[Bug 2065432] Re: Unable to authenticate with smartcard: gnome-shell throws on unhandled promise rejection
Vladimir Petko
2065432 at bugs.launchpad.net
Thu Sep 19 23:04:31 UTC 2024
Hi,
There was already a SRU upload for noble
---
gnome-shell (46.0-0ubuntu6~24.04.5) noble; urgency=medium
* Add shell-app-Warn-instead-of-crashing-if-disposed-before-sta.patch
to avoid crashing the shell if an app misbehaves coincidentally close
to a garbage collection run (LP: #2037055)
-- Daniel van Vugt <daniel.van.vugt at canonical.com> Fri, 13 Sep 2024 17:09:18 +0800
---
I apologise for imposing extra work, but would it be possible to rebase the patch on the latest upload?
Please resubscribe Sponsors once the patch is ready.
Best Regards,
Vladimir.
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2065432
Title:
Unable to authenticate with smartcard: gnome-shell throws on unhandled
promise rejection
Status in GNOME Shell:
Fix Released
Status in gnome-shell package in Ubuntu:
Fix Committed
Status in gnome-shell source package in Noble:
In Progress
Bug description:
[Impact]
* Starting from gnome-shell version 46.0, which is available in noble, logging in to the
Ubuntu system with smart card does not work.
* Only workaround is to downgrade gnome-shell to a version 45.0
* Login problem is caused by two separate issues, one caused by the bug in the upstream [1],
second is related to ubuntu specific code added as part of patch:
gdm-util-Figure-out-default-service-from-service-definiti.patch
* Upstream issue has been already fixed with [2], issue was caused by feature
which was checking conflicting sessions during login.
* To fix login problem, upstream patch needs to be backported as well as
ubuntu specific code fixed
[Test Plan]
* To reproduce an issue, smart card (with at least self signed
certificate) is required.
* The simplest steps to reproduce the problem:
1. Create user "test"
2. Configure sssd.conf:
root at rmalz:/etc/sssd# cat sssd.conf
[sssd]
services = pam
enable_files_domain = True
certificate_verification = no_verification
[certmap/implicit_files/test]
matchrule = <SUBJECT>.*
[pam]
pam_cert_auth = True
3. Enable smart card login:
pam-auth-update --disable sss-smart-card-required --enable sss-smart-card-optional
* With these settings, login "test" user. Two problems will occur.
First, gnome-shell will not prompt for a smart card PIN and will continue to ask for password.
This is caused by incorrect detection of default auth service, issue introduced with:
gdm-util-Figure-out-default-service-from-service-definiti.patch
Second, if first problem is fixed, login screen will freeze. This issue is caused by upstream
bug [1].
[Where problems could occur]
* Upstream patch is changing behavior of finding conflicting
sessions, possible risk of regression for non smart card cases
* There is additional patch [3], introduced as part of fix for [1]. It seems that this patch is fixing presentation issue
which is different from initial login problem and not part of this SRU.
* Patches for both [2] and gdm-util-Figure-out-default-service-from-service-definiti.patch have been tested locally, allowing
to login without issues.
[Other Info]
* Links:
[1] - https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7526
[2] - https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3448/diffs?commit_id=e5d9a0fec869adbe610c46114afaede04f8c89e2
[3] - https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/3448/diffs?commit_id=647747fbd6afef2f9f939682ab6527f3877ffbfb
* Original case description:
Upstream report: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7526
Opening as part of response to support ticket.
After boot, GDM does not prompt for smartcard authentication
correctly. It is possible to strike Esc and get GDM to prompt for a
username and a smartcard PIN from the initial locked-out state, but
this does not start a new desktop session and instead hangs. Striking
Esc allows for the login to be attempted again, but with the same
results.
Syslog entries include unhandled promise rejections from the
onSessionOpened event in loginDialog, and perhaps more importantly
also from the user verification stack that is used to create the
initial authentication options prompt (stack traces of the syslog
entries attached).
Affects GDM 46.0-2ubuntu1 in Noble.
To reproduce, configure smartcard auth for a network user on a new
Noble install and try to sign in.
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-shell/+bug/2065432/+subscriptions
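
Added example, not part of the bug report and not Ubuntu or SSSD code: the test plan's sssd.conf sets `certificate_verification = no_verification` and a `<SUBJECT>.*` match rule, which together let any certificate map to the "test" user. The Python below flags both settings so a reproduction setup is not carried over to a real machine; the function name `audit_sssd_conf` and the embedded sample text are constructed for this example.

```python
import configparser

# Constructed sample: the sssd.conf shown in the test plan above.
TEST_PLAN_CONF = """\
[sssd]
services = pam
enable_files_domain = True
certificate_verification = no_verification

[certmap/implicit_files/test]
matchrule = <SUBJECT>.*

[pam]
pam_cert_auth = True
"""

# Patterns that match every certificate subject.
MATCH_ALL = (".*", "^.*$")


def audit_sssd_conf(text):
    """Return (section, option, reason) tuples for test-only smart card settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        # certificate_verification holds a comma-separated list of options.
        raw = opts.get("certificate_verification", "")
        if "no_verification" in [v.strip() for v in raw.split(",")]:
            findings.append((section, "certificate_verification",
                             "certificate validation is disabled"))
        if section.startswith("certmap/"):
            rule = opts.get("matchrule", "").strip()
            # Drop the leading <COMPONENT> tag and inspect the pattern itself.
            if rule and rule.split(">", 1)[-1] in MATCH_ALL:
                findings.append((section, "matchrule",
                                 "rule matches every certificate"))
    return findings


if __name__ == "__main__":
    for section, option, reason in audit_sssd_conf(TEST_PLAN_CONF):
        print(f"[{section}] {option}: {reason}")
```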