nixos/containers: pam_lastlog2 breaks machinectl shell   inside nspawn containers

### Nixpkgs version

- Unstable (26.05)

### Describe the bug

After updating to nixpkgs unstable, machinectl shell into declarative NixOS containers (containers.<name>) connects and immediately disconnects without executing any commands. GUI applications launched via machinectl shell also silently fail.

Root cause: shadow.nix unconditionally sets security.pam.services.login.updateWtmp = true, which adds pam_lastlog2.so (util-linux 2.41) as a required module in the login PAM service. machinectl shell uses the login PAM service inside the container (via PAMName = "login" in the transient container-shell@.service unit). pam_lastlog2 fails silently inside nspawn containers, causing the PAM session to fail and the shell to exit immediately.

### Steps to reproduce

1. Create a declarative NixOS container with a non-root user
2. Build and switch configuration
3. Start the container: machinectl start <name>
4. Attempt to shell in: machinectl shell <user>@<name>
5. Observe: "Connected to machine... Connection terminated." with no shell or command execution

### Expected behaviour

machinectl shell should open an interactive shell or execute the specified command inside the container.

### Screenshots

_No response_

### Relevant log output

```console

```

### Additional context

Workaround:

Inside the container config: security.pam.services.login.updateWtmp = lib.mkForce false;

Suggested fix:

Either:
  - shadow.nix should use mkDefault for updateWtmp so containers can override without mkForce
  - nixos-containers.nix should set security.pam.services.login.updateWtmp = false for declarative containers

### System metadata

- system: "x86_64-linux"
- host os: Linux 6.18.18, NixOS, 26.05 (Yarara), 26.05.20260316.f8573b9
- multi-user?: yes
- sandbox: yes
- version: nix-env (Nix) 2.31.3
- nixpkgs: /nix/store/dgmmhy3y4chhi8w2vj87h7shfxv2adqn-source

### Notify maintainers



---

**Note for maintainers:** Please tag this issue in your pull request description. (i.e. `Resolves #ISSUE`.)


### I assert that this issue is relevant for Nixpkgs

- [x] I assert that this is a bug and not a support request.
- [x] I assert that this is not a [duplicate of an existing issue](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+label%3A%220.kind%3A+bug%22+label%3A%226.topic%3A+nixos%22). 
- [x] I assert that I have read the [NixOS Code of Conduct](https://github.com/NixOS/.github/blob/master/CODE_OF_CONDUCT.md) and agree to abide by it.

### Is this issue important to you?

Add a :+1: [reaction] to [issues you find important].

[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

nixos/containers: pam_lastlog2 breaks machinectl shell inside nspawn containers #501050

Nixpkgs version

Describe the bug

Steps to reproduce

Expected behaviour

Screenshots

Relevant log output

Additional context

System metadata

Notify maintainers

I assert that this issue is relevant for Nixpkgs

Is this issue important to you?

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

nixos/containers: pam_lastlog2 breaks machinectl shell inside nspawn containers #501050

Description

Nixpkgs version

Describe the bug

Steps to reproduce

Expected behaviour

Screenshots

Relevant log output

Additional context

System metadata

Notify maintainers

I assert that this issue is relevant for Nixpkgs

Is this issue important to you?

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions