Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Created attachment 1100926 [details]
ipa-client-install.log

Description of problem:
While installing IPA client on test machine found that SSSD service always fails to restart. Found that 

# ls -lh /etc/sssd/sssd.conf
-rw-r--r--. 1 root root 483 Dec  1 19:12 /etc/sssd/sssd.conf

changing permissions from 644 to 600 fixes issue.

Version-Release number of selected component (if applicable):
sssd-1.13.0-39.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Try to enroll system into IPA environment using 'ipa-client-install'
2. 

Actual results:
ipa-client-install fails to restart sssd service 

Expected results:
ipa-client-install should be able to restart sssd service


Additional info:

ipa-client-install can restart service sssd after changing permission to 600 for file /etc/sssd/sssd.conf

Since ipa-client-install configures SSSD I think ipa-client-install should make sure that the permissions on the file are correct.

Moving to ipa.

It's not bug in sssd. It's expected behaviour.

The file /etc/sssd/sssd.conf should be readable only by root.
sh# ls -l /etc/sssd/sssd.conf
-rw-------. 1 root root 4334 Dec  1 13:29 /etc/sssd/sssd.conf

Did you have /etc/sssd/sssd.conf on you machine before enrolling to IPA server?
If the file did not exist then it might be an issue in ipa-client.

sssd set umast to 0o177 in method write (class SSSDConfig)
/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py
1468         old_umask = os.umask(0o177)
1469         of = open(outputfile, "wb")
1470         output = self.dump(self.opts).encode('utf-8')
1471         of.write(output)
1472         of.close()
1473         os.umask(old_umask)

Closing bz as CLOSED NOTABUG as due to mis-configuration file permissions got changed for /etc/sssd/sssd.conf.