A typical Active Directory or FreeIPA deployment assumes strong trust between the domain controllers and client systems enrolled into the domain. Kerberos configuration, machine credentials, TLS certificates and their CA chains are unique to each environment and not all this information can be made public as a part of a generally available image. Additional packages need to be present in the image to make sure enrollment is succesfull as well. On-demand domain enrollment, adjustment of the configurations to enable use of single sign-on services, and many other features provided by traditional Fedora don't work well with Silverblue images.

This talk is an investigation on what is needed to adjust Samba, FreeIPA, and SSSD clients to work properly with CoreOS/Silverblue-based deployments. It is based on a 1.5 year experiment of running own automatically rebased Silverblue images for a FreeIPA client in custom domain environment.