Posting this here for visibility. It seems that upgrading to Fedora 41 breaks sssd domain login. This will manifest as login failures in GDM, and if you try to log in at a tty, /bin/login will say “System Error”.
The exact error I got was in /var/log/sssd/gpo_child.log:
[gpo_child[3101]] [prepare_gpo_cache] (0x0020): [RID#15] mkdir(/var/lib/sss/gpo_cache/domain.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}) failed: 13
[gpo_child[3101]] [gpo_cache_store_file] (0x0020): [RID#15] prepare_gpo_cache failed [13][Permission denied]
I was able to figure out that the systemd service chowns /var/lib/sss/gpo_cache/* to the sssd user that the daemon runs as, but does not recursively chown the subdirectories, which on my machine were all owned by root. This didn’t break f40 for some reason, but it did break f41.
I’m not entirely sure why this broke all of a sudden, nor what the state of this directory was prior to the upgrade - it’s just never been an issue until now.
The fix is simple - you need to boot into single-user mode or log in as a local user with root access and run:
chown -Rf sssd:sssd /var/lib/sss/gpo_cache/*
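A read-only check for the ownership mismatch described in the post, as an added example that is not part of the original post: it lists entries below the GPO cache that are not owned by the expected account, so the tree can be inspected before and after a recursive chown. The function names are hypothetical, and GNU find and stat (as shipped on Fedora) are assumed.

```shell
#!/bin/sh
# Read-only audit of an SSSD GPO cache tree for wrongly owned entries.
# Function names are hypothetical; GNU find and stat are assumed.

# list_misowned DIR USER GROUP
# Print "uid:gid mode path" for every entry below DIR whose owner is not USER
# or whose group is not GROUP (names or numeric IDs). Changes nothing.
list_misowned() {
    [ -d "$1" ] || return 2
    find "$1" -mindepth 1 \( ! -user "$2" -o ! -group "$3" \) \
        -exec stat -c '%u:%g %a %n' {} +
}

# count_misowned DIR USER GROUP
# Print the number of such entries; return 2 if DIR is missing or find fails
# (for example because USER does not exist on this machine).
count_misowned() {
    out=$(list_misowned "$@") || return 2
    if [ -z "$out" ]; then
        echo 0
    else
        printf '%s\n' "$out" | wc -l | tr -d ' '
    fi
}

# audit_gpo_cache [DIR [USER [GROUP]]]
# Defaults are the path and account named in the post.
# Returns 0 when the tree is consistent, 1 when entries are misowned.
audit_gpo_cache() {
    cache=${1:-/var/lib/sss/gpo_cache}
    owner=${2:-sssd}
    group=${3:-sssd}
    n=$(count_misowned "$cache" "$owner" "$group") || {
        echo "cannot audit $cache as $owner:$group" >&2
        return 2
    }
    if [ "$n" -eq 0 ]; then
        echo "OK: everything under $cache is owned by $owner:$group"
        return 0
    fi
    list_misowned "$cache" "$owner" "$group"
    echo "$n entries under $cache are not owned by $owner:$group" >&2
    return 1
}

# Run the audit only when asked, e.g.: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_gpo_cache
fi
```

Reading the cache tree normally requires root, so run the audit from the same root shell used for the fix.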