Bug 710552

Summary: nmcli VPN fails whenever I'm root
Product: [Fedora] Fedora Reporter: tuxor <acc-bugz-redhat>
Component: NetworkManagerAssignee: Dan Williams <dcbw>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dcbw, jklimes
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-28 06:33:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description tuxor 2011-06-03 16:53:51 UTC 
Description of problem:
The following command fails if and only if I'm root. If I try the same command as user, everything works fine:

# nmcli con up id my-openvpn
Active connection state: unknown
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/5
state: VPN connecting (need authentication) (2)
Error: Connection activation failed: no valid VPN secrets.

Version-Release number of selected component (if applicable):


How reproducible: always

Steps to Reproduce:
1. login as root in terminal
2. be sure to have set up an openvpn connection in nm-applet
3. start "nmcli con up id my-openvpn"
  
Actual results: connection doesn't activate


Expected results: able to use openvpn-connection


Additional info: this is a problem, because it prevents me from using this command in a dispatcher script for networkmanager! those dispatcher scripts seem to be started as root or at least they are throwing the same error messages in /var/log/messages.
Comment 1 tuxor 2011-06-03 16:56:05 UTC 
version-release number:

NetworkManager.x86_64                          1:0.8.9997-1.git20110531.fc15
Comment 2 tuxor 2011-06-04 12:17:27 UTC 
It might be interesting to hear, that my vpn-secret is in /etc/NetworkManager/system-connections/my-openvpn (unencrypted!). But I also have an entry regarding this vpn-secret in my gnome-keyring. 

When typing "nmcli con list id my-openvpn" (as root or user doesn't matter), the field "vpn.secrets" is empty.

So what to do about that?!
Comment 3 Jirka Klimes 2011-06-27 10:07:05 UTC 
There are a few ways to handle secrets. In NetworkManager 0.9, these are configured by means of connections' secret property flags: http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html

For most connection types, the default handling is that NM stores passwords itself. However, for certain connections, e.g. VPN, the passwords are rather regarded as personal and thus they are stored by default in clients (e.g. keyring).

So, if you have configured my-openvpn connection for a user, but activate that under root, the password in user's keyring is not accessible.

You can set password-flags in [vpn] to 0 and add your password to [vpn-secrets] to let NM manage the password and thus be able to activate the connection by any user:

[vpn]
....
password-flags=0

[vpn-secrets]
password=your_password

See also http://markmail.org/message/bamybmq5shyk6eje
Comment 4 tuxor 2011-06-27 19:19:24 UTC 
Thanks for your comment. It solved my problem with the dispatcher-scripts. Since this is intended behaviour, it seems like it's "NOTABUG". But it could also be WONTFIX or WORKSFORME.