diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index 0f34197004..e300e282de 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@@ -74,7 +74,7 @@
   run_once: yes
 
 - name: Ensure that nss knows to skip certain users (f41/rhel)
-  ansible.builtin.template: src=fedora-nss-ignore.conf.j2 dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=600 owner=root group=sssd
+  ansible.builtin.template: src=fedora-nss-ignore.conf.j2 dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=640 owner=root group=sssd
   tags:
   - ipa/client
   - config