>     It depends on what the expectations are for these user-owned machines.
>
>
> Only expectation is to be able to log in to a server, get access to
> their home directory and be able to do their assignments, e.g., C++,
> Java or Python programming.
>  
>
>     If you don't need IPA identities and IPA users won't log into them, then
>     they only need a working krb5.conf and DNS configured on them.
>
>
> So each device needs to drop in the krb5.conf file from the FreeIPA
> server? How does this work on a Windows client?

From the server? I wouldn't. It is likely going to need some hand-tuning
depending on your configuration. For example the server is going to have
a hardcoded KDC in it. You may or may not want that.

>
>     So your students would log into their own controlled machine using their
>     own local account, kinit student123@univ.edu
>     <mailto:student123@univ.edu> and ssh using their
>     credentials.
>
>     The krb5.conf will tell the student machine how to contact the KDC.
>     That's all that is necessary (beyond working DNS).
>
>
> I just tried this on another Fedora 33 workstation, dropped in the
> /etc/krb5.conf file and all I get is:
> kinit: No KCM server found while getting default ccache

You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to
change the default ccache type, or comment out the includes in krb5.conf
(probably easier).

> I'm puzzled as to what we'd need to tell/provide to a student, who is
> enrolled remotely and can't come on campus, to be able to connect to our
> server via their Windows or Mac laptop. 

I don't know about Windows. I used the Windows MIT Kerberos packages a
decade or more ago and they worked fine with PuTTY (and IPA with
discovery) but whether that applies now or not I have no idea.

Mac I think should work similar to Linux: provide a krb5.conf and things
should just work. Again, you'll likely have to tweak the configuration
depending on what version of MIT Mac ships these days.