When systemd >=249 is installed and
shadow: files systemd
And when PAM code is run by process with non-root user, authentication will fail. See https://bugs.gentoo.org/803050 for more details.
On Fri, Jul 23, 2021 at 01:17:00PM -0700, Mike Gilbert wrote:
Commit f220cace205332a3dc34e7b37a85e7627e097e7d changed pam_unix so that it only executes unix_chkpwd if getspnam sets errno to EACCES.
This relies on libnss_files setting errno to EACCES when /etc/shadow cannot be opened.
If libnss_files is not the last NSS module listed for the shadow database, subsequent NSS modules (like libnss_systemd) may overwrite errno with some other value (like 0).
nss modules are not permitted to do that because such behaviour would violate the getspnam(3) contract. Please file a bug report to the incompatible nss module.