diff --git a/docs/treefile.md b/docs/treefile.md
index 02cb7915b4..302eae1d4d 100644
--- a/docs/treefile.md
+++ b/docs/treefile.md
@@ -37,7 +37,6 @@ It supports the following parameters:
   no SELinux labeling will be performed on the server side.
 * `sysusers`: boolean, optional: Defaults to `false`.
-  Enable generation of systemd `sysusers.d` entries.
   If `true`, this turns off `altfiles` and disables the `passwd` / `group` files migration to `/usr/lib`.
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
index 100c29fe33..d35ce326da 100644
--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
@@ -614,6 +614,7 @@ fn complete_pwgrp(rootfs: &Dir) -> Result<()> {
 /// This is a pre-commit validation hook which ensures that the upcoming
 /// users/groups entries are somehow sane. See treefile `check-passwd` and
 /// `check-groups` fields for a description of available validation knobs.
+#[context("Validate users/groups refer to treefile check-passwd/check-groups configuration")]
 pub fn check_passwd_group_entries(
     ffi_repo: &crate::ffi::OstreeRepo,
     rootfs_dfd: i32,
@@ -630,8 +631,12 @@ pub fn check_passwd_group_entries(
     // Parse entries in the upcoming commit content.
     let mut new_entities = PasswdEntries::default();
-    new_entities.add_passwd_content(rootfs.as_raw_fd(), "usr/lib/passwd")?;
-    new_entities.add_group_content(rootfs.as_raw_fd(), "usr/lib/group")?;
+    new_entities.add_passwd_content(rootfs.as_raw_fd(), "usr/etc/passwd")?;
+    new_entities.add_group_content(rootfs.as_raw_fd(), "usr/etc/group")?;
+    if has_usrlib_passwd(&rootfs)? {
+        new_entities.add_passwd_content(rootfs.as_raw_fd(), "usr/lib/passwd")?;
+        new_entities.add_group_content(rootfs.as_raw_fd(), "usr/lib/group")?;
+    }
     // Fetch entries from treefile and previous commit, according to config.
     // These are used as ground-truth by the validation steps below.
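Review bot: The string in the added `#[context(...)]` line reads as a sentence fragment ("Validate users/groups refer to ... configuration") and will be awkward once it is prefixed to the underlying error in a chain. If the crate's other context strings use the "Doing X" form, `#[context("Validating users/groups against treefile check-passwd/check-groups configuration")]` fits that pattern and says what step failed. The signature and body of `check_passwd_group_entries` continue past the hunk.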
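Review bot: The new `if has_usrlib_passwd(&rootfs)?` guard gates both the `usr/lib/passwd` and the `usr/lib/group` read, so if that helper only probes the passwd file (its name suggests so; its body is not in this diff), a tree that ships `usr/lib/passwd` without `usr/lib/group` now fails inside `add_group_content` instead of being validated — either the helper should require both files or the group read needs its own guard, e.g. `if rootfs.exists("usr/lib/group") { ... }` with whatever existence check the file already uses. The same four lines are duplicated in `PasswdDB::populate_new` in the next hunk; if `PasswdEntries` and `PasswdDB` expose the same `add_passwd_content`/`add_group_content` signatures, a single helper that loads the `usr/etc` pair and then the optional `usr/lib` pair would keep the validation hook and the database loader reading the same set of files, which is the property this pre-commit check depends on. `check_passwd_group_entries` starts and ends outside the hunk.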
@@ -679,9 +684,11 @@ impl PasswdDB {
     pub(crate) fn populate_new(rootfs: &Dir) -> Result {
         let mut db = Self::default();
         db.add_passwd_content(rootfs.as_raw_fd(), "usr/etc/passwd")?;
-        db.add_passwd_content(rootfs.as_raw_fd(), "usr/lib/passwd")?;
         db.add_group_content(rootfs.as_raw_fd(), "usr/etc/group")?;
-        db.add_group_content(rootfs.as_raw_fd(), "usr/lib/group")?;
+        if has_usrlib_passwd(&rootfs)? {
+            db.add_passwd_content(rootfs.as_raw_fd(), "usr/lib/passwd")?;
+            db.add_group_content(rootfs.as_raw_fd(), "usr/lib/group")?;
+        }
         Ok(db)
     }
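Review bot: `rootfs` is already `&Dir` in `populate_new`'s signature, so `has_usrlib_passwd(&rootfs)?` passes a `&&Dir` that only works through auto-deref; clippy's `needless_borrow` will flag it, and `if has_usrlib_passwd(rootfs)? {` is the intended call. The conditional `usr/lib/group` read here shares the concern raised on the `check_passwd_group_entries` hunk above. The enclosing `impl PasswdDB` block ends outside the hunk.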