent command above succeeds! A PAM stack that points at an NSS source which cannot resolve users can lock you out of the box, so keep a second root session open while testing.


Create a new file named /etc/pam.d/sss

login, ssh, sudo, su, passwd

These are the services that I found mandatory for my environment.
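One way to build that file and wire it into the listed services, as an added example that is not the post's own PAM configuration: the script writes /etc/pam.d/sss and inserts a `<type> include sss` line into each service file ahead of the line that hands over to pam_unix or to a system-* include, so service-specific guards such as pam_securetty, pam_nologin and pam_rootok keep running first. The module order and control flags are assumptions based on a stock Arch stack (pam_unix with try_first_pass); the sssd, nsswitch and keytab setup from the earlier sections is assumed to be in place. Test every service with both a local and an IPA user from a second root session before logging out.

```shell
#!/bin/sh
# Added example, not the original post's PAM files: write /etc/pam.d/sss with
# the pam_sss lines and include it from the per-service files the post lists.
# The module order below is an assumption that must be tested per service.
set -eu

ROOT="${ROOT-/tmp/ipa-staging}"                  # "" edits the live /etc/pam.d
SERVICES="${SERVICES:-login sshd sudo su passwd}"

write_pam_sss() {
    mkdir -p "$ROOT/etc/pam.d"
    cat > "$ROOT/etc/pam.d/sss" <<'EOF'
#%PAM-1.0
# Included from per-service files as "<type> include sss".
# auth is sufficient: an IPA user succeeds here and never reaches the
# required pam_unix line, which would fail for a user absent from /etc/shadow.
# forward_pass leaves the typed password on the stack so a later pam_unix
# with try_first_pass does not prompt local users a second time.
auth      sufficient  pam_sss.so forward_pass
# sssd enforces HBAC here; users sssd does not know fall through to pam_unix.
account   [default=bad success=ok user_unknown=ignore] pam_sss.so
password  sufficient  pam_sss.so
session   optional    pam_mkhomedir.so umask=0077
session   optional    pam_sss.so
EOF
}

# include_sss FILE TYPE...: insert "<type> include sss" before the first line
# of that type that includes another file or calls pam_unix.so, so guards like
# pam_securetty/pam_nologin/pam_rootok stay in front of it. Types the file does
# not use are skipped; a type with no such anchor is appended at the end and
# should be reviewed by hand. Re-running is a no-op.
include_sss() {
    f=$1; shift
    for t in "$@"; do
        grep -Eq "^$t[[:space:]]" "$f" || continue
        grep -Eq "^$t[[:space:]]+include[[:space:]]+sss([[:space:]]|$)" "$f" && continue
        awk -v t="$t" '
            !done && $1 == t && ($2 == "include" || $2 == "substack" || /pam_unix\.so/) {
                print t "\tinclude\tsss"; done = 1
            }
            { print }
            END { if (!done) print t "\tinclude\tsss" }
        ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

configure_pam() {
    write_pam_sss
    for s in $SERVICES; do
        f="$ROOT/etc/pam.d/$s"
        [ -f "$f" ] || { echo "skipping $s: $f not found" >&2; continue; }
        include_sss "$f" auth account password session
    done
}

if [ "${1:-}" = apply ]; then configure_pam; fi
```

The account line is the one that turns HBAC into an actual access decision on this host; leaving it out means any IPA user with a valid password gets in, whatever the server's rules say.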






Other Services

All the services mentioned from here on have not been tested thoroughly by me. I just created this configuration by reverse engineering a random script found on the internet.
















