2448131 – systemd-tmpfiles fails to resolve 'tss' user at boot; systemd-sysusers.service skipped (Fedora 44)

Bug 2448131 - systemd-tmpfiles fails to resolve 'tss' user at boot; systemd-sysusers.service skipped (Fedora 44)

Summary: systemd-tmpfiles fails to resolve 'tss' user at boot; systemd-sysusers.servic...

Keywords:
Status:	CLOSED DUPLICATE of bug 2442617
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	tpm2-tss
Sub Component:
Version:	44
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Peter Robinson
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	2444029
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-16 17:56 UTC by xoghinos
Modified:	2026-04-16 14:31 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2026-04-16 14:31:14 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description xoghinos 2026-03-16 17:56:56 UTC

During boot on Fedora 44 KDE Plasma Desktop Edition prerelease, systemd-tmpfiles fails to resolve the 'tss' user and group referenced in the tpm2-tss FAPI tmpfiles configuration.

Journal shows the following errors during boot:

systemd-tmpfiles: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf: Failed to resolve user 'tss'
systemd-tmpfiles: Failed to resolve group 'tss'
systemd-tmpfiles: Failed to parse ACL "default:group:tss:rwx"

Additionally, the journal shows:

systemd-sysusers.service - Create System Users skipped, no trigger condition checks were met.

However the package provides the sysusers configuration file:

/usr/lib/sysusers.d/tpm2-tss.conf

After the system has booted, the user exists:

getent passwd tss

and manual execution of:

sudo systemd-tmpfiles --create /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf

completes successfully.

This suggests that systemd-sysusers is not being triggered early enough to create the 'tss' user before systemd-tmpfiles processes the tpm2-tss-fapi tmpfiles configuration.

Reproducible: Always

Steps to Reproduce:
1. Install Fedora 44 KDE Plasma Desktop Edition prerelease.
2. Ensure package tpm2-tss-fapi is installed.
3. Reboot the system.
4. Inspect the journal with:

   journalctl -b | grep -E "tss|tmpfiles|sysusers"
Actual Results:
systemd-tmpfiles: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:2: Failed to resolve user 'tss': Unknown user
systemd-tmpfiles: /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf:6: Failed to resolve group 'tss': Unknown group
systemd-tmpfiles: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
systemd-udevd: /usr/lib/udev/rules.d/60-tpm-udev.rules:3 Failed to resolve user 'tss', ignoring: Unknown user
systemd-udevd: /usr/lib/udev/rules.d/60-tpm-udev.rules:4 Failed to resolve group 'tss', ignoring: Unknown group
systemd-sysusers.service - Create System Users skipped, no trigger condition checks were met.

Expected Results:
The tss user and group should be fully initialized and resolvable by the system database (via systemd-sysusers or equivalent) before systemd-tmpfiles and systemd-udevd attempt to process the configuration files provided by the tpm2-tss package.

Specifically, the boot sequence should ensure that systemd-sysusers.service completes successfully before services that depend on those users are triggered, preventing "Unknown user" errors and ensuring TPM device permissions are correctly applied on the first attempt.

Additional Information:
System information:

Fedora Linux 44 (KDE Plasma Desktop Edition Prerelease)
Architecture: x86_64

Relevant package version:
tpm2-tss-fapi-4.1.3-9.fc44.x86_64

Relevant configuration files present on the system:

/usr/lib/sysusers.d/tpm2-tss.conf
/usr/lib/tmpfiles.d/tpm2-tss-fapi.conf
/usr/lib/udev/rules.d/60-tpm-udev.rules

After boot, the user exists:

getent passwd tss
tss:x:59:59:Account used for TPM access:/:/usr/sbin/nologin

Device permissions appear correct after boot:

ls -l /dev/tpmrm0
crw-rw---- 1 root tss ...

Manual execution of the tmpfiles configuration succeeds:

sudo systemd-tmpfiles --create /usr/lib/tmpfiles.d/tpm2-tss-fapi.conf

Comment 1 xoghinos 2026-03-17 09:49:00 UTC

Additional observation:

systemd-sysusers.service does not appear to run during boot.

Output of:

systemd-analyze blame | grep -E "sysusers|tmpfiles"

shows only tmpfiles-related services:

148ms systemd-tmpfiles-setup.service
139ms systemd-tmpfiles-setup-dev-early.service
97ms systemd-tmpfiles-clean.service
49ms systemd-tmpfiles-setup-dev.service

systemd-sysusers.service is not listed.

This is consistent with the journal message:
"systemd-sysusers.service - Create System Users skipped, no trigger condition checks were met."

This suggests that systemd-sysusers may not be triggered at all during boot.

Comment 2 Joe Walker 2026-03-24 06:29:45 UTC

Based on https://github.com/systemd/systemd/issues/21665 it does not look like sysusers should be working like this and the user should be added using something like https://github.com/dracut-ng/dracut-ng/pull/2139/files

Also observed https://discussion.fedoraproject.org/t/errors-regarding-user-group-tss-after-upgrade/183917

Comment 3 Joe Walker 2026-03-24 10:19:40 UTC

So after being a little more awake, it looks like this is fixed in dracut 110.

Comment 4 Sandro Bonazzola 2026-04-15 07:13:04 UTC

(In reply to Joe Walker from comment #3)
> So after being a little more awake, it looks like this is fixed in dracut
> 110.

Adding #2444029 as dependency

Comment 5 Lukas Slebodnik 2026-04-16 14:31:14 UTC


*** This bug has been marked as a duplicate of bug 2442617 ***

Note You need to log in before you can comment on or make changes to this bug.