Sssd broken with Fedora 41

Posting this here for visibility. It seems that upgrading to Fedora 41 breaks sssd domain login. This will manifest as login failures in GDM, and if you try to log in at a tty, /bin/login will say “System Error”.

The exact error I got was in /var/log/sssd/gpo_child.log:

[gpo_child[3101]] [prepare_gpo_cache] (0x0020): [RID#15] mkdir(/var/lib/sss/gpo_cache/domain.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}) failed: 13
[gpo_child[3101]] [gpo_cache_store_file] (0x0020): [RID#15] prepare_gpo_cache failed [13][Permission denied]

I was able to figure out that the systemd service chowns /var/lib/sss/gpo_cache/* to the sssd user that the daemon runs as, but does not recursively chown the subdirectories, which on my machine were all owned by root. This didn’t break f40 for some reason, but it did break f41.

I’m not entirely sure why this broke all of a sudden, nor what the state of this directory was prior to the upgrade - it’s just never been an issue until now.

The fix is simple - you need to boot into single-user mode or log in as a local user with root access and run chown -Rf sssd:sssd /var/lib/sss/gpo_cache/*.

2 Likes

sudo tee /etc/tmpfiles.d/sssd-var.conf << EOF > /dev/null
Z /var/lib/sss - sssd sssd
EOF
sudo systemd-tmpfiles --create --prefix=/var/lib/sss

tmpfiles.d: Configuration for creation, deletion, and cleaning of files and directories | systemd File Formats | Man Pages | ManKier

1 Like
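
A read-only check for the condition described in this thread, added here as an example and not taken from either poster or from the SSSD project: it extracts the errno 13 mkdir failures from gpo_child.log and lists cache entries not owned by sssd, which is useful both before and after applying a fix. The function names are made up for illustration; the paths and the sssd user and group come from the posts above, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.
# Nothing here modifies ownership, it only reports.

# Print each path that gpo_child failed to mkdir() with errno 13 (EACCES).
denied_paths() {      # $1 = path to gpo_child.log
    sed -n 's/.* mkdir(\(.*\)) failed: 13$/\1/p' "$1" | sort -u
}

# Walk up from a path that does not exist to the nearest ancestor that does.
# That directory's owner and mode decide whether mkdir() can succeed.
nearest_existing() {  # $1 = path
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Print every entry under a directory whose owner or group is not the expected one.
# User and group may be names or numeric ids.
wrong_owner() {       # $1 = dir, $2 = user, $3 = group
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Combine the two views: which directory blocked each failed mkdir,
# then everything in the cache that the daemon's user does not own.
report() {            # $1 = log, $2 = cache dir, $3 = user, $4 = group
    denied_paths "$1" | while IFS= read -r path; do
        anc=$(nearest_existing "$path")
        printf 'denied: %s\n  blocked by: %s (%s)\n' \
            "$path" "$anc" "$(stat -c '%U:%G mode %a' "$anc")"
    done
    echo "entries not owned by $3:$4 under $2:"
    wrong_owner "$2" "$3" "$4"
}

# Usage (as root, since the log and cache are not world-readable):
#   report /var/log/sssd/gpo_child.log /var/lib/sss/gpo_cache sssd sssd
```

An empty list under the last heading after running the chown or the tmpfiles.d rule means no root-owned subdirectories remain in the cache.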