Pamac authorization

When using pamac-manager, it asks for authorization. The only password that works is the password for the account that was created at initial setup. I am currently using a network account which can use sudo on this machine. It seems that only the initial local account password works, not the account used to start pamac-manager. I do not see a separate pam module for pamac, so I assume it uses the standard su pam.d module.

Edit: I think this is the crux of the issue:

Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost= user=support
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): received for user support: 10 (User not known to the underlying authentication module)
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_unix(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost=  user=support

UID=558 is the user id of my user account which is starting pamac-manager. However, it is trying to match “user=support” (user id 1000) which is the initial account created at installation.

Have you tried with a UID above 1000? :man_shrugging:

Typically the first account is 1000, the second 1001 etc. 500-999 is meant for system accounts.

This network account predates the 1000 UID_MIN. I have modified login.defs to accept 500 as the MIN_UID/MIN_GID. login and sudo authentication both work without issue.

$ grep _MIN /etc/login.defs
(clipped)

UID_MIN                   500
SYS_UID_MIN               500
GID_MIN                   500
SYS_GID_MIN               500

However, I will try with a UID greater than 1000.
Maybe there is something in polkit which is causing this… I’ll look more into it too.

My attempt with account UID=1587 yields the same results:

Jun 23 10:46:57 manjaro polkit-agent-helper-1[14086]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1587 euid=0 tty= ruser=support rhost= user=support
Jun 23 10:46:57 manjaro polkit-agent-helper-1[14086]: pam_sss(polkit-1:auth): received for user support: 10 (User not known to the underlying authentication module)
Jun 23 10:46:57 manjaro polkit-agent-helper-1[14086]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1587 euid=0 tty= ruser=support rhost=  user=support

It is still trying to use the support (uid=1000) account.

$ sudo cat /etc/pam.d/polkit-1

#%PAM-1.0

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

$ sudo cat /etc/pam.d/system-auth

#%PAM-1.0

auth       sufficient                  pam_sss.so           forward_pass
auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

account    [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

password   sufficient                  pam_sss.so
-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_sss.so
session    optional                    pam_permit.so

$ sudo cat /etc/pam.d/sudo

#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth
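
The mismatch discussed in this thread (the `uid=` of the caller versus the `user=` account PAM was asked to authenticate) can be pulled out of the journal lines mechanically. This is an added example, not part of any post in the thread; the function names and the `uid_of` mapping are hypothetical, and the `support` = 1000 value is the one stated in the thread.

```python
import re

# PAM lines as polkit-agent-helper-1 logged them in the thread above.
SAMPLE = [
    "Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost= user=support",
    "Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): received for user support: 10 (User not known to the underlying authentication module)",
    "Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_unix(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost=  user=support",
]

# Only "authentication failure" lines carry the key=value identity fields.
LINE_RE = re.compile(
    r"polkit-agent-helper-1\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(polkit-1:auth\): authentication failure; (?P<fields>.*)$"
)


def parse_failure(line):
    """Return pid, module and the key=value fields of a failure line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Values may be empty ("tty= "), so allow zero non-space characters.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return {"pid": int(m.group("pid")), "module": m.group("module"), **fields}


def identity_mismatches(lines, uid_of):
    """List failures where the caller's uid differs from the uid of the
    account named in user=. uid_of maps account name -> uid and is supplied
    by the caller (assumption: built from something like `getent passwd`)."""
    found = []
    for line in lines:
        rec = parse_failure(line)
        if rec is None or rec.get("user") not in uid_of:
            continue
        caller, target = int(rec["uid"]), uid_of[rec["user"]]
        if caller != target:
            found.append((rec["module"], caller, rec["user"], target))
    return found


if __name__ == "__main__":
    for module, caller, user, target in identity_mismatches(SAMPLE, {"support": 1000}):
        print(f"{module}: caller uid={caller}, asked to authenticate {user} (uid={target})")
```
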