Here's an annotated strace output of the dbus process when it fails.  In another terminal, I ran 'systemctl status ntp' which triggers the dbus query.  As Zahid mentioned above, this is with the permissions on /etc/ldap.conf set to 440, so the dbus-daemon user doesn't have permissions to read it.  But why does dbus-daemon _want_ to read it?  It's also checking /etc/passwd before this.



rphelps@d1lmdbsvrstg2:~$ sudo strace -p 942 -s 256
strace: Process 942 attached
epoll_wait(4, [{EPOLLIN, {u32=3, u64=386346997063352323}}], 64, -1) = 1

# Accept the incoming dbus call from systemctl
accept4(3, {sa_family=AF_LOCAL, NULL}, [2], SOCK_CLOEXEC) = 18

# Set it to a non-blocking socket, add it to the epoll() list, and call epoll() again
fcntl(18, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(18, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
getsockname(18, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, [34]) = 0
epoll_ctl(4, EPOLL_CTL_ADD, 18, {EPOLLET, {u32=18, u64=386346997063352338}}) = 0
epoll_ctl(4, EPOLL_CTL_MOD, 18, {EPOLLIN, {u32=18, u64=14407806993769168914}}) = 0
epoll_wait(4, [{EPOLLIN, {u32=18, u64=14407806993769168914}}], 64, 29999) = 1

# Read a message from systemctl
recvmsg(18, {msg_name(0)=NULL, msg_iov(1)=[{"\0", 1}], msg_controllen=0, msg_flags=0}, 0) = 1

# Get the pid, uid, and gid of the systemctl process, rphelps in this case
getsockopt(18, SOL_SOCKET, SO_PEERCRED, {pid=17258, uid=10247, gid=10004}, [12]) = 0

# Try and fail to get the peer socket security state, but that might be SELinux only?
getsockopt(18, SOL_SOCKET, SO_PEERSEC, 0x559bc7f68180, 0x7ffc93c3a2bc) = -1 ENOPROTOOPT (Protocol not available)

# Read the auth request from systemctl
read(18, "AUTH EXTERNAL 3130323437\r\nNEGOTIATE_UNIX_FD\r\nBEGIN\r\n", 2048) = 52

# Check the /etc/passwd for something
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 19
lseek(19, 0, SEEK_CUR)                  = 0
fstat(19, {st_mode=S_IFREG|0644, st_size=2014, ...}) = 0
mmap(NULL, 2014, PROT_READ, MAP_SHARED, 19, 0) = 0x7f5305a0d000
lseek(19, 2014, SEEK_SET)               = 2014
fstat(19, {st_mode=S_IFREG|0644, st_size=2014, ...}) = 0
munmap(0x7f5305a0d000, 2014)            = 0
close(19)                               = 0

# No idea
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7f530490a390}, {SIG_IGN, [], SA_RESTORER, 0x7f530490a390}, 8) = 0

# No idea why they're doing this; maybe to see if the caller is the same process?
geteuid()                               = 107

# Try, and fail, to open /etc/ldap.conf
open("/etc/ldap.conf", O_RDONLY)        = -1 EACCES (Permission denied)
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7f530490a390}, NULL, 8) = 0

# Do another epoll() round
epoll_ctl(4, EPOLL_CTL_MOD, 18, {EPOLLET, {u32=18, u64=4294967314}}) = 0
epoll_ctl(4, EPOLL_CTL_MOD, 18, {EPOLLOUT, {u32=18, u64=4294967314}}) = 0
epoll_wait(4, [{EPOLLOUT, {u32=18, u64=4294967314}}], 64, 29995) = 1

# Send the rejection message to systemctl
sendto(18, "REJECTED EXTERNAL DBUS_COOKIE_SHA1 ANONYMOUS\r\nERROR \"Need to authenticate first\"\r\n", 82, MSG_NOSIGNAL, NULL, 0) = 82

# Remove the connection to systemctl from the epoll() list, and close the socket
epoll_ctl(4, EPOLL_CTL_DEL, 18, 0x7ffc93c3a2e0) = 0
close(18)