#1 2025-04-14 13:34:37

ch0wn
Member
Registered: 2025-04-14
Posts: 1

Can't use sudo/elevate privileges as homectl user

I've googled around and searched this forum but couldn't find anything that matched my particular problem.

I have a LUKS2-encrypted homectl user called "pascal". Nothing special, just a vanilla "homectl create pascal --storage=luks -Gwheel" setup.

   User name: pascal
       State: active
 Disposition: regular
 Last Change: Sat 2025-02-01 17:02:26 GMT
 Last Passw.: Fri 2024-05-03 11:17:10 BST
    Login OK: yes
 Password OK: yes
         UID: 60285
         GID: 60285 (pascal)
 Aux. Groups: wheel
              admin
              wheel
   Directory: /home/pascal
   Blob Dir.: /var/cache/systemd/home/pascal
     Storage: luks (strong encryption)
  Image Path: /home/pascal.home
   Removable: no
       Shell: /bin/bash
 Access Mode: 0700
LUKS Discard: online=no offline=yes
   LUKS UUID: b7b8fde0-9862-4a9f-8a8b-a4754ff093d2
   Part UUID: 65c06585-f4ce-4c95-a41c-b43f90748592
     FS UUID: 34d745ef-01ee-413d-926c-06d0a30a0b55
 File System: btrfs
 LUKS Cipher: aes
 Cipher Mode: xts-plain64
  Volume Key: 256bit
 Mount Flags: nosuid nodev exec
   Disk Size: 48.6G
  Disk Usage: 34.5G (= 71.2%)
   Disk Free: 14G (= 28.8%)
  Disk Floor: 34.5G
Disk Ceiling: 55.2G
  Good Auth.: 26
   Last Good: Mon 2025-04-14 14:22:24 BST
   Bad Auth.: 16
    Last Bad: Mon 2025-04-14 14:20:39 BST
    Next Try: anytime
 Auth. Limit: 30 attempts per 1min
   Rebalance: off
   Passwords: 1
  Local Sig.: yes
     Service: io.systemd.Home
 Self Modify: realName
              emailAddress
              iconName
              location
              shell
              umask
              environment
              timeZone
              preferredLanguage
              additionalLanguages
              preferredSessionLauncher
              preferredSessionType
              pkcs11TokenUri
              fido2HmacCredential
              recoveryKeyType
              lastChangeUSec
              lastPasswordChangeUSec
      (Blobs) avatar
              login-background
 (Privileged) passwordHint
              hashedPassword
              pkcs11EncryptedKey
              fido2HmacSalt
              recoveryKey
              sshAuthorizedKeys

I can log in using GDM, I can use good old su, but both sudo and polkit requests (for instance when using the graphical Pamac app) fail to get me admin privileges.

In journalctl, I can see this message when trying to use sudo:

Apr 14 14:30:09 nuc13rngi7 unix_chkpwd[5130]: check pass; user unknown
Apr 14 14:30:09 nuc13rngi7 kernel: audit: type=1400 audit(1744637409.916:180): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/etc/machine-id" pid=5130 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 14 14:30:12 nuc13rngi7 unix_chkpwd[5131]: check pass; user unknown
Apr 14 14:30:12 nuc13rngi7 unix_chkpwd[5131]: password check failed for user (pascal)
Apr 14 14:30:12 nuc13rngi7 sudo[5129]: pam_unix(sudo:auth): authentication failure; logname=pascal uid=60285 euid=0 tty=/dev/pts/3 ruser=pascal rhost=  user=pascal
Apr 14 14:30:12 nuc13rngi7 kernel: audit: type=1400 audit(1744637412.700:181): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/etc/machine-id" pid=5131 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 14 14:30:12 nuc13rngi7 systemd-homed[1006]: pascal: changing state active → authenticating-for-acquire
Apr 14 14:30:12 nuc13rngi7 systemd-homework[5132]: Provided password unlocks user record.
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Discovered used LUKS device /dev/mapper/home-pascal, and validated password.
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Successfully re-activated LUKS device.
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Provided password unlocks user record.
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Discovered used loopback device /dev/loop0.
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Read embedded .identity file.
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Provided password unlocks user record.
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Reconciling user identities completed (host and header version were identical).
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Reconciling embedded user identity completed (host and embedded version were identical).
Apr 14 14:30:13 nuc13rngi7 systemd-homework[5132]: Everything completed.
Apr 14 14:30:13 nuc13rngi7 systemd-homed[1006]: pascal: changing state authenticating-for-acquire → active
Apr 14 14:30:13 nuc13rngi7 sudo[5129]: pam_systemd_home(sudo:auth): Home for user pascal successfully acquired.
Apr 14 14:30:15 nuc13rngi7 unix_chkpwd[5134]: check pass; user unknown
Apr 14 14:30:15 nuc13rngi7 kernel: audit: type=1400 audit(1744637415.666:182): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/etc/machine-id" pid=5134 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

sudo itself only says "Sorry, try again."

Any idea what could be going wrong here?
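
A triage aid for the journal excerpt above, added here as an example and not part of the original post: it groups the unix_chkpwd messages and AppArmor denials by helper PID and lists what each PAM module reported for the sudo attempt. The function names are hypothetical, and the grouping shows which events belong together, not which one caused the failure.

```python
import re
from collections import defaultdict

# Journal lines copied unmodified from the post above (a subset of the entries).
SAMPLE = """\
Apr 14 14:30:09 nuc13rngi7 unix_chkpwd[5130]: check pass; user unknown
Apr 14 14:30:09 nuc13rngi7 kernel: audit: type=1400 audit(1744637409.916:180): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/etc/machine-id" pid=5130 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 14 14:30:12 nuc13rngi7 unix_chkpwd[5131]: check pass; user unknown
Apr 14 14:30:12 nuc13rngi7 unix_chkpwd[5131]: password check failed for user (pascal)
Apr 14 14:30:12 nuc13rngi7 sudo[5129]: pam_unix(sudo:auth): authentication failure; logname=pascal uid=60285 euid=0 tty=/dev/pts/3 ruser=pascal rhost=  user=pascal
Apr 14 14:30:12 nuc13rngi7 kernel: audit: type=1400 audit(1744637412.700:181): apparmor="DENIED" operation="open" class="file" profile="unix-chkpwd" name="/etc/machine-id" pid=5131 comm="unix_chkpwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 14 14:30:13 nuc13rngi7 sudo[5129]: pam_systemd_home(sudo:auth): Home for user pascal successfully acquired.
"""

# Short journal format: "<Mon DD HH:MM:SS> <host> <ident>[<pid>]: <msg>"; kernel lines carry no PID.
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<ident>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(msg):
    """Return the key=value fields of an AppArmor audit message as a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(msg)}

def correlate(text):
    """Group unix_chkpwd messages and AppArmor denials by helper PID; list sudo's PAM results."""
    by_pid = defaultdict(lambda: {"messages": [], "denials": []})
    pam = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ident, pid, msg = m["ident"], m["pid"], m["msg"]
        if ident == "kernel" and 'apparmor="DENIED"' in msg:
            f = parse_audit(msg)  # the audit record names the denied process via pid=
            by_pid[f["pid"]]["denials"].append((f["profile"], f["name"], f["requested_mask"]))
        elif ident == "unix_chkpwd":
            by_pid[pid]["messages"].append(msg)
        elif ident == "sudo":
            mod = re.match(r"(pam_\w+)\((\S+?)\): (.*)", msg)
            if mod:
                pam.append((mod[1], mod[2], mod[3]))  # (module, service:phase, result text)
    return dict(by_pid), pam

if __name__ == "__main__":
    helpers, pam_results = correlate(SAMPLE)
    for pid, events in helpers.items():
        print(pid, events)
    for module, phase, result in pam_results:
        print(module, phase, result)
```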
