Red Hat Bugzilla – Bug 710552
nmcli VPN fails whenever I'm root
Last modified: 2011-06-28 02:33:19 EDT
Description of problem:
The following command fails if and only if I'm root. If I try the same command as user, everything works fine:
# nmcli con up id my-openvpn
Active connection state: unknown
Active connection path: /org/freedesktop/NetworkManager/ActiveConnection/5
state: VPN connecting (need authentication) (2)
Error: Connection activation failed: no valid VPN secrets.
Version-Release number of selected component (if applicable):
How reproducible: always
Steps to Reproduce:
1. login as root in terminal
2. be sure to have set up an openvpn connection in nm-applet
3. start "nmcli con up id my-openvpn"
Actual results: connection doesn't activate
Expected results: able to use openvpn-connection
Additional info: this is a problem, because it prevents me from using this command in a dispatcher script for networkmanager! those dispatcher scripts seem to be started as root or at least they are throwing the same error messages in /var/log/messages.
It might be interesting to hear, that my vpn-secret is in /etc/NetworkManager/system-connections/my-openvpn (unencrypted!). But I also have an entry regarding this vpn-secret in my gnome-keyring.
When typing "nmcli con list id my-openvpn" (as root or user doesn't matter), the field "vpn.secrets" is empty.
So what to do about that?!
There are a few ways to handle secrets. In NetworkManager 0.9, these are configured by means of connections' secret property flags: http://projects.gnome.org/NetworkManager/developers/migrating-to-09/secrets-flags.html
For most connection types, the default handling is that NM stores passwords itself. However, for certain connections, e.g. VPN, the passwords are rather regarded as personal and thus they are stored by default in clients (e.g. keyring).
So, if you have configured my-openvpn connection for a user, but activate that under root, the password in user's keyring is not accessible.
You can set password-flags in [vpn] to 0 and add your password to [vpn-secrets] to let NM manage the password and thus be able to activate the connection by any user:
See also http://markmail.org/message/bamybmq5shyk6eje
Thanks for your comment. It solved my problem with the dispatcher-scripts. Since this is intended behaviour, it seems like it's "NOTABUG". But it could also be WONTFIX or WORKSFORME.