I run a Samba Active Directory in my homelab, with a WireGuard VPN to my dad’s house between my MikroTik router and his.
I recently reinstated the HPE ProLiant ML30 Gen9 running Rocky Linux 10 colocated at his house. With that, I rejoined the server to a new AD domain I made. I wasn’t able to log in, since the SSSD cache doesn’t get flushed on a rejoin.
While I used this guide on Rocky Linux, it should be the same on AlmaLinux, CentOS or RHEL.
Going back, the error I got was:
Feb 13 15:11:01 oldsai.sc.lan krb5_child[2258]: Invalid UID in persistent keyring name
Feb 13 15:11:01 oldsai.sc.lan sshd-session[2254]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=blackbird
Feb 13 15:11:01 oldsai.sc.lan sshd-session[2254]: pam_sss(sshd:auth): received for user blackbird: 4 (System error)
To fix this, first stop sssd:
systemctl stop sssd
Clear the cache with sss_cache:
sss_cache -E
Now remove the stray cache files:
rm -f /var/lib/sss/db/*
Note: this command is important, as SSSD doesn’t flush caches upon unjoining and rejoining, even with different user IDs.
Now start sssd:
systemctl start sssd
The error should go away. Keep in mind that if UIDs changed for a particular user, you will need to delete or chown their home directory.
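To find which home directories are affected by a UID change, the following script compares each directory's on-disk owner with the UID the user resolves to now. It is an added example, not part of the original post; the function names find_stale_homes and resolve_uid are made up for illustration, and it assumes home directories are named after the login name, that `id -u` resolves domain users through SSSD, and that GNU stat is available. It only reports mismatches and changes nothing.

```shell
#!/bin/sh
# Added example (not from the original post): report home directories whose
# owner UID on disk differs from the UID the user resolves to after a rejoin.

# resolve_uid NAME: print the UID NAME currently resolves to.
# Assumption: on a joined host `id -u` goes through NSS and therefore SSSD.
resolve_uid() {
    id -u "$1" 2>/dev/null
}

# find_stale_homes BASE: for every directory under BASE print
#   "<name> <uid_on_disk> <uid_now>"        when the two UIDs differ
#   "<name> <uid_on_disk> unresolved"       when the name no longer resolves
# Assumption: each directory under BASE is named after its login name.
find_stale_homes() {
    base=$1
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue              # glob matched nothing
        name=$(basename "$dir")
        disk_uid=$(stat -c %u "$dir") || continue
        if cur_uid=$(resolve_uid "$name"); then
            if [ "$disk_uid" != "$cur_uid" ]; then
                printf '%s %s %s\n' "$name" "$disk_uid" "$cur_uid"
            fi
        else
            printf '%s %s unresolved\n' "$name" "$disk_uid"
        fi
    done
}

# Run only when a base directory is given, e.g.: sh stale-homes.sh /home
if [ -n "${1:-}" ]; then
    find_stale_homes "$1"
fi
```

Run it after sssd is started again, so that names resolve against the new domain rather than the old cache.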
Source. Thanks, Jarrod Farncomb.