Constant Authentication Required dialogues
https://askubuntu.com/questions/1560223/constant-authentication-required-dialogues
I get these Authentication Required dialogues all the time, at startup for enabling the Wifi, for any other Wifi action (even Wifi scanning), also for automatic suspending the system, and for many other things.
Specifically, it says:
Window title: Authentication Required - PolicyKit1 KDE Agent
Title: System policy prevents control of network connections
An application is attempting to perform an action that requires privileges. Authentication is required to perform this action.
Action: Allow control of network connections
ID: org.freedesktop.NetworkManager.network-control
Vendor: NetworkManager

I'm on Ubuntu 24.04 with KDE. This isn't too unusual, or is it?
Is this normal? Do others also see this in KDE? Is this related to KDE?
This system has been through several Ubuntu upgrades over the years. I think I started maybe with Ubuntu 16 (not sure...). Some left-over older configs might be the cause? Or some not-correctly-updated configs?
Note: I don't want to edit some files and do some custom edits. For many of the suggestions that one can find when searching for this problem, it is often suggested to write some custom polkit rule which would avoid the authentication. But I assume with the default Ubuntu configuration, I should not see this (right?). So, I don't want to write custom configs. I just want to get back the original Ubuntu configurations where I would not see this.
I already investigated quite a bit:
/etc/network/interfaces does not exist. There is nothing left over there from an older Ubuntu.
loginctl show-session $XDG_SESSION_ID -p Active gives Active=yes.
/etc/NetworkManager/NetworkManager.conf is correct.
I have policykit-desktop-privileges installed.
I have kubuntu-settings-desktop installed.
journalctl -b --no-pager | grep polkitd showed:
Nov 27 10:32:41 ... polkitd[2584]: Identity 'unix-group:admin' is not valid, ignoring: No UNIX group with name admin: Success
There was no admin user. But this comes from a rule which is also present in the latest polkit package. I also tried to create such an admin group, but this does not really change anything.
My user account is (and always was) part of the sudo and netdev groups.
/etc/polkit-1/ just contains some empty directories, no files.
/usr/share/polkit-1/ has some relevant files. E.g. /usr/share/polkit-1/rules.d/49-ubuntu-admin.rules:
polkit.addAdminRule(function(action, subject) {
return ["unix-group:sudo", "unix-group:admin"];
});
/usr/share/polkit-1/rules.d/50-default.rules:
polkit.addAdminRule(function(action, subject) {
return ["unix-group:sudo"];
});
/usr/share/polkit-1/rules.d/org.freedesktop.NetworkManager.rules:
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
subject.local && subject.active &&
(subject.isInGroup ("sudo") || subject.isInGroup ("netdev"))) {
return polkit.Result.YES;
}
});
/usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy:
...
<action id="org.freedesktop.NetworkManager.network-control">
...
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
...
/var/lib/polkit-1 maybe has some relevant files. E.g. /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla. I also installed polkitd-pkla now.
I searched for *.dpkg-dist or *.dpkg-new files but there are basically none.
I did sudo apt install --reinstall -o Dpkg::Options::="--force-confmiss" -o Dpkg::Options::="--force-confnew" network-manager
I was also testing with pkcheck.
I was now testing for some other unrelated action ID which should work without password (right?):
$ pkcheck --action-id org.freedesktop.login1.power-off --process $fish_pid --allow-user-interaction
polkit\56retains_authorization_after_challenge=true
Not authorized.
I was wondering how much the process ID matters here? So I was checking my process tree (ps --forest -u $(whoami) -o pid,comm,args):
PID COMMAND COMMAND
34507 smbd[192.168.0. smbd: client [192.168.0.177]
3330 startplasma-x11 /usr/bin/startplasma-x11
3395 \_ ssh-agent \_ /usr/bin/ssh-agent /usr/bin/im-launch /usr/bin/startplasma-x11
3424 ibus-x11 /usr/libexec/ibus-x11 --kill-daemon
3412 ibus-daemon /usr/bin/ibus-daemon --daemonize --xim
3417 \_ ibus-memcon \_ /usr/libexec/ibus-memconf
3418 \_ ibus-ui-gtk \_ /usr/libexec/ibus-ui-gtk3
3419 \_ ibus-extens \_ /usr/libexec/ibus-extension-gtk3
3452 \_ ibus-engine \_ /usr/libexec/ibus-engine-simple
3075 systemd /usr/lib/systemd/systemd --user
3086 \_ (sd-pam) \_ (sd-pam)
3135 \_ pipewire \_ /usr/bin/pipewire
3136 \_ pipewire \_ /usr/bin/pipewire -c filter-chain.conf
3139 \_ wireplumber \_ /usr/bin/wireplumber
3140 \_ pipewire-pu \_ /usr/bin/pipewire-pulse
3144 \_ dbus-daemon \_ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
3208 \_ gvfsd \_ /usr/libexec/gvfsd
3270 \_ at-spi-bus- \_ /usr/libexec/at-spi-bus-launcher
3279 | \_ dbus-da | \_ /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-add
3294 \_ at-spi2-reg \_ /usr/libexec/at-spi2-registryd --use-gnome-session
3427 \_ ibus-portal \_ /usr/libexec/ibus-portal
3441 \_ xdg-desktop \_ /usr/libexec/xdg-desktop-portal
3450 \_ xdg-documen \_ /usr/libexec/xdg-document-portal
3457 \_ xdg-permiss \_ /usr/libexec/xdg-permission-store
3474 \_ xdg-desktop \_ /usr/libexec/xdg-desktop-portal-gtk
3492 \_ xdg-desktop \_ /usr/lib/x86_64-linux-gnu/libexec/xdg-desktop-portal-kde
3513 \_ gcr-ssh-age \_ /usr/libexec/gcr-ssh-agent --base-dir /run/user/1000/gcr
3514 \_ gnome-keyri \_ /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/
3552 \_ ksmserver \_ /usr/bin/ksmserver
4280 | \_ zotero | \_ /bin/bash /usr/lib/zotero/zotero --sm-client-id 1016718dcae8000168634830500000033120016
4283 | | \_ zot | | \_ /usr/lib/zotero/zotero-bin -app /usr/lib/zotero/app/application.ini --sm-client-id 1016718dcae8000
4538 | | Soc | | \_ /usr/lib/zotero/zotero-bin -contentproc -parentBuildID 20240801134912 -prefsLen 21171 -prefMap
4292 | \_ konsole | \_ /usr/bin/konsole -session 1016718dcae8000162807638200000022750012_1764251546_625764
4664 | \_ fis | \_ fish
4671 | \_ fis | \_ fish
71157 | | ps | | \_ ps --forest -u az -o pid,comm,args
4673 | \_ fis | \_ fish
5842 | \_ fis | \_ fish
5894 | | mos | | \_ mosh-client -# i6-direct | 137.226.36.158 60015
63750 | \_ fis | \_ fish
3554 \_ kded5 \_ /usr/bin/kded5
3555 \_ kwin_x11 \_ /usr/bin/kwin_x11 --replace
3579 \_ kglobalacce \_ /usr/bin/kglobalaccel5
3585 \_ plasmashell \_ /usr/bin/plasmashell --no-respawn
6577 | \_ chrome | \_ /opt/google/chrome/chrome
6582 | \_ cat | \_ cat
6583 | \_ cat | \_ cat
6593 | \_ chr | \_ /opt/google/chrome/chrome --type=zygote --no-zygote-sandbox --string-annotations --crashpad-handle
6631 | | chr | | \_ /opt/google/chrome/chrome --type=gpu-process --string-annotations --crashpad-handler-pid=6585
6787 | | chr | | \_ /opt/google/chrome/chrome --type=broker
6594 | \_ chr | \_ /opt/google/chrome/chrome --type=zygote --string-annotations --crashpad-handler-pid=6585 --enable-
6597 | | chr | | \_ /opt/google/chrome/chrome --type=zygote --string-annotations --crashpad-handler-pid=6585 --ena
6635 | | chr | | \_ /opt/google/chrome/chrome --type=utility --utility-sub-type=storage.mojom.StorageService -
6658 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6659 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6691 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6700 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6722 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6795 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6868 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6899 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
7019 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
7584 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
63649 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
66434 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
67100 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
70967 | | chr | | \_ /opt/google/chrome/chrome --type=renderer --string-annotations --crashpad-handler-pid=6585
6633 | \_ chr | \_ /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en
6990 | \_ chr | \_ /opt/google/chrome/chrome --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US
3648 \_ kactivityma \_ /usr/lib/x86_64-linux-gnu/libexec/kactivitymanagerd
3653 \_ dconf-servi \_ /usr/libexec/dconf-service
3661 \_ gmenudbusme \_ /usr/bin/gmenudbusmenuproxy
3662 \_ polkit-kde- \_ /usr/lib/x86_64-linux-gnu/libexec/polkit-kde-authentication-agent-1
3663 \_ org_kde_pow \_ /usr/lib/x86_64-linux-gnu/libexec/org_kde_powerdevil
3664 \_ xembedsnipr \_ /usr/bin/xembedsniproxy
3899 \_ xsettingsd \_ /usr/bin/xsettingsd
3906 \_ kscreen_bac \_ /usr/lib/x86_64-linux-gnu/libexec/kf5/kscreen_backend_launcher
3957 \_ caffeine \_ /usr/bin/python3 /usr/bin/caffeine
3971 \_ jetbrains-t \_ /home/az/.local/share/JetBrains/Toolbox/bin/jetbrains-toolbox --minimize
3992 \_ kdeconnectd \_ /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
4005 \_ slack \_ /usr/lib/slack/slack
4125 | \_ slack | \_ /usr/lib/slack/slack --type=zygote --no-zygote-sandbox
4227 | | \_ sla | | \_ /usr/lib/slack/slack --type=gpu-process --crashpad-handler-pid=4187 --enable-crash-reporter=6e3d50
4456 | | sla | | \_ /usr/lib/slack/slack --type=broker
4126 | \_ slack | \_ /usr/lib/slack/slack --type=zygote
4144 | | \_ sla | | \_ /usr/lib/slack/slack --type=zygote
4593 | | sla | | \_ /usr/lib/slack/slack --type=renderer --crashpad-handler-pid=4187 --enable-crash-reporter=6e3d5
4231 | \_ slack | \_ /usr/lib/slack/slack --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --ser
4961 | \_ slack | \_ /usr/lib/slack/slack --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service
4041 \_ agent \_ /usr/libexec/geoclue-2.0/demos/agent
4045 \_ kaccess \_ /usr/bin/kaccess
4056 \_ DiscoverNot \_ /usr/lib/x86_64-linux-gnu/libexec/DiscoverNotifier
4082 \_ obexd \_ /usr/libexec/bluetooth/obexd
4187 \_ chrome_cras \_ /usr/lib/slack/chrome_crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --no-upload-gzip -
4233 \_ kwalletd5 \_ /usr/bin/kwalletd5
4352 \_ gpg-agent \_ /usr/bin/gpg-agent --supervised
6201 \_ python3 \_ python3 /home/az/Programmierung/userspace-mouse-scroll-wheel-acceleration/main.py
6585 \_ chrome_cras \_ /opt/google/chrome/chrome_crashpad_handler --monitor-self --monitor-self-annotation=ptype=crashpad-handler
6587 \_ chrome_cras \_ /opt/google/chrome/chrome_crashpad_handler --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-ha
61224 \_ spectacle \_ /usr/bin/spectacle --dbus
3038 chrome-remote-d /usr/bin/python3 /opt/google/chrome-remote-desktop/chrome-remote-desktop --child-process --config=/home/az/.co
3138 \_ (sd-pam) \_ (sd-pam)
3195 \_ pipewire \_ pipewire -c /run/user/1000/crd_audio#_soK6AZs6k/pipewire.conf
3196 \_ pipewire \_ pipewire -c /run/user/1000/crd_audio#_soK6AZs6k/pipewire-pulse.conf
3197 \_ wireplumber \_ wireplumber -c /run/user/1000/crd_audio#_soK6AZs6k/wireplumber.conf
3206 \_ Xorg \_ /usr/lib/xorg/Xorg :20 -auth /home/az/.Xauthority -nolisten tcp -noreset -logfile /dev/null -verbose 3 -co
3265 \_ chrome-remo \_ /opt/google/chrome-remote-desktop/chrome-remote-desktop-host --type=xsession_chooser
3267 \_ chrome-remo \_ /opt/google/chrome-remote-desktop/chrome-remote-desktop-host --host-config=- --audio-pipe-name=/run/user/1
The shell did not work. kwin_x11 did not work. kded5 did not work. systemd did not work. But interestingly, the startplasma-x11 did work? I.e. pkcheck --action-id org.freedesktop.login1.power-off --process 3330 returned with exit code 0.
Hm, loginctl session-status looks weird?
$ loginctl session-status
c1 - az (1000)
Since: Thu 2025-11-27 14:54:16 CET; 23h ago
Leader: 3038 (chrome-remote-d)
TTY: chrome-remote-desktop
Service: chrome-remote-desktop; type x11; class user
State: active
Unit: session-c1.scope
├─3038 /usr/bin/python3 /opt/google/chrome-remote-desktop/chrome-remote-desktop --child-process --config=/home/az/.config/chrome-remote-d>
├─3138 "(sd-pam)"
├─3195 pipewire -c /run/user/1000/crd_audio#_soK6AZs6k/pipewire.conf
├─3196 pipewire -c /run/user/1000/crd_audio#_soK6AZs6k/pipewire-pulse.conf
├─3197 wireplumber -c /run/user/1000/crd_audio#_soK6AZs6k/wireplumber.conf
├─3206 /usr/lib/xorg/Xorg :20 -auth /home/az/.Xauthority -nolisten tcp -noreset -logfile /dev/null -verbose 3 -configdir /tmp/chrome_remo>
├─3265 /opt/google/chrome-remote-desktop/chrome-remote-desktop-host --type=xsession_chooser
└─3267 /opt/google/chrome-remote-desktop/chrome-remote-desktop-host --host-config=- --audio-pipe-name=/run/user/1000/crd_audio#_soK6AZs6k>
Maybe the chrome-remote-desktop installation that I did some time ago is messing this up somehow?
Maybe related: