When using pamac-manager, it asks for authorization. The only password that works is the password for the account that was created at initial setup. I am currently using a network account which can use sudo on this machine. It seems that only the initial local account password works, not the account used to start pamac-manager. I do not see a separate pam module for pamac, so I assume it uses the standard su pam.d module.
Edit: I think this is the crux of the issue:
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost= user=support
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): received for user support: 10 (User not known to the underlying authentication module)
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_unix(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost= user=support
UID=558 is the user id of my user account which is starting pamac-manager. However, it is trying to match “user=support” (user id 1000) which is the initial account created at installation.
Have you tried with a UID above 1000?
Typically the first account is 1000, the second 1001 etc. 500-999 is meant for system accounts.
This network account predates the 1000 UID_MIN. I have modified login.defs to accept 500 as the MIN_UID/MIN_GID. login and sudo authentication both work without issue.
$ grep _MIN /etc/login.defs
(clipped)
UID_MIN 500
SYS_UID_MIN 500
GID_MIN 500
SYS_GID_MIN 500
However, I will try with a UID greater than 1000.
Maybe there is something in polkit which is causing this… I’ll look more into it too.
My attempt with account UID=1587 yields the same results:
Jun 23 10:46:57 manjaro polkit-agent-helper-1[14086]: pam_sss(polkit-1:auth): authentication failure; logname= uid=1587 euid=0 tty= ruser=support rhost= user=support
Jun 23 10:46:57 manjaro polkit-agent-helper-1[14086]: pam_sss(polkit-1:auth): received for user support: 10 (User not known to the underlying authentication module)
Jun 23 10:46:57 manjaro polkit-agent-helper-1[14086]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1587 euid=0 tty= ruser=support rhost= user=support
It is still trying to use the support (uid=1000) account.
$ sudo cat /etc/pam.d/polkit-1
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
$ sudo cat /etc/pam.d/system-auth
#%PAM-1.0
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=2 default=ignore] pam_unix.so try_first_pass nullok
-auth [success=1 default=ignore] pam_systemd_home.so
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password sufficient pam_sss.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow sha512
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_sss.so
session optional pam_permit.so
$ sudo cat /etc/pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
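The comparison made in the first post (the calling `uid=` against the PAM `user=` field), as an added example that is not part of the thread: a small Python parser run over the three journal lines quoted there. The function name `summarize` and the `name_to_uid` argument are assumptions of this example; the mapping support = 1000 is the value stated in the post, and on a live system it would come from the passwd database.

```python
import re
from collections import defaultdict

# The three journal lines quoted in the first post of the thread.
SAMPLE = """\
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost= user=support
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_sss(polkit-1:auth): received for user support: 10 (User not known to the underlying authentication module)
Jun 23 09:29:14 manjaro polkit-agent-helper-1[1377]: pam_unix(polkit-1:auth): authentication failure; logname= uid=558 euid=0 tty= ruser=support rhost= user=support
"""

LINE = re.compile(r"polkit-agent-helper-1\[(?P<pid>\d+)\]: "
                  r"(?P<module>pam_\w+)\((?P<service>[^:)]+):auth\): (?P<msg>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")        # key=value pairs; the value may be empty
SSS_RC = re.compile(r"received for user \S+: (\d+) \(")

def summarize(journal_text, name_to_uid):
    """Group PAM auth failures per polkit helper PID and compare caller to target."""
    attempts = defaultdict(lambda: {"modules": [], "sss_code": None})
    for line in journal_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        a = attempts[int(m["pid"])]
        if "authentication failure" in m["msg"]:
            f = dict(FIELD.findall(m["msg"]))
            # uid= is the process that asked for authorization,
            # user= is the account PAM was asked to authenticate.
            a["caller_uid"], a["target"] = int(f["uid"]), f["user"]
            a["modules"].append(m["module"])
        elif (rc := SSS_RC.search(m["msg"])):
            a["sss_code"] = int(rc[1])    # 10 is PAM_USER_UNKNOWN in Linux-PAM
    report = []
    for pid, a in sorted(attempts.items()):
        if "target" not in a:             # only a return-code line was seen
            continue
        target_uid = name_to_uid.get(a["target"])
        report.append({"pid": pid, **a, "target_uid": target_uid,
                       "mismatch": target_uid != a["caller_uid"]})
    return report

if __name__ == "__main__":
    for entry in summarize(SAMPLE, {"support": 1000}):
        print(entry)
```
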