ssh, sshd, the NFS client (Kerberized NFS version 3 and 4), Chrome and Firefox (SPNEGO) all support Kerberos.
I think “join the domain” would simply mean that login uses IPA. I assume you can do that, though I haven’t tried. I do kinit manually. Once I have a TGT from kinit, everything else works.
Edit /etc/ssh/ssh_config. Add "GSSAPIAuthentication yes".
Firefox. Here’s what the IPA web client says:
Import CA certificate for your IPA realm. This assumes you’re not using a commercial cert, which should use a CA that the system already knows about.
• Make sure you select all three checkboxes.
• In the address bar of Firefox, type about:config to display the list of current configuration options.
• In the Filter field, type negotiate to restrict the list of options.
• Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
• Enter the name of the domain against which you want to authenticate, for example, .example.com.