On Fri, Sep 5, 2025 at 12:24 PM Travis Bean via sssd-users
<[email protected]> wrote:

> It would be a good idea for this information about file ownership
> and permission requirements to be included in documentation located
> at /usr/share/doc/sssd-common/README.

It is already included in the documentation.  As I mentioned in my
previous message, sssd.conf(5) states:

    sssd.conf must be a regular file that is accessible only by the
    user used to run SSSD service or root.

And:

    The snippet files require the same owner and permissions as
    sssd.conf.

These requirements are not buried randomly in the man page; they are
at the very beginning (at the end of the *File Format* and
*Configuration Snippets From Include Directory* sections,
respectively).

> sssd.conf is not installed by default to /etc/sssd.

That is distribution-dependent.  On Red Hat Enterprise Linux, the
/etc/sssd/sssd.conf file is included in the package with
%ghost/%missingok directives, which means that the package manager
(rpm) knows about the file even though it isn’t present:

$ rpm -qlv $(rpm -qf /etc/sssd/sssd.conf) | grep /etc/sssd
drwxr-x---  2 root sssd  0 Jun  4 20:00 /etc/sssd
drwxr-x---  2 root sssd  0 Jun  4 20:00 /etc/sssd/conf.d
drwxr-x---  2 root sssd  0 Jun  4 20:00 /etc/sssd/pki
-rw-r-----  1 root sssd  0 Jun  4 20:00 /etc/sssd/sssd.conf

This means that the rpm package manager will tell you if any of the
owner/group/mode disagree with the packaging:

$ [ -f /etc/sssd/sssd.conf ] || echo not found
not found

$ rpm --verify sssd-common && echo no errors
no errors

$ install -o root -g root -m 0644 /dev/null /etc/sssd/sssd.conf
$ ls -lsa /etc/sssd/sssd.conf
0 -rw-r--r--. 1 root root 0 Sep  5 14:58 /etc/sssd/sssd.conf

$ rpm --verify sssd-common && echo no errors
.M....G..  c /etc/sssd/sssd.conf

$ chgrp sssd /etc/sssd/sssd.conf
$ rpm --verify sssd-common && echo no errors
.M.......  c /etc/sssd/sssd.conf

$ chmod 0640 /etc/sssd/sssd.conf
$ rpm --verify sssd-common && echo no errors
no errors

$ ls -lsa /etc/sssd/sssd.conf
0 -rw-r-----. 1 root sssd 0 Sep  5 14:53 /etc/sssd/sssd.conf

> There is an example configuration file located at
> /usr/share/doc/sssd-common/examples/sssd-example.conf, but it has
> permissions of 0644 and is owned by root:root.

That is the correct owner/group/mode for documentation files.  That
does not imply the actual configuration file should have the same
owner/group/mode.  Again, the man page tells you the exact
owner/group/mode requirements.

> When troubleshooting the error message "File ownership and
> permissions check failed" that was displayed when I debugged SSSD, I
> googled the error message, and there are two web pages that provide
> a resolution.  The first web page is
> https://access.redhat.com/solutions/6814561, but when I tried to log
> in with my Red Hat developer account, it said, "An active Red Hat
> subscription is required to participate."  The second web page is
> the link I provided in my last email. This must be a common problem
> that needs to be addressed.

If you believe the explanation in the man page could be worded more
helpfully, feel free to suggest an improved wording.  (In my
experience, the sssd authors are quite responsive, and will happily
accept documentation updates.)
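
Added example, not part of the original message: rpm --verify only checks files in the package's file list, so snippet files an administrator creates under conf.d are not covered by it. The functions below apply the same owner/group/mode comparison to sssd.conf and to each conf.d/*.conf file; the function names are hypothetical, the root:sssd 0640 defaults are taken from the RHEL listing above, and GNU stat is assumed.

```shell
# Added example: audit owner/group/mode of sssd.conf and its snippet files.
# Defaults mirror the RHEL packaging listed above (root:sssd, 0640); other
# distributions may package differently, so all three are parameters.

# check_conf_file PATH OWNER GROUP MODE -> 0 if PATH matches, 1 otherwise
check_conf_file() {
    local path="$1" want="$2:$3 ${4#0}" actual
    # sssd.conf(5) requires a regular file, so a symlink is rejected too.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: not a regular file"
        return 1
    fi
    # GNU stat: %U owner name, %G group name, %a octal mode without leading 0
    actual=$(stat -c '%U:%G %a' -- "$path") || return 1
    if [ "$actual" != "$want" ]; then
        echo "FAIL $path: is $actual, want $want"
        return 1
    fi
    echo "ok   $path"
}

# audit_sssd_dir DIR [OWNER GROUP MODE] -> 0 only if every file passes
audit_sssd_dir() {
    local dir="$1" owner="${2:-root}" group="${3:-sssd}" mode="${4:-0640}"
    local rc=0 f
    # An absent sssd.conf is not an error here (it is %missingok above).
    if [ -e "$dir/sssd.conf" ] || [ -L "$dir/sssd.conf" ]; then
        check_conf_file "$dir/sssd.conf" "$owner" "$group" "$mode" || rc=1
    else
        echo "note $dir/sssd.conf: not present"
    fi
    # Assumption: snippets are the non-hidden *.conf files in conf.d.
    for f in "$dir"/conf.d/*.conf; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        check_conf_file "$f" "$owner" "$group" "$mode" || rc=1
    done
    return $rc
}

# Usage (as root, after sourcing this file): audit_sssd_dir /etc/sssd
```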