A while ago I started using FreeIPA as my central authentication service (not yet fully transitioned).
To benefit not only from a centralized place to store and change credentials (passwords, One-Time-Pads, keys) but also from single sign-on, the (mobile) desktop must be integrated too.
Install and configure freeipa
For the ipa-client I mostly followed this howto. With admin credentials execute sudo apt-get install freeipa-client
Make sure your DNS recursor can resolve DNS entries inside your IPA domain and that the hostname is a fully qualified domain name (FQDN).
After that, you should be able to install the freeipa-client by executing sudo ipa-client-install --mkhomedir --server=ipaserver.domain.name --domain domain.name and answering yes when asked whether to continue.
Later an IPA user is needed that is able to enrol new computers, that's it.
Implement the small „mkhomedir-bugfix“: put the following pam-auth-update profile (Session-Type and Session header included, otherwise pam-auth-update ignores the module line)
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel
in the file /usr/share/pam-configs/mkhomedir, then execute pam-auth-update and enable mkhomedir.
Also make sure that the file /etc/nsswitch.conf contains the following lines:
passwd: compat sss
group: compat sss
After a reboot, you should be able to log in with any IPA user that the IPA rules allow. If the username is an already existing local user, delete the local user and chown the data to the „new“ user before logging in.
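A small post-enrolment check for the steps above, added here as an example (not part of the howto or of FreeIPA): it verifies that an nsswitch.conf lists sss for passwd and group, that the pam-configs profile carries the fields pam-auth-update needs, and that a hostname is an FQDN. The sample files are constructed inline; on a real client pass /etc/nsswitch.conf, /usr/share/pam-configs/mkhomedir and the output of hostname -f.

```shell
#!/bin/sh
# Post-enrolment sanity checks for a FreeIPA client (added example, not part
# of the original howto). Every check takes its input as an argument so it can
# run offline against the constructed samples at the bottom.

# Succeed when every named nsswitch database lists "sss" as a source.
# Comment lines do not count; a database without sss fails the check.
nss_has_sss() {
    file=$1; shift
    for db in "$@"; do
        grep -Eq "^[[:space:]]*${db}:([[:space:]]+[^[:space:]#]+)*[[:space:]]+sss([[:space:]]|$)" "$file" || return 1
    done
}

# Succeed when a pam-configs profile carries every field pam-auth-update
# needs to activate pam_mkhomedir and actually references the module.
pam_profile_ok() {
    for key in Name Default Priority Session-Type Session; do
        grep -Eq "^${key}:" "$1" || return 1
    done
    grep -q 'pam_mkhomedir\.so' "$1"
}

# Succeed when the hostname is fully qualified: two or more labels of
# letters, digits and hyphens, no leading or trailing dot.
is_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$'
}

# Run all checks, print PASS/FAIL per check, return the number of failures.
check_client() {
    nss=$1 pam=$2 host=$3 fails=0
    nss_has_sss "$nss" passwd group && echo "PASS nsswitch sss" || { echo "FAIL nsswitch sss"; fails=$((fails+1)); }
    pam_profile_ok "$pam" && echo "PASS pam mkhomedir profile" || { echo "FAIL pam mkhomedir profile"; fails=$((fails+1)); }
    is_fqdn "$host" && echo "PASS fqdn $host" || { echo "FAIL fqdn $host"; fails=$((fails+1)); }
    return $fails
}

# Constructed samples: a correct nsswitch.conf, one that forgot sss on group,
# and the mkhomedir profile from the text above.
good_nss=$(mktemp); printf 'passwd: compat sss\ngroup:  compat sss\nshadow: compat\n' > "$good_nss"
bad_nss=$(mktemp);  printf 'passwd: compat sss\ngroup:  compat\n' > "$bad_nss"
profile=$(mktemp)
printf 'Name: activate mkhomedir\nDefault: yes\nPriority: 900\nSession-Type: Additional\nSession:\n\trequired pam_mkhomedir.so umask=0022 skel=/etc/skel\n' > "$profile"

check_client "$good_nss" "$profile" laptop.domain.name        # three PASS lines, exit 0
check_client "$bad_nss"  "$profile" laptop || true             # FAIL nsswitch and FAIL fqdn
rm -f "$good_nss" "$bad_nss" "$profile"
```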