710552 – nmcli VPN fails whenever I'm root

Bug 710552 - nmcli VPN fails whenever I'm root

Summary: nmcli VPN fails whenever I'm root

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	NetworkManager
Sub Component:
Version:	15
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Dan Williams
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-06-03 16:53 UTC by tuxor
Modified:	2011-06-28 06:33 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-06-28 06:33:19 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description tuxor 2011-06-03 16:53:51 UTC

Description of problem:
The following command fails if and only if I'm root. If I try the same command as user, everything works fine:

# nmcli con up id my-openvpn
Active connection state: unknown
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/5
state: VPN connecting (need authentication) (2)
Error: Connection activation failed: no valid VPN secrets.

Version-Release number of selected component (if applicable):


How reproducible: always

Steps to Reproduce:
1. login as root in terminal
2. be sure to have set up an openvpn connection in nm-applet
3. start "nmcli con up id my-openvpn"
  
Actual results: connection doesn't activate


Expected results: able to use openvpn-connection


Additional info: this is a problem, because it prevents me from using this command in a dispatcher script for networkmanager! those dispatcher scripts seem to be started as root or at least they are throwing the same error messages in /var/log/messages.

Comment 1 tuxor 2011-06-03 16:56:05 UTC

version-release number:

NetworkManager.x86_64                          1:0.8.9997-1.git20110531.fc15

Comment 2 tuxor 2011-06-04 12:17:27 UTC

It might be interesting to hear, that my vpn-secret is in /etc/NetworkManager/system-connections/my-openvpn (unencrypted!). But I also have an entry regarding this vpn-secret in my gnome-keyring. 

When typing "nmcli con list id my-openvpn" (as root or user doesn't matter), the field "vpn.secrets" is empty.

So what to do about that?!

Comment 3 Jirka Klimes 2011-06-27 10:07:05 UTC

There are a few ways to handle secrets. In NetworkManager 0.9, these are configured by means of connections' secret property flags: http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html

For most connection types, the default handling is that NM stores passwords itself. However, for certain connections, e.g. VPN, the passwords are rather regarded as personal and thus they are stored by default in clients (e.g. keyring).

So, if you have configured my-openvpn connection for a user, but activate that under root, the password in user's keyring is not accessible.

You can set password-flags in [vpn] to 0 and add your password to [vpn-secrets] to let NM manage the password and thus be able to activate the connection by any user:

[vpn]
....
password-flags=0

[vpn-secrets]
password=your_password

See also http://markmail.org/message/bamybmq5shyk6eje

Comment 4 tuxor 2011-06-27 19:19:24 UTC

Thanks for your comment. It solved my problem with the dispatcher-scripts. Since this is intended behaviour, it seems like it's "NOTABUG". But it could also be WONTFIX or WORKSFORME.

Note You need to log in before you can comment on or make changes to this bug.