** Description changed:
+ [ Impact ]
+
+ In Ubuntu 24.04 and newer, connecting to a new password-protected Wi-Fi
+ network from the log-in screen is not possible because the user never
+ gets prompted for the password; instead, the connection silently fails.
+
+ The log-in screen of Ubuntu Desktop is implemented by running GNOME Shell in
the "greeter" mode.
+ When requesting to connect to a new wifi network, gnome-shell tries to
communicate with the org.freedesktop.secrets service to check whether the
password for this network is already known, but that fails when running in
"greeter" mode because gnome-keyring is registered on one dbus address while
gnome-shell only has access to a dedicated/isolated dbus bus. When this fails,
gnome-shell aborts the connection attempt.
+
+ Because the log-in session runs under a special user "gdm", it will not
+ have any secrets stored as if it were a regular user, so it is pointless
+ to query the org.freedesktop.secrets service. Thus to fix the issue, we
+ implemented a patch that avoids querying org.freedesktop.secrets when
+ running in "greeter" mode altogether and instead always prompt the user
+ to provide a password.
+
+ This solution was accepted by GNOME upstream.
+
+ [ Test Plan ]
+
+ 0. Have a password-protected Wi-Fi network available for testing.
+ 1. Set up an Ubuntu Desktop system on a machine with a Wi-Fi card.
+ 1.1 If already connected to the Wi-Fi network, navigate to Settings to
"Forget Connection..."
+ 2. Reach the log-in screen.
+ 3. Click the status bar to access the quick settings.
+ 4. Click on the ">" arrow to expand the list of Wi-Fi networks.
+ 5. Select the Wi-Fi network you want to use for testing.
+ 6. Verify that you get prompted for the network password.
+ 7. Insert the network password.
+ 8. Verify that the connection succeeded.
+
+ [ Regression Test Plan 1 ]
+
+ Perform the same steps as above from a logged-in user session, rather
+ than from the log-in screen.
+
+ [ Regression Test Plan 2 ]
+
+ Verify that you can connect to an already registered Wi-Fi network from
+ the log-in screen.
+
+ [ Where things could go wrong ]
+
+ The patch modifies the Network Applet in GNOME Shell, a critical component of
Ubuntu Desktop.
+ A grave misbehaviour could manifest with the user being unable to log-in, or
being suddently logged-out of a desktop session in case of a crash.
+ A smaller misbehaviour could affect the network applet functionality only.
The two regression plans will verify that this is not the case.
+
+
+ [ Original description ]
+
Steps to reproduce
1. Create LXD VM desktop-noble
lxc init --vm ubuntu:24.04 desktop-noble
2. Passthrough wifi device, in my case Intel Wifi via PCI works fine, some
USB devices can have problem with initialization
lxc config device add desktop-noble wifipci pci address=<pci_address>
where pci_address is address of your device seen via lspci command, i.e.
00:14.3 Network controller: Intel Corporation Raptor Lake-S PCH CNVi WiFi
(rev 11)
3. lxc start desktop-noble
2. lxc exec desktop-noble bash
3. Install ubuntu-desktop metapackage
apt update
apt install -y ubuntu-desktop
4. Set passwd for ubuntu user
$ passwd ubuntu
5. Disable systemd-networkd-wait-online.service (otherwise it will wait for
timeout)
- systemctl disable --now systemd-networkd-wait-online.service
+ systemctl disable --now systemd-networkd-wait-online.service
6. Connect to the vga console
lxc console --type=vga desktop-noble
Wait for login screen to load
Click on the top-right corner and pick the wifi network you would like to
connect
Expected result
The window will popup to pick the choose the password
The actual result
Nothing happens, yet you will see in the logs:
Feb 11 17:10:35 desktop-noble gnome-shell[1353]: Cursor update failed:
drmModeAtomicCommit: Invalid argument
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Successfully made thread
1376 of process 1353 owned by '124' high priority at nice level 0.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 8 threads of 5
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 7 threads of 4
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 7 threads of 4
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Successfully made thread
1376 of process 1353 owned by '124' RT at priority 20.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 8 threads of 5
processes of 1 users.
Feb 11 17:10:35 desktop-noble /usr/libexec/gdm-wayland-session[3686]:
discover_other_daemon: 1
Feb 11 17:10:35 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Failed to activate service
'org.freedesktop.secrets': timed out (service_start_timeout=120000ms)
Feb 11 17:10:37 desktop-noble kernel: Lockdown: systemd-logind: hibernation
is restricted; see man kernel_lockdown.7
Feb 11 17:10:42 desktop-noble NetworkManager[3727]:
/etc/netplan/50-cloud-init.yaml: Error in network definition: wlp6s0f0: No
access points defined
Feb 11 17:10:42 desktop-noble systemd[1]: Reloading requested from client PID
3729 ('systemctl') (unit NetworkManager.service)...
Feb 11 17:10:42 desktop-noble systemd[1]: Reloading...
Feb 11 17:10:43 desktop-noble systemd[1]: Reloading finished in 112 ms.
Feb 11 17:10:43 desktop-noble systemd[1]: Starting apt-daily.service - Daily
apt download activities...
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0590]
device (wlp6s0f0): Activation: starting connection 'coppernik-guest'
(3c1ce33e-2c09-413b-8713-3d8dbe7e1a28)
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0591]
audit: op="connection-add-activate" uuid="3c1ce33e-2c09-413b-8713-3d8dbe7e1a28"
name="coppernik-guest" pid=1353 uid=124 result="success"
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0592]
device (wlp6s0f0): state change: disconnected -> prepare (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0593]
device (wlp6s0f0): state change: prepare -> config (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0594]
device (wlp6s0f0): Activation: (wifi) access point 'coppernik-guest' has
security, but secrets are required.
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0594]
device (wlp6s0f0): state change: config -> need-auth (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Activating service
name='org.freedesktop.secrets' requested by ':1.3' (uid=124 pid=1353
comm="/usr/bin/gnome-shell" label="unconfined")
Feb 11 17:10:43 desktop-noble gnome-keyring-daemon[1929]: The Secret Service
was already initialized
Feb 11 17:10:43 desktop-noble gnome-keyring-daemon[3832]:
discover_other_daemon: 1
Feb 11 17:10:43 desktop-noble /usr/libexec/gdm-wayland-session[3832]:
GNOME_KEYRING_CONTROL=/run/user/124/keyring
Feb 11 17:10:43 desktop-noble gnome-keyring-d[1929]: The Secret Service was
already initialized
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0662]
device (wlp6s0f0): no secrets: No agents were available for this request.
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <info> [1739293868.0662]
device (wlp6s0f0): state change: need-auth -> failed (reason 'no-secrets',
sys-iface-state: 'managed')
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0666]
device (wlp6s0f0): Activation: failed for connection 'coppernik-guest'
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <info> [1739293868.0667]
device (wlp6s0f0): state change: failed -> disconnected (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:11:13 desktop-noble systemd-networkd-wait-online[3830]: Timeout
occurred while waiting for network connectivity.
Important part of the log:
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0662]
device (wlp6s0f0): no secrets: No agents were available for this request.
then 1m35s later:
Feb 11 17:12:43 desktop-noble /usr/libexec/gdm-wayland-session[3832]:
discover_other_daemon: 1
Feb 11 17:12:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Failed to activate service
'org.freedesktop.secrets': timed out (service_start_timeout=120000ms)
Use-case from the customer
When the user receives the notebook, he needs to connect to his local network
via WiFi. He has to do it at login screen, as his credentials are not stored in
sssd cache yet. At this
point no window is shown to enter the WiFi password. The window would only be
shown _after_ user login (that is not possible due to missing credentials). For
this reason we
need the possibility to enter the WiFi password at login screen. This has
worked at Ubuntu 22 but not on Ubuntu 24 anymore.
I tried to test that in Jammy but I encountered issue
https://bugs.launchpad.net/ubuntu/+source/spice-vdagent/+bug/2098014
I fought the issue might be due to the missing polkit rules
but this seems not to be the case
On other test machine with existing connection I needed to add this rule
so gdm can configure the connection. I need to remove --no-debug flag
from polkit to see when it fails
systemctl edit polkit
# That will be put in /etc/systemd/system/polkit.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/lib/polkit-1/polkitd
Then run
systemctl daemon-reload
# Create the following rule
root@machine:~# cat /etc/polkit-1/rules.d/99-allwifi.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system"
&&
subject.user == "gdm") {
return polkit.Result.YES;
}
});
systemctl daemon-reload
systemctl restart polkit
Otherwise I was not able to change the connection
Feb 11 17:41:54 earl polkitd[8018]: Error performing authentication:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Cancelled: Authentication dialog
was dismissed by the user (polkit-error-quark 1)
Feb 11 17:41:54 earl polkitd[8018]: 17:41:54.934: Operator of unix-session:c1
FAILED to authenticate to gain authorization for action
org.freedesktop.NetworkManager.settings.modify.system for unix-process:2412:921
[/usr/bin/gnome-shell] (owned by unix-user:gdm)
Feb 11 17:41:54 earl polkitd[8018]: Operator of unix-session:c1 FAILED to
authenticate to gain authorization for action
org.freedesktop.NetworkManager.settings.modify.system for unix-process:2412:921
[/usr/bin/gnome-shell] (owned by unix-user:gdm)
Some relevant links:
How to set polkitd-1 rules since 23.10
https://askubuntu.com/questions/1291512/authentication-required-system-policy-prevents-wifi-scans-in-focalfossa
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: gdm3 46.2-1ubuntu1~24.04.1
ProcVersionSignature: Ubuntu 6.8.0-52.53-generic 6.8.12
Uname: Linux 6.8.0-52-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: lxd
CloudName: lxd
CloudPlatform: lxd
CloudSerial: 20250115
CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
Date: Tue Feb 11 15:20:39 2025
ProcEnviron:
LANG=C.UTF-8
PATH=(custom, no user)
TERM=xterm-256color
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
** Description changed:
[ Impact ]
In Ubuntu 24.04 and newer, connecting to a new password-protected Wi-Fi
network from the log-in screen is not possible because the user never
gets prompted for the password; instead, the connection silently fails.
The log-in screen of Ubuntu Desktop is implemented by running GNOME Shell in
the "greeter" mode.
When requesting to connect to a new wifi network, gnome-shell tries to
communicate with the org.freedesktop.secrets service to check whether the
password for this network is already known, but that fails when running in
"greeter" mode because gnome-keyring is registered on one dbus address while
gnome-shell only has access to a dedicated/isolated dbus bus. When this fails,
gnome-shell aborts the connection attempt.
Because the log-in session runs under a special user "gdm", it will not
have any secrets stored as if it were a regular user, so it is pointless
to query the org.freedesktop.secrets service. Thus to fix the issue, we
implemented a patch that avoids querying org.freedesktop.secrets when
running in "greeter" mode altogether and instead always prompt the user
to provide a password.
- This solution was accepted by GNOME upstream.
+ This solution was accepted by GNOME upstream:
+ https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3646
[ Test Plan ]
0. Have a password-protected Wi-Fi network available for testing.
1. Set up an Ubuntu Desktop system on a machine with a Wi-Fi card.
1.1 If already connected to the Wi-Fi network, navigate to Settings to
"Forget Connection..."
2. Reach the log-in screen.
3. Click the status bar to access the quick settings.
4. Click on the ">" arrow to expand the list of Wi-Fi networks.
5. Select the Wi-Fi network you want to use for testing.
6. Verify that you get prompted for the network password.
7. Insert the network password.
8. Verify that the connection succeeded.
[ Regression Test Plan 1 ]
Perform the same steps as above from a logged-in user session, rather
than from the log-in screen.
[ Regression Test Plan 2 ]
Verify that you can connect to an already registered Wi-Fi network from
the log-in screen.
[ Where things could go wrong ]
The patch modifies the Network Applet in GNOME Shell, a critical component of
Ubuntu Desktop.
A grave misbehaviour could manifest with the user being unable to log-in, or
being suddently logged-out of a desktop session in case of a crash.
A smaller misbehaviour could affect the network applet functionality only.
The two regression plans will verify that this is not the case.
-
[ Original description ]
Steps to reproduce
1. Create LXD VM desktop-noble
lxc init --vm ubuntu:24.04 desktop-noble
2. Passthrough wifi device, in my case Intel Wifi via PCI works fine, some
USB devices can have problem with initialization
lxc config device add desktop-noble wifipci pci address=<pci_address>
where pci_address is address of your device seen via lspci command, i.e.
00:14.3 Network controller: Intel Corporation Raptor Lake-S PCH CNVi WiFi
(rev 11)
3. lxc start desktop-noble
2. lxc exec desktop-noble bash
3. Install ubuntu-desktop metapackage
apt update
apt install -y ubuntu-desktop
4. Set passwd for ubuntu user
$ passwd ubuntu
5. Disable systemd-networkd-wait-online.service (otherwise it will wait for
timeout)
systemctl disable --now systemd-networkd-wait-online.service
6. Connect to the vga console
lxc console --type=vga desktop-noble
Wait for login screen to load
Click on the top-right corner and pick the wifi network you would like to
connect
Expected result
The window will popup to pick the choose the password
The actual result
Nothing happens, yet you will see in the logs:
Feb 11 17:10:35 desktop-noble gnome-shell[1353]: Cursor update failed:
drmModeAtomicCommit: Invalid argument
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Successfully made thread
1376 of process 1353 owned by '124' high priority at nice level 0.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 8 threads of 5
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 7 threads of 4
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 7 threads of 4
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Successfully made thread
1376 of process 1353 owned by '124' RT at priority 20.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 8 threads of 5
processes of 1 users.
Feb 11 17:10:35 desktop-noble /usr/libexec/gdm-wayland-session[3686]:
discover_other_daemon: 1
Feb 11 17:10:35 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Failed to activate service
'org.freedesktop.secrets': timed out (service_start_timeout=120000ms)
Feb 11 17:10:37 desktop-noble kernel: Lockdown: systemd-logind: hibernation
is restricted; see man kernel_lockdown.7
Feb 11 17:10:42 desktop-noble NetworkManager[3727]:
/etc/netplan/50-cloud-init.yaml: Error in network definition: wlp6s0f0: No
access points defined
Feb 11 17:10:42 desktop-noble systemd[1]: Reloading requested from client PID
3729 ('systemctl') (unit NetworkManager.service)...
Feb 11 17:10:42 desktop-noble systemd[1]: Reloading...
Feb 11 17:10:43 desktop-noble systemd[1]: Reloading finished in 112 ms.
Feb 11 17:10:43 desktop-noble systemd[1]: Starting apt-daily.service - Daily
apt download activities...
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0590]
device (wlp6s0f0): Activation: starting connection 'coppernik-guest'
(3c1ce33e-2c09-413b-8713-3d8dbe7e1a28)
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0591]
audit: op="connection-add-activate" uuid="3c1ce33e-2c09-413b-8713-3d8dbe7e1a28"
name="coppernik-guest" pid=1353 uid=124 result="success"
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0592]
device (wlp6s0f0): state change: disconnected -> prepare (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0593]
device (wlp6s0f0): state change: prepare -> config (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0594]
device (wlp6s0f0): Activation: (wifi) access point 'coppernik-guest' has
security, but secrets are required.
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0594]
device (wlp6s0f0): state change: config -> need-auth (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Activating service
name='org.freedesktop.secrets' requested by ':1.3' (uid=124 pid=1353
comm="/usr/bin/gnome-shell" label="unconfined")
Feb 11 17:10:43 desktop-noble gnome-keyring-daemon[1929]: The Secret Service
was already initialized
Feb 11 17:10:43 desktop-noble gnome-keyring-daemon[3832]:
discover_other_daemon: 1
Feb 11 17:10:43 desktop-noble /usr/libexec/gdm-wayland-session[3832]:
GNOME_KEYRING_CONTROL=/run/user/124/keyring
Feb 11 17:10:43 desktop-noble gnome-keyring-d[1929]: The Secret Service was
already initialized
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0662]
device (wlp6s0f0): no secrets: No agents were available for this request.
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <info> [1739293868.0662]
device (wlp6s0f0): state change: need-auth -> failed (reason 'no-secrets',
sys-iface-state: 'managed')
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0666]
device (wlp6s0f0): Activation: failed for connection 'coppernik-guest'
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <info> [1739293868.0667]
device (wlp6s0f0): state change: failed -> disconnected (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:11:13 desktop-noble systemd-networkd-wait-online[3830]: Timeout
occurred while waiting for network connectivity.
Important part of the log:
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0662]
device (wlp6s0f0): no secrets: No agents were available for this request.
then 1m35s later:
Feb 11 17:12:43 desktop-noble /usr/libexec/gdm-wayland-session[3832]:
discover_other_daemon: 1
Feb 11 17:12:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Failed to activate service
'org.freedesktop.secrets': timed out (service_start_timeout=120000ms)
Use-case from the customer
When the user receives the notebook, he needs to connect to his local network
via WiFi. He has to do it at login screen, as his credentials are not stored in
sssd cache yet. At this
point no window is shown to enter the WiFi password. The window would only be
shown _after_ user login (that is not possible due to missing credentials). For
this reason we
need the possibility to enter the WiFi password at login screen. This has
worked at Ubuntu 22 but not on Ubuntu 24 anymore.
I tried to test that in Jammy but I encountered issue
https://bugs.launchpad.net/ubuntu/+source/spice-vdagent/+bug/2098014
I fought the issue might be due to the missing polkit rules
but this seems not to be the case
On other test machine with existing connection I needed to add this rule
so gdm can configure the connection. I need to remove --no-debug flag
from polkit to see when it fails
systemctl edit polkit
# That will be put in /etc/systemd/system/polkit.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/lib/polkit-1/polkitd
Then run
systemctl daemon-reload
# Create the following rule
root@machine:~# cat /etc/polkit-1/rules.d/99-allwifi.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system"
&&
subject.user == "gdm") {
return polkit.Result.YES;
}
});
systemctl daemon-reload
systemctl restart polkit
Otherwise I was not able to change the connection
Feb 11 17:41:54 earl polkitd[8018]: Error performing authentication:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Cancelled: Authentication dialog
was dismissed by the user (polkit-error-quark 1)
Feb 11 17:41:54 earl polkitd[8018]: 17:41:54.934: Operator of unix-session:c1
FAILED to authenticate to gain authorization for action
org.freedesktop.NetworkManager.settings.modify.system for unix-process:2412:921
[/usr/bin/gnome-shell] (owned by unix-user:gdm)
Feb 11 17:41:54 earl polkitd[8018]: Operator of unix-session:c1 FAILED to
authenticate to gain authorization for action
org.freedesktop.NetworkManager.settings.modify.system for unix-process:2412:921
[/usr/bin/gnome-shell] (owned by unix-user:gdm)
Some relevant links:
How to set polkitd-1 rules since 23.10
https://askubuntu.com/questions/1291512/authentication-required-system-policy-prevents-wifi-scans-in-focalfossa
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: gdm3 46.2-1ubuntu1~24.04.1
ProcVersionSignature: Ubuntu 6.8.0-52.53-generic 6.8.12
Uname: Linux 6.8.0-52-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: lxd
CloudName: lxd
CloudPlatform: lxd
CloudSerial: 20250115
CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
Date: Tue Feb 11 15:20:39 2025
ProcEnviron:
LANG=C.UTF-8
PATH=(custom, no user)
TERM=xterm-256color
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/2098016
Title:
Ubuntu 24.04 WiFi from gdm3 login screen: cannot select new network
Status in gdm3 package in Ubuntu:
Fix Committed
Status in gnome-shell package in Ubuntu:
Fix Committed
Status in gdm3 source package in Noble:
Opinion
Status in gnome-shell source package in Noble:
In Progress
Status in gdm3 source package in Oracular:
Opinion
Status in gnome-shell source package in Oracular:
In Progress
Bug description:
[ Impact ]
In Ubuntu 24.04 and newer, connecting to a new password-protected
Wi-Fi network from the log-in screen is not possible because the user
never gets prompted for the password; instead, the connection silently
fails.
The log-in screen of Ubuntu Desktop is implemented by running GNOME Shell in
the "greeter" mode.
When requesting to connect to a new wifi network, gnome-shell tries to
communicate with the org.freedesktop.secrets service to check whether the
password for this network is already known, but that fails when running in
"greeter" mode because gnome-keyring is registered on one dbus address while
gnome-shell only has access to a dedicated/isolated dbus bus. When this fails,
gnome-shell aborts the connection attempt.
Because the log-in session runs under a special user "gdm", it will
not have any secrets stored as if it were a regular user, so it is
pointless to query the org.freedesktop.secrets service. Thus, to fix
the issue, we implemented a patch that avoids querying
org.freedesktop.secrets altogether when running in "greeter" mode and
instead always prompts the user to provide a password.
This solution was accepted by GNOME upstream:
https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3646
[ Test Plan ]
0. Have a password-protected Wi-Fi network available for testing.
1. Set up an Ubuntu Desktop system on a machine with a Wi-Fi card.
1.1 If this system is already connected to the Wi-Fi network you will be
using for testing, navigate to Settings to "Forget Connection..."
2. Reach the log-in screen.
3. Click the status bar on the top-right corner to access the quick settings.
4. Click on the ">" arrow to expand the list of Wi-Fi networks.
5. Select the Wi-Fi network you want to use for testing.
6. Verify that you get prompted for the network password.
7. Insert the network password.
8. Verify that the connection succeeded.
NOTE: In order for the Wi-Fi network to still be usable after log-in, you
will need to allow the "gdm" user to modify the system-wide network settings
with a polkit rule like so:
https://gitlab.gnome.org/GNOME/gdm/-/raw/288df842e8b76efa53a115835933f3901d064122/data/polkit-gdm.rules.in
We are going to start allowing this by default in plucky, but that is outside
the scope of this SRU.
[ Regression Test Plan 1 ]
Perform the same steps as above from a logged-in user session, rather
than from the log-in screen.
[ Regression Test Plan 2 ]
Verify that you can connect to an already registered Wi-Fi network
from the log-in screen.
[ Where things could go wrong ]
The patch modifies the Network Applet in GNOME Shell, a critical component of
Ubuntu Desktop.
A grave misbehaviour could manifest with the user being unable to log in, or
being suddenly logged out of a desktop session in case of a crash.
A smaller misbehaviour could affect the network applet functionality only.
The two regression plans will verify that this is not the case.
[ Original description ]
Steps to reproduce
1. Create LXD VM desktop-noble
lxc init --vm ubuntu:24.04 desktop-noble
2. Passthrough wifi device, in my case Intel Wifi via PCI works fine, some
USB devices can have problem with initialization
lxc config device add desktop-noble wifipci pci address=<pci_address>
where pci_address is address of your device seen via lspci command, i.e.
00:14.3 Network controller: Intel Corporation Raptor Lake-S PCH CNVi WiFi
(rev 11)
3. lxc start desktop-noble
4. lxc exec desktop-noble bash
5. Install ubuntu-desktop metapackage
apt update
apt install -y ubuntu-desktop
6. Set passwd for ubuntu user
$ passwd ubuntu
7. Disable systemd-networkd-wait-online.service (otherwise it will wait for
timeout)
systemctl disable --now systemd-networkd-wait-online.service
8. Connect to the vga console
lxc console --type=vga desktop-noble
Wait for login screen to load
Click on the top-right corner and pick the wifi network you would like to
connect
Expected result
The window will pop up to choose the password
The actual result
Nothing happens, yet you will see in the logs:
Feb 11 17:10:35 desktop-noble gnome-shell[1353]: Cursor update failed:
drmModeAtomicCommit: Invalid argument
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Successfully made thread
1376 of process 1353 owned by '124' high priority at nice level 0.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 8 threads of 5
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 7 threads of 4
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 7 threads of 4
processes of 1 users.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Successfully made thread
1376 of process 1353 owned by '124' RT at priority 20.
Feb 11 17:10:35 desktop-noble rtkit-daemon[1312]: Supervising 8 threads of 5
processes of 1 users.
Feb 11 17:10:35 desktop-noble /usr/libexec/gdm-wayland-session[3686]:
discover_other_daemon: 1
Feb 11 17:10:35 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Failed to activate service
'org.freedesktop.secrets': timed out (service_start_timeout=120000ms)
Feb 11 17:10:37 desktop-noble kernel: Lockdown: systemd-logind: hibernation
is restricted; see man kernel_lockdown.7
Feb 11 17:10:42 desktop-noble NetworkManager[3727]:
/etc/netplan/50-cloud-init.yaml: Error in network definition: wlp6s0f0: No
access points defined
Feb 11 17:10:42 desktop-noble systemd[1]: Reloading requested from client PID
3729 ('systemctl') (unit NetworkManager.service)...
Feb 11 17:10:42 desktop-noble systemd[1]: Reloading...
Feb 11 17:10:43 desktop-noble systemd[1]: Reloading finished in 112 ms.
Feb 11 17:10:43 desktop-noble systemd[1]: Starting apt-daily.service - Daily
apt download activities...
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0590]
device (wlp6s0f0): Activation: starting connection 'coppernik-guest'
(3c1ce33e-2c09-413b-8713-3d8dbe7e1a28)
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0591]
audit: op="connection-add-activate" uuid="3c1ce33e-2c09-413b-8713-3d8dbe7e1a28"
name="coppernik-guest" pid=1353 uid=124 result="success"
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0592]
device (wlp6s0f0): state change: disconnected -> prepare (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0593]
device (wlp6s0f0): state change: prepare -> config (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0594]
device (wlp6s0f0): Activation: (wifi) access point 'coppernik-guest' has
security, but secrets are required.
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0594]
device (wlp6s0f0): state change: config -> need-auth (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Activating service
name='org.freedesktop.secrets' requested by ':1.3' (uid=124 pid=1353
comm="/usr/bin/gnome-shell" label="unconfined")
Feb 11 17:10:43 desktop-noble gnome-keyring-daemon[1929]: The Secret Service
was already initialized
Feb 11 17:10:43 desktop-noble gnome-keyring-daemon[3832]:
discover_other_daemon: 1
Feb 11 17:10:43 desktop-noble /usr/libexec/gdm-wayland-session[3832]:
GNOME_KEYRING_CONTROL=/run/user/124/keyring
Feb 11 17:10:43 desktop-noble gnome-keyring-d[1929]: The Secret Service was
already initialized
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0662]
device (wlp6s0f0): no secrets: No agents were available for this request.
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <info> [1739293868.0662]
device (wlp6s0f0): state change: need-auth -> failed (reason 'no-secrets',
sys-iface-state: 'managed')
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0666]
device (wlp6s0f0): Activation: failed for connection 'coppernik-guest'
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <info> [1739293868.0667]
device (wlp6s0f0): state change: failed -> disconnected (reason 'none',
sys-iface-state: 'managed')
Feb 11 17:11:13 desktop-noble systemd-networkd-wait-online[3830]: Timeout
occurred while waiting for network connectivity.
Important part of the log:
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0662]
device (wlp6s0f0): no secrets: No agents were available for this request.
then 1m35s later:
Feb 11 17:12:43 desktop-noble /usr/libexec/gdm-wayland-session[3832]:
discover_other_daemon: 1
Feb 11 17:12:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]:
dbus-daemon[1305]: [session uid=124 pid=1305] Failed to activate service
'org.freedesktop.secrets': timed out (service_start_timeout=120000ms)
Use-case from the customer
When the user receives the notebook, he needs to connect to his local network
via WiFi. He has to do it at login screen, as his credentials are not stored in
sssd cache yet. At this point no window is shown to enter the WiFi password.
The window would only be shown _after_ user login (that is not possible due to
missing credentials). For this reason we need the possibility to enter the WiFi
password at login screen. This has worked at Ubuntu 22 but not on Ubuntu 24
anymore.
I tried to test that in Jammy but I encountered issue
https://bugs.launchpad.net/ubuntu/+source/spice-vdagent/+bug/2098014
I thought the issue might be due to the missing polkit rules
but this seems not to be the case
On other test machine with existing connection I needed to add this
rule so gdm can configure the connection. I need to remove --no-debug
flag from polkit to see when it fails
systemctl edit polkit
# That will be put in /etc/systemd/system/polkit.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/lib/polkit-1/polkitd
Then run
systemctl daemon-reload
# Create the following rule
root@machine:~# cat /etc/polkit-1/rules.d/99-allwifi.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.user == "gdm") {
        return polkit.Result.YES;
    }
});
systemctl daemon-reload
systemctl restart polkit
Otherwise I was not able to change the connection
Feb 11 17:41:54 earl polkitd[8018]: Error performing authentication:
GDBus.Error:org.freedesktop.PolicyKit1.Error.Cancelled: Authentication dialog
was dismissed by the user (polkit-error-quark 1)
Feb 11 17:41:54 earl polkitd[8018]: 17:41:54.934: Operator of unix-session:c1
FAILED to authenticate to gain authorization for action
org.freedesktop.NetworkManager.settings.modify.system for unix-process:2412:921
[/usr/bin/gnome-shell] (owned by unix-user:gdm)
Feb 11 17:41:54 earl polkitd[8018]: Operator of unix-session:c1 FAILED to
authenticate to gain authorization for action
org.freedesktop.NetworkManager.settings.modify.system for unix-process:2412:921
[/usr/bin/gnome-shell] (owned by unix-user:gdm)
Some relevant links:
How to set polkitd-1 rules since 23.10
https://askubuntu.com/questions/1291512/authentication-required-system-policy-prevents-wifi-scans-in-focalfossa
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: gdm3 46.2-1ubuntu1~24.04.1
ProcVersionSignature: Ubuntu 6.8.0-52.53-generic 6.8.12
Uname: Linux 6.8.0-52-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudBuildName: server
CloudID: lxd
CloudName: lxd
CloudPlatform: lxd
CloudSerial: 20250115
CloudSubPlatform: LXD socket API v. 1.0 (/dev/lxd/sock)
Date: Tue Feb 11 15:20:39 2025
ProcEnviron:
LANG=C.UTF-8
PATH=(custom, no user)
TERM=xterm-256color
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
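
An added triage example, not part of the original bug report or of any Ubuntu/GNOME tooling: it scans journal lines for the failure signature described above, where NetworkManager gives up with 'no-secrets' after a process asked its session bus for org.freedesktop.secrets and that activation timed out. The sample lines are the report's own messages re-joined onto single lines; the names triage and Finding are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: messages from the report's log excerpt, re-joined onto one line each.
SAMPLE_LOG = """\
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0591] audit: op="connection-add-activate" uuid="3c1ce33e-2c09-413b-8713-3d8dbe7e1a28" name="coppernik-guest" pid=1353 uid=124 result="success"
Feb 11 17:10:43 desktop-noble NetworkManager[1966]: <info> [1739293843.0594] device (wlp6s0f0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
Feb 11 17:10:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]: dbus-daemon[1305]: [session uid=124 pid=1305] Activating service name='org.freedesktop.secrets' requested by ':1.3' (uid=124 pid=1353 comm="/usr/bin/gnome-shell" label="unconfined")
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <warn> [1739293868.0662] device (wlp6s0f0): no secrets: No agents were available for this request.
Feb 11 17:11:08 desktop-noble NetworkManager[1966]: <info> [1739293868.0662] device (wlp6s0f0): state change: need-auth -> failed (reason 'no-secrets', sys-iface-state: 'managed')
Feb 11 17:12:43 desktop-noble /usr/libexec/gdm-wayland-session[1305]: dbus-daemon[1305]: [session uid=124 pid=1305] Failed to activate service 'org.freedesktop.secrets': timed out (service_start_timeout=120000ms)
"""

# NetworkManager audit record written when a client adds and activates a connection.
AUDIT = re.compile(
    r'''audit: op="connection-add-activate" uuid="[^"]+" '''
    r'''name="(?P<name>[^"]+)" pid=(?P<pid>\d+) uid=(?P<uid>\d+)''')
# Device gave up because nobody supplied the Wi-Fi secret.
NO_SECRETS = re.compile(
    r'''device \((?P<dev>[^)]+)\): state change: need-auth -> failed '''
    r'''\(reason 'no-secrets\'''')
# Session bus was asked to start the Secret Service on behalf of a client.
ACTIVATING = re.compile(
    r'''\[session uid=\d+ pid=\d+\] Activating service '''
    r'''name='org\.freedesktop\.secrets' requested by '[^']+' '''
    r'''\(uid=\d+ pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"''')
# Session bus gave up starting the Secret Service.
TIMEOUT = re.compile(
    r'''\[session uid=(?P<uid>\d+) pid=\d+\] Failed to activate service '''
    r''''org\.freedesktop\.secrets': timed out''')


@dataclass
class Finding:
    device: str
    connection: Optional[str]      # name from the audit record, if one was seen
    uid: Optional[str]             # uid that requested the connection
    requester: Optional[str]       # comm of the process that asked for secrets
    activation_timed_out: bool = False

    def verdict(self) -> str:
        # Both halves of the signature present: the requesting process looked
        # for stored secrets on a bus where the Secret Service never came up.
        if self.requester and self.activation_timed_out:
            return "secret-service-unreachable-from-requester"
        return "no-secret-agent"


def triage(log_text: str) -> list:
    last_add = None         # most recent connection-add-activate record
    lookups = {}            # pid -> comm that triggered Secret Service activation
    timed_out_uids = set()  # session-bus owners whose activation timed out
    findings = []
    for line in log_text.splitlines():
        if m := AUDIT.search(line):
            last_add = m.groupdict()
        elif m := ACTIVATING.search(line):
            lookups[m["pid"]] = m["comm"]
        elif m := TIMEOUT.search(line):
            timed_out_uids.add(m["uid"])
        elif m := NO_SECRETS.search(line):
            # Heuristic: the audit record does not name the device, so the
            # failure is attributed to the most recent add-activate request.
            add = last_add or {}
            findings.append(Finding(
                device=m["dev"],
                connection=add.get("name"),
                uid=add.get("uid"),
                requester=lookups.get(add.get("pid")),
            ))
    # The timeout is logged after the device has already failed (120 s service
    # start timeout), so correlate it only once the whole log has been read.
    for f in findings:
        f.activation_timed_out = f.uid in timed_out_uids
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.device, f.connection, f"uid={f.uid}", f.requester, f.verdict())
```

On a live system the input would come from the journal with each entry on one line; the email-wrapped excerpt above has to be re-joined first.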