Looks like there's some issue with fakeroot as pseudousers
created with useradd during package installation have their
/etc/tcb/*/shadow files with proper permissions ($user:auth)
but shadow- and shadow.lock belong to root:root which makes
passwd(1) fail.