How to move a SSSD registered host to another REALM?

How does one properly move a host that is registered to one Active Directory domain through sssd (AD-based config) to another? I'm attempting to move hosts from TEST.REALM to REALM domains.

I've attempted to do this through performing:

1) net ads leave (which worked)
2) verifying the host is no longer in AD's computers sub-suffix
3) updating the /etc/sssd/sssd.conf, /etc/samba/smb.conf, and /etc/krb5.conf
4) cleared out the old /etc/krb5.keytab that had principals from the old realm
5) re-running the authconfig commands I used during setup
6) flushing the sssd cache with sss_cache -E
7) re-registering the host by kinit'ing as an administrator in the REALM and then running the net ads join -k command (which works)

When I attempt to test this change over by logging in as a user unique to the new realm/domain.... I get the following message:

Jan 18 22:11:19 host-1 [sssd[ldap_child[4921]]]: Error processing keytab file [MEMORY:/etc/krb5.keytab]: Principal [HOST-1$@TEST.REALM] was not found. Unable to create GSSAPI-encrypted LDAP connection.

I cannot figure out where the system is picking up HOST-1$@TEST.REALM; it's not present in the configuration files I mention, and it is not in the new /etc/krb5.keytab after the new run of the net ads join... am I missing something on the cleanup/move steps I list? (And does anyone have a pointer to discussion around moving systems this way?)

Thanks in advance.


I have also performed the following clearing up of files on the hosts in question

rm -f /var/lib/sss/mc/*
rm -f /var/lib/sss/db/*
rm -f /var/lib/sss/pubconf/*

and restart of the sssd service.

OK, it's working now.

The key to it was to make sure to STOP the sssd service before attempting to remove the file paths I indicated. I stopped the service and removed those paths at the recommendation of team members and this blog discussion on clearing the SSSD cache.
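An added example, not part of Todd's post or of any Red Hat or SSSD tooling: a small POSIX sh script that flushes the SSSD cache in the order the solution above calls for (stop the service first, then remove the cache files, then start it again) and afterwards scans the system keytab for principals still belonging to the old realm, which is what the `HOST-1$@TEST.REALM` error in the question pointed at. It assumes systemd, MIT Kerberos `klist`, and the realm names from this thread as placeholders.

```shell
#!/bin/sh
# Example script (not from the original post): re-home an SSSD/AD host.
# Assumes systemd and MIT Kerberos klist; realm names are thread placeholders.
set -e

OLD_REALM="${OLD_REALM:-TEST.REALM}"
NEW_REALM="${NEW_REALM:-REALM}"

# Read 'klist -k' output on stdin and print every principal whose realm
# suffix is still OLD_REALM. Pure text filter, so it can be tested offline.
# Typical klist -k line: "   2 HOST-1$@TEST.REALM"
stale_principals() {
    awk -v realm="@${OLD_REALM}" '{
        p = $2; n = length(realm)
        if (n > 0 && length(p) >= n && substr(p, length(p) - n + 1) == realm)
            print p
    }'
}

# Flush SSSD state the way the thread's solution does. sssd must be stopped
# first; removing the cache while it runs leaves the daemon with stale state.
flush_sssd_cache() {
    systemctl stop sssd
    rm -f /var/lib/sss/mc/* /var/lib/sss/db/* /var/lib/sss/pubconf/*
    systemctl start sssd
}

# Return 0 when /etc/krb5.keytab holds no principals for OLD_REALM, else 1.
check_keytab() {
    stale="$(klist -k /etc/krb5.keytab | stale_principals)"
    if [ -n "$stale" ]; then
        echo "principals for ${OLD_REALM} remain in /etc/krb5.keytab:" >&2
        echo "$stale" >&2
        return 1
    fi
    echo "keytab clean for move to ${NEW_REALM}"
    return 0
}

# Only touch the system when invoked with "run"; sourcing just defines functions.
if [ "${1:-}" = "run" ]; then
    flush_sssd_cache
    check_keytab
fi
```

Run it as `sh rehome.sh run` after `net ads join -k` has succeeded; a non-zero exit means the old realm's entries were not cleared from the keytab and a fresh join is needed.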

Hi Todd,

Thanks for sharing the solution!