From d3975febbea37381d681d47b10ddb735ba50338f Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin@scrye.com>
Date: Sun, 16 Feb 2025 14:35:32 -0800
Subject: [PATCH] ipa/client: sssd drop in needs to be same permission as
 sssd.conf also

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
---
 roles/ipa/client/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index 0f34197004..e300e282de 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@@ -74,7 +74,7 @@
   run_once: yes
 
 - name: Ensure that nss knows to skip certain users (f41/rhel)
-  ansible.builtin.template: src=fedora-nss-ignore.conf.j2 dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=600 owner=root group=sssd
+  ansible.builtin.template: src=fedora-nss-ignore.conf.j2 dest=/etc/sssd/conf.d/fedora-nss-ignore.conf mode=640 owner=root group=sssd
   tags:
   - ipa/client
   - config