What's happening is that utmps-utmpd only checks the value of the
*primary* gid of the client. It does not check supplementary groups.
I agree that it's counter-intuitive, and will see I can fix that.
Unfortunately, no, that's not fixable. The credentials-passing
mechanism used by s6-ipcserverd (the superserver for utmps-utmpd) only
transmits the primary gid, not the supplementary groups; and I'm not
aware of another reasonably portable credentials-passing mechanism,
let alone that transmits supplementary groups - except the suid
mechanism, which, no.
So you're going to have to keep setting your *primary* group to utmp
if you want to modify the utmp database as a regular user. Sorry.