Comment 6 for bug 2054716

After the upgrade, I manually run the systemd-sysusers command and see this.

root@j:~# SYSTEMD_LOG_LEVEL=debug systemd-sysusers polkit.conf
Failed to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Unable to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Failed to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Unable to connect to /run/systemd/userdb/io.systemd.DynamicUser: Connection refused
Failed to check if group polkitd already exists: Connection refused

So, the getgrnam() call in systemd-sysusers results in libnss-systemd attempting to make a varlink call to pid1 to check if the group exists as a dynamic group, but the varlink connection setup fails. This appears to go away after a reboot, but not a `systemctl daemon re-exec`.

I have yet to figure out the root cause on the systemd side. However, as a workaround, we could set SYSTEMD_NSS_BYPASS_DYNAMIC=1 when calling systemd-sysusers in polkitd.postinst. This should be safe because the polkitd package is creating a real user/group for polkitd, so a successful check from io.systemd.DynamicUser is irrelevant.

I have prepared a patch with this proposed workaround, but will continue to look into this from the systemd side.