Bug 360176 - [Openconnect] openconnect fails with "Necessary secrets were not provided"
Status: RESOLVED INTENTIONAL
Alias: None
Product: plasma-nm
Classification: Plasma
Component: applet
Version: 5.5.5
Platform: Gentoo Packages Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Jan Grulich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-06 22:48 UTC by Herb Miller
Modified: 2016-10-10 11:40 UTC

See Also:
Latest Commit:
Version Fixed In:


Attachments
Networkmanager messages from /var/log/messages (8.92 KB, text/plain)
2016-03-07 16:55 UTC, muddle
nmcli connection show (2.43 KB, text/plain)
2016-03-07 16:56 UTC, muddle
nm log (21.49 KB, text/plain)
2016-03-07 16:59 UTC, muddle
kded5 restart log (18.58 KB, text/plain)
2016-03-07 17:52 UTC, muddle

Description Herb Miller 2016-03-06 22:48:08 UTC
I've been having this problem since 5.3.x. In my logs there's an error showing:

Mar  6 17:40:30 Binge NetworkManager[2447]: <error> [1457304030.649898] [/mnt/gentoo/var/tmp/portage/net-misc/networkmanager-1.0.10-r1/work/NetworkManager-1.0.10/src/vpn-manager/nm-vpn-connection.c:1918] plugin_need_secrets_cb(): ([edited out]) final secrets request failed to provide sufficient secrets
Comment 1 muddle 2016-03-07 12:11:27 UTC
Hi, 

I have exactly the same issue using plasma-nm 5.5.5 on Gentoo.
VPN connection works from command line with nmcli with --ask option. The vpn secrets dialog does not save username and password in kwallet even when the according option is set.
Comment 2 Jan Grulich 2016-03-07 12:41:37 UTC
Information from [1] would be helpful to identify your problem.

[1] - https://techbase.kde.org/Projects/Solid/Plasma-nm#Plasma-nm_doesn.27t_remember_my_password
Comment 3 muddle 2016-03-07 13:02:27 UTC
$> if `qdbus org.kde.kded5 /kded org.kde.kded5.loadedModules | grep networkmanagement > /dev/null`; then echo "running"; else echo "not running"; fi
running
Comment 4 Jan Grulich 2016-03-07 13:40:57 UTC
I need all the information (including NM log and also the debug output from kded as described in the link above).
Comment 5 muddle 2016-03-07 16:55:31 UTC
Created attachment 97743
Networkmanager messages from /var/log/messages

Sorry for the delay.

I'm using openrc instead of systemd so there is no journalctl. I copied the relevant messages from /var/log/messages instead.

For creating the debug information in /var/log/messages I first connected to the vpn by nmcli. After closing the connection, I tried again with plasma-nm.
Comment 6 muddle 2016-03-07 16:56:29 UTC
Created attachment 97744
nmcli connection show
Comment 7 muddle 2016-03-07 16:59:02 UTC
Created attachment 97745
nm log

I found out that if I kill/restart the kded5 service, plasma-nm is able to create the connection.
Comment 8 muddle 2016-03-07 17:52:44 UTC
Created attachment 97747
kded5 restart log

plasma-nm worked after this kded5 restart. (attachment 97745 was the log of a plasmashell restart)
Comment 9 Jan Grulich 2016-03-09 11:30:24 UTC
Hmm, that's interesting. Do other connections work with our kded5 module without restarting (e.g. wireless connections)?
Comment 10 muddle 2016-03-09 16:41:53 UTC
My wifi connections work as expected. The passwords are fetched from my kwallet.
If no kwallet is open, openconnect (or plasma-nm) initiates the kwallet password dialog, but does not read from/write to it.
Comment 11 muddle 2016-03-09 23:38:55 UTC
Some more (hopefully useful) information:
I deleted all vpn connections and recreated a new openconnect vpn in connection editor. Then I tried to connect (without success). After these steps, a config file was created (/etc/Networkmanager/system-connections/myvpn).

sudo cat /etc/Networkmanager/system-connections/myvpn:
[connection]
id=myvpn
uuid=3311d08e-e879-480e-b9aa-2a77ba88b227
type=vpn
permissions=user:my-user:;
secondaries=

[vpn]
lasthost-flags=0
xmlconfig-flags=0
pem_passphrase_fsid=no
gwcert-flags=2
gateway-flags=2
autoconnect-flags=0
enable_csd_trojan=no
certsigs-flags=0
cookie-flags=2
gateway=my-gateway
service-type=org.freedesktop.NetworkManager.openconnect

[ipv4]
dns-search=
method=auto

[ipv6]
dns-search=
method=auto
** end of config file **

After I restarted kded5 and established a vpn-connection a section "[vpn-secrets]" was added to the config file:
[vpn-secrets]
form:main:username=my-user
form:main:group_list=my-list
lasthost=my-gateway
autoconnect=no
save_passwords=no


If I try to reconnect now, the vpn secrets dialog correctly suggests my username (the password field is still empty as I did not select "save password"). The vpn connection is created successfully.

After a logout/login cycle, the vpn connection again aborts with the above error. The username is NOT suggested in the vpn secrets dialog (the username is still saved in the config file).
Comment 12 muddle 2016-03-22 21:34:32 UTC
Hi,

today I updated to kde-frameworks-5.20 and kde-plasma-5.6. (networkmanager is still 1.0.10-r1)
Unfortunately this did not solve the issue.
Comment 13 Jan Grulich 2016-04-05 08:33:52 UTC

*** This bug has been marked as a duplicate of bug 356587 ***
Comment 14 muddle 2016-04-28 08:31:00 UTC
Hi,
I'm now using:
kde-plasma-5.6.3
kde-frameworks-5.21
network-manager-1.0.12-r1

With this combination, the issue is still not solved. Still getting:
NetworkManager[3485]: <error> [1461831813.021974] [/var/tmp/portage/net-misc/networkmanager-1.0.12-r1/work/NetworkManager-1.0.12/src/vpn-manager/nm-vpn-connection.c:1918] plugin_need_secrets_cb(): (xxxxxx) final secrets request failed to provide sufficient secrets
Comment 15 vadimk 2016-06-15 13:19:38 UTC
Please reopen. It's not a duplicate.
Comment 16 muddle 2016-07-05 03:32:51 UTC
I still have this issue on several machines running kde. Is there some more information I could provide?
Comment 17 Aleksei 2016-10-04 10:39:53 UTC
Hi,

I added the following polkit rule as a workaround that helps me:

cat /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.network-control.rules 
// Let users in plugdev group control NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.network-control" &&
        subject.isInGroup("plugdev")) {
        return "yes";
    }
});
Comment 18 Aleksei 2016-10-04 10:46:05 UTC
sorry, my bad

the correct contents follow:

cat /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.network-control.rules 
// Let users in plugdev group control NetworkManager
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("plugdev")) {
        return "yes";
    }
});

I'm not experienced with polkit, probably adding rules to log like:
polkit.addRule(function(action, subject) {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
});

can help with this investigation.
Comment 19 Aleksei 2016-10-04 11:15:40 UTC
Spent a few minutes to get logs. So the following rule activates polkit logging:

// Let users in plugdev group control NetworkManager
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("plugdev")) {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
    }
});

I cannot connect to vpn and see in my syslogs:

Oct  4 11:56:23 dev-host polkitd[2593]: /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.log.rules:4: action=[Action id='org.freedesktop.NetworkManager.network-control']
Oct  4 11:56:23 dev-host polkitd[2593]: /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.log.rules:5: subject=[Subject pid=16321 user='user' groups=user,wheel,uucp,audio,video,usb,users,plugdev,docker seat='' session='' local=true active=false]
Oct  4 11:56:23 dev-host polkitd[2593]: /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.log.rules:4: action=[Action id='org.freedesktop.NetworkManager.settings.modify.system']
Oct  4 11:56:23 dev-host polkitd[2593]: /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.log.rules:5: subject=[Subject pid=16244 user='user' groups=user,wheel,uucp,audio,video,usb,users,plugdev,docker seat='' session='' local=false active=false]
Oct  4 11:56:23 dev-host polkitd[2593]: /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.log.rules:4: action=[Action id='org.freedesktop.NetworkManager.settings.modify.system']
Oct  4 11:56:23 dev-host polkitd[2593]: /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.log.rules:5: subject=[Subject pid=16244 user='user' groups=user,wheel,uucp,audio,video,usb,users,plugdev,docker seat='' session='' local=false active=false]

The contents of default /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules in my Gentoo 
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev") && subject.active) {
        return "yes";
    }
});

Have you noticed `&& subject.active` at the end of the condition? Let's remove it!

cat /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules 
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("plugdev")) {
        return "yes";
    }
});

Finally I see another try to connect is successful! Have no idea how NM interacts with polkit, but hope it somehow helps for further investigation.
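
Added example, not part of the original thread and not polkit's own code: a small JavaScript stand-in for polkitd's rule evaluation that runs the three rule variants from comments 18 and 19 against the subject polkitd logged (`active=false`). The `decide` helper, the `policy-default` label and the `org.example.unrelated-action` id are assumptions made for the illustration.

```javascript
// Added example (not polkit's own code): a tiny stand-in for polkitd's rule
// evaluation, used to compare the three rule variants posted in this thread.

// Rules are tried in the order added; the first one returning a value decides.
// When none does, real polkit falls back to the action's .policy defaults.
function decide(rules, actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result) return result;
  }
  return "policy-default"; // label chosen for this example
}

// Subject with the fields polkitd logged in comment 19 (group list shortened).
function makeSubject(user, groups, active) {
  return { user, groups, local: false, active, isInGroup: (g) => groups.includes(g) };
}

const MODIFY_SYSTEM = "org.freedesktop.NetworkManager.settings.modify.system";
const UNRELATED = "org.example.unrelated-action"; // constructed placeholder id

// Gentoo's shipped rule: requires an active session.
const stockRule = (action, subject) => {
  if (action.id == MODIFY_SYSTEM && subject.isInGroup("plugdev") && subject.active) {
    return "yes";
  }
};
// Comment 19: same action, session check dropped.
const scopedRule = (action, subject) => {
  if (action.id == MODIFY_SYSTEM && subject.isInGroup("plugdev")) return "yes";
};
// Comment 18: no action check at all.
const blanketRule = (action, subject) => {
  if (subject.isInGroup("plugdev")) return "yes";
};

// Returns the decision of each variant for one request.
function compare(actionId, subject) {
  return {
    stock: decide([stockRule], actionId, subject),
    scoped: decide([scopedRule], actionId, subject),
    blanket: decide([blanketRule], actionId, subject),
  };
}

const loggedUser = makeSubject("user", ["user", "wheel", "plugdev"], false);
console.log(compare(MODIFY_SYSTEM, loggedUser));
console.log(compare(UNRELATED, loggedUser));
```

The blanket variant answers "yes" for the unrelated action as well, so the variants that test `action.id` are the narrower form of the workaround.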
Comment 20 Jan Grulich 2016-10-05 10:13:33 UTC
In this case it's a problem in the system configuration and not in plasma-nm. You need access to modify your connections in NetworkManager in order to activate them.
Comment 21 muddle 2016-10-06 20:51:26 UTC
Thanks, Aleksei!

That pointed me in the right direction. In my case I had to add an additional rule (see below). I assume that both might be needed, the first one in case you want to store the connections system-wide and the second for user-only connections (but I'm not really sure about that).
With the following rules everything works fine now (thanks to everyone here):

cat /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules 
// Let users in plugdev group modify NetworkManager
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" && subject.isInGroup("plugdev")) {
        return "yes";
    }
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.own" && subject.isInGroup("plugdev")) {
        return "yes";
    }
});
Comment 22 Aleksei 2016-10-10 11:40:20 UTC
(In reply to muddlehead from comment #21)
> Thanks, Aleksei!
> 
> That pointed me in the right direction. In my case I had to add an additional
> rule (see below). I assume that both might be needed, the first one in case
> you want to store the connections system-wide and the second for user-only
> connections (but I'm not really sure about that).
> With the following rules everything works fine now (thanks to everyone here):
> 
> cat /usr/share/polkit-1/rules.d/01-org.freedesktop.NetworkManager.settings.modify.system.rules
> // Let users in plugdev group modify NetworkManager
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" && subject.isInGroup("plugdev")) {
>         return "yes";
>     }
>     if (action.id == "org.freedesktop.NetworkManager.settings.modify.own" && subject.isInGroup("plugdev")) {
>         return "yes";
>     }
> });

FYI, there is another example at a wiki page https://wiki.gentoo.org/wiki/NetworkManager#Fixing_nm-applet_insufficient_privileges