Red Hat Customer Portal
  • Comments

    • How to move a SSSD registered host to another REALM?

    Posted on

    How does one properly move a host that is registered from one Active Directory domain through sssd (ad based config)? I'm attempting to move hosts from TEST.REALM to REALM domains.

    I've attempted to do this through performing:

    1) net ads leave (which worked)
    2) verifying the host is no longer in AD's computers sub-suffix
    3) updating the 

    /etc/sssd/sssd.conf
    , 
    /etc/samba/smb.conf
    , and 
    /etc/krb5.conf

    4) cleared out the old 
    /etc/krb5.keytab
    that had principals from the old realm
    5) re-running the authconfig commands I used during setup
    6) flushing the sssd cache with 
    sss_cache -E

    7) re-registering the host by kinit'ing as a administrator in the REAM and then running the 
    net ads join -k
    command (which works)

    When I attempt to test this change over by logging in as a user unique to the new realm/domain.... I get the following message:

    Jan 18 22:11:19 host-1 [sssd[ldap_child[4921]]]: Error processing keytab file [MEMORY:/etc/krb5.keytab]: Principal [HOST-1$@TEST.REALM] was not found. Unable to create GSSAPI-encrypted LDAP connection.

    I can not figure out where the system is picking up HOST-1$@TEST.REALM, its not present in the configuration files I mention, it is not in the new 

    /etc/krb5.keytab
    after the new run of the net ads join... am I missing something on the cleanup/move steps I list? (and does anyone have a pointer to discussion around moving systems this way?)

    Thanks in advance.

    by

    points

    Responses

    Red Hat
    © 2025 Red Hat, Inc.