Using the latest Gnome Stable branch, fresh install:
I have a user account that is a member of wheel. When using a normal account, I am able to use sudo and elevate on the GUI (polkit) as expected. However, after converting the account to a systemd-homed account, I can log in normally, but sudo and polkit authentication no longer work (authentication fails). I have been through the same process on KDE and Budgie installs and do not have this error; it seems to only be on Gnome.
Here is what the logs show when trying to sudo:
Mar 30 12:01:16 asus systemd-homework[11214]: Provided password unlocks user record.
Mar 30 12:01:17 asus systemd-homework[11214]: Discovered used LUKS device /dev/mapper/home-cmulk, and validated password.
Mar 30 12:01:18 asus systemd-homework[11214]: Successfully re-activated LUKS device.
Mar 30 12:01:18 asus systemd-homework[11214]: Provided password unlocks user record.
Mar 30 12:01:18 asus systemd-homework[11214]: Discovered used loopback device /dev/loop0.
Mar 30 12:01:18 asus systemd-homework[11214]: Read embedded .identity file.
Mar 30 12:01:18 asus systemd-homework[11214]: Provided password unlocks user record.
Mar 30 12:01:18 asus systemd-homework[11214]: Reconciling user identities completed (host and header version were identical).
Mar 30 12:01:18 asus systemd-homework[11214]: Reconciling embedded user identity completed (host and embedded version were identical).
Mar 30 12:01:18 asus systemd-homework[11214]: Everything completed.
Mar 30 12:01:18 asus systemd-homed[383]: cmulk: changing state authenticating-for-acquire → active
Mar 30 12:01:18 asus sudo[11149]: pam_systemd_home(sudo:auth): Home for user cmulk successfully acquired.
Mar 30 12:01:18 asus audit[11149]: USER_AUTH pid=11149 uid=1000 auid=1000 ses=14 msg='op=PAM:authentication grantors=? acct="cmulk" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
Mar 30 12:01:18 asus kernel: audit: type=1100 audit(1617123678.073:503): pid=11149 uid=1000 auid=1000 ses=14 msg='op=PAM:authentication grantors=? acct="cmulk" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
Mar 30 12:01:24 asus sudo[11149]: pam_unix(sudo:auth): conversation failed
Mar 30 12:01:24 asus sudo[11149]: pam_unix(sudo:auth): auth could not identify password for [cmulk]
Mar 30 12:01:24 asus sudo[11149]: pam_unix(sudo:auth): auth could not identify password for [cmulk]
Mar 30 12:01:24 asus audit[11149]: USER_AUTH pid=11149 uid=1000 auid=1000 ses=14 msg='op=PAM:authentication grantors=? acct="cmulk" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
After comparing to another install that I have (KDE), I found a difference in /etc/pam.d/sudo and /etc/pam.d/polkit-1:
In the Gnome install, it has:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
auth include system-auth
account include system-auth
session include system-auth
But in the KDE install it does not have the top 4 lines (it just starts with auth include system-auth). After commenting out the top 4 lines in /etc/pam.d/sudo and /etc/pam.d/polkit-1, everything worked normally and I was able to elevate both with sudo and polkit prompts.
So, I have solved the issue for myself at least, but does anyone know what the root cause is or why these top 4 config lines are in the Gnome install and not the KDE install?
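
An added example, not part of the original post: a simplified model of how Linux-PAM evaluates the two auth stacks quoted above, using only the documented "required", "sufficient" and "include" controls. It assumes that for the homed account pam_fprintd.so and pam_unix.so do not succeed while the included system-auth stack does (as the pam_systemd_home log line suggests), and it treats the include as a single step; GNOME_SUDO, KDE_SUDO, HOMED_USER, auth_stack and evaluate are this example's own names.

```python
# Added example: simplified model of Linux-PAM auth-stack evaluation.
GNOME_SUDO = """\
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
auth include system-auth
account include system-auth
session include system-auth
"""
KDE_SUDO = """\
auth include system-auth
account include system-auth
session include system-auth
"""

def auth_stack(text):
    """Return [(control, module)] for the auth lines of a PAM service file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module or included file name -> True (success) / False.
    Assumption: an included file is one step whose result counts like 'required'."""
    failed = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not failed:
                return True      # stack ends here with success
            # a failing 'sufficient' module is ignored
        elif control in ("required", "include"):
            if not ok:
                failed = True    # remembered; later modules still run
        else:
            raise ValueError(f"control {control!r} not modelled")
    return not failed

# Constructed scenario (assumption): no fingerprint, pam_unix does not accept the
# homed user, the included system-auth stack (pam_systemd_home) does.
HOMED_USER = {"pam_env.so": True, "pam_fprintd.so": False, "pam_unix.so": False,
              "pam_deny.so": False, "system-auth": True}

if __name__ == "__main__":
    for name, text in (("Gnome", GNOME_SUDO), ("KDE", KDE_SUDO)):
        print(name, "->", evaluate(auth_stack(text), HOMED_USER))
```

Under these assumptions the Gnome file denies the homed user because the failure of the required pam_deny.so is remembered even though system-auth later succeeds, which matches the log showing the home acquired and then res=failed; the KDE file grants.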