NetworkManager.vpn fails -- nm-vpn-connection.c.900: NeedSecrets

I can confirm this. I'm wondering what the dbus error 'Rejected send message' means, but to me, it seems to be the culprit.

This is affecting me as well on the 9.04rc, with the same settings/symptoms as the original post. While looking up this bug report, I noticed a somewhat similar problem with network-manager-pptp that was resolved by fixing dbus permissions (bug 343270).

Actually, reading off that other bug, I added the at_console permissions to /etc/dbus-1/system.d/nm-vpnc-service.conf and fixed the problem. A patch is attached.

I can confirm the above patch fixes the error. Please note you will need to restart after chaning the conf file.

i assume this is still an issue in latest jaunty? does it help to flag the vpn connection for "Make available to All users"?

On Mon, 20 Apr 2009 21:29:29 +0100, Alexander Sack <email address hidden> wrote:

> i assume this is still an issue in latest jaunty? does it help to flag
> the vpn connection for "Make available to All users"?
>
> ** Changed in: network-manager-vpnc (Ubuntu)
> Status: New => Incomplete
>

Yes - It was still a bug in the latest jaunty (I came across the bug
today), but the patch above fixed it for me.

Not sure about that flag - will test it tomorrow if I remember.

please run

tar czf /tmp/dbus-dir.tgz /etc/dbus-1/system.d/

and attach the dbus-dir.tgz.

also run dpkg-query -W -f'${Conffiles}' network-manager-vpnc and post the output.

thanks.

Alexander,
I am seeing the exact same issue with Jaunty, here is my information.

Output of dpkg-query:
 /etc/dbus-1/system.d/nm-vpnc-service.conf fd1972dab1966261b4cc7aaa274d3e84
 /etc/NetworkManager/VPN/nm-vpnc-service.name da725da28b8e843fa6c32dde7a2b3851

so please run

sudo /usr/lib/network-manager-vpnc/nm-vpnc-service

in one terminal and

sudo dbus-send --print-reply --system --dest=org.freedesktop.NetworkManager.vpnc /org/freedesktop/NetworkManager/VPN/Plugin org.freedesktop.NetworkManager.VPN.Plugin.Disconnect

in another ... does that work?

Doesn't look like it.

Here's what I get after running the dbus-send command:

pck@ubuntu:~$ sudo dbus......
[sudo] password for pck:
method return sender=:1.238 -> dest=:1.240 reply_serial=2
pck@ubuntu:~$

No VPN connect was established.

ok. we need to get more output from dbus.

can you please stop dbus (sudo /etc/init.d/dbus stop) and start it from a command line like:

sudo DBUS_DEBUG_OUTPUT=1 dbus-daemon --nofork 2>&1 | tee /tmp/dbus.log.txt

... then please reproduce and attach the dbus.log.txt.

Thanks!

I've just removed the patch and the vpn connection is still working . Even setting up a new user and new vpn connection is fine, so am unable to do any more tests. I'll upgrade my PC to jaunty tomorrow to see if it has the same issue as my laptop had so I can do some more debugging.

Alexander,
Despite my best efforts to hack away around it, I cannot seem to stop dbus without being logged out of gnome and my system becoming unresponsive. Any suggestions?

you could see if adding a line:

export DBUS_DEBUG_OUTPUT=1

in /etc/default/dbus

enables debug output for you (usually would go to syslog i think). but be careful that could produce really a lot of output, so in case everything slows down or causing other issues, remember to remove that again.

so in case it works, let the system settle and (assuming its syslog where the output goes to) do a

 tail -n0 -f /var/log/syslog > /tmp/dbus.log.txt

right before clicking on the VPN menu entry. hit ctrl-c to abort that "tail" thing right after the bug happened.

Adding export DBUS_DEBUG_OUTPUT=1 to the params section of /etc/default/dbus resulted in the same errors as before, with system unresponsiveness at the login screen. A hard restart is required to reboot, and I had to recovery console into the config file and remove the option to get my system to work. Looking at my logs, it appears that dbus just doesn't start with that option enabled, either way a few services seem to be freaking out because of it (relevant section in syslog attached).

> Adding export DBUS_DEBUG_OUTPUT=1 to the params section of /etc/default/dbus

not sure i understand. did you add that into PARAMS="..."? doing that will probably make dbus not start, yes.

please check if you did you do what i said:

> you could see if adding a line:
> export DBUS_DEBUG_OUTPUT=1
> in /etc/default/dbus

Ahh nope, that was my mistake.
However, I just tried the connection and it worked. Doesn't make any sense, wasn't working even this morning. Maybe an update got it? I didn't pay attention to see if network-manager or network-manager-vpnc was patched. Or maybe it was on my school's end? Either way, my problem is solved.

I'll let you know if the issue reappears.

Thanks for the help.

maybe you never rebooted before?

No, that is always bugfix #1 for me. I did delete the vnc profile I
currently had before I started your debugging procedure. Maybe it was a
problem with carrying it over from intrepid in the upgrade and it was fixed
by recreating in Jaunty?

the vpnc profile fixing this is really really unlikely. you clearly had dbus communication issues, which usually mean your system.d policies are messed up. Did you revert to the default files there? Maybe you still have the at_console hack in it?

I have the same problem and fixedwith Patrick Healy 's method.
Thanks for help!

I had what looks like the same problem with network-manager-openvpn (it looked like the same type of DBUS miscommunication.)

The problem went away after a complete system restart. I made no configuration file changes elsewhere.

I only mention this because many people seem to be reporting that everything starts working without explanation - it could very well be that a configuration file added/tweaked during install isn't being enacted until the next boot.

The patch to nm-vpnc-service.conf above is incorrect, instead of user="at_console" it should be at_console="true"

<policy at_console="true">
 <allow own="org.freedesktop.NetworkManager.vpnc"/>
 <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
</policy>

This makes vpnc work, but still I set tons of rejected send messages from dbus in /var/log/auth.log

I can confirm the bug and the fix of Patrick Healy does work.

@Stpehen, you must have another issue. please look in your log-files and see what you have.
@Alexander, I normally do not reboot my pc except for kernel-changes. In Windows rebooting might be called a fix, in Linux it remains a bug. So therefore I changed the state to "incomplete".

I can confirm this error as well. I am receiving the same error as the one pasted in the original description in my /var/log/syslog file.

this stays invalid. dbus policy changes only get applied after reboot in ubuntu ... you can manually try to reload dbus config.

Also dont apply the none fix with at_console ... that really makes no sense and opens security issues for you. Dont spread that stuff around please.

also remember that as soon as you touched any file in /etc/ you wont get those files auto updated anymore ... so in future you might end up in more issues if we need to change the dbus rules.

ok. after getting more complains about these issues we debugged this and it turned out to be caused by new consolekit behaviour.

Problem is that root becomes @console if you have a root shell open (like sudo su). So to connect you just need to log out all root shells.

We are working on a solution real solution on this, so stay tuned.

meanwhile running 'sudo vpnc' works without problems, I'm using this while waiting for the elegant solution :)

> meanwhile running 'sudo vpnc' works without problems, I'm using this
> while waiting for the elegant solution

Thats great. but please don't post such things as workaround to network-manager bugs ... while this might sound like a smart idea (and maybe its indeed smart), its not productive (trust me!) and exiting all root shells while you connect does not really ask for much ;).

so back to topic: if you see this issue, could you please confirm that there is a /var/run/console/root file? If so, please verify that exiting all root shells fixes this. Thanks!

I don't have a /var/run/console/root file, there are no root shells running, but I'm still getting this issue.

Chris, did you reboot in between?

Chris, could you please also attach the syslog output you get while trying to connect? I want to check that you are really seeing this issue.

May 7 08:22:08 ubuntu NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.vpnc'...
May 7 08:22:08 ubuntu NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' started (org.freedesktop.NetworkManager.vpnc), PID 8365
May 7 08:22:08 ubuntu NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.vpnc' just appeared, activating connections
May 7 08:22:08 ubuntu NetworkManager: <info> VPN plugin state changed: 1
May 7 08:22:14 ubuntu NetworkManager: <info> VPN plugin state changed: 3
May 7 08:22:14 ubuntu NetworkManager: <info> VPN connection 'For clients behind a NAT devices' (Connect) reply received.
May 7 08:22:14 ubuntu kernel: [288742.257810] tun0: Disabled Privacy Extensions
May 7 08:22:18 ubuntu NetworkManager: <info> VPN plugin failed: 0
May 7 08:22:18 ubuntu NetworkManager: <info> VPN plugin state changed: 6
May 7 08:22:18 ubuntu NetworkManager: <info> VPN plugin state change reason: 10
May 7 08:22:18 ubuntu NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
May 7 08:22:18 ubuntu NetworkManager: <info> Policy set 'Auto eth0' (eth0) as default for routing and DNS.

Sorry, I forgot to note that I have rebooted since then - same issue :-)

I'd love to get a VPN connection to my work's network, I am willing to assist further. Tell me what is required and I'll do it, gladly!

I had the same problem and was able to correct it using Patrick Healy's patch.

I'm running up-to-date Ubuntu 9.04 x86_64.

network-manager: 0.7.1~rc4.1.cf199a964-0ubuntu2
network-manager-gnome: 0.7.1~rc4.1-0ubuntu2
network-manager-vpnc: 0.7.1~rc4.20090316+bzr21-0ubuntu

Please let me know if there's any testing, etc... I can do to speed up the release of the "real solution" Alexander mentions above.

In 9.04 I have the same error: NeedSecrets failed: dbus-glib-error....
No root shell is running (var/run/console).
sudo vpnc-connect works at the terminal.
Patrick Healy's user="at_console" policy fixes the problem.

I have had the same issue after installing vpnc and network-manager-vpnc. Tried the fix by Patrick Healy - but it didn't help. Actually a reboot (first one after installing the packages mentioned before) did the trick (reverting the fix by Healy to the original), it even works with a root shell running.

Btw: Ubuntu 9.04
network-manager: 0.7.1~rc4.1.cf199a964-0ubuntu2
network-manager-vpnc: 0.7.1~rc4.20090316+bzr21-0ubuntu
Output of dpkg-query:
 /etc/dbus-1/system.d/nm-vpnc-service.conf fd1972dab1966261b4cc7aaa274d3e84
 /etc/NetworkManager/VPN/nm-vpnc-service.name da725da28b8e843fa6c32dde7a2b3851

Hi,

I have Ubuntu 9.10 x64 with kde3 from ppd and have the same problem:

NetworkManager: nm-vpn-connection.c.828: NeedSecrets failed: dbus-glib-error-quark Invalid connection type.

I use:

ii network-manager-kde-kde3 1:0.8-0ubuntu12 KDE systray applet for controlling NetworkMa
ii network-manager-openvpn 0.8~a~git.20091008t123607.7c184a9-0ubuntu1 network management framework (OpenVPN plugin

This workaround dosn`t work for me.

Can someone help ?

@bnight: KDE4 is installed by default under (K)Ubuntu 9.10.
KDE3 is not anymore supported under (K)Ubuntu 9.10.

Please update to KDE4!
Otherwise please write a new bug report (to distinguish, because it is a another bug)

I know that KDE3 is not anymore supported.

But i don`t want to use KDE4.

What should i do to have this issue fixed i think that this is the same issue as the others but only that the workaround with +password don`t work.

Please told me what should i do to get this working.

It`s not a big issue after all because i connect with openvpn vpn.conf but i want to use NM for this one.

Thanks in advance for the support.

antons workaround was a saver after weeks of furstration

kudos to anton

Why has this fix only been released for vpnc, not openvpn?

well I believe Anton's "fix" is not a fix but a workaround, and yes it works for openvpn

Hi there,

Attached patch work-arounds the problem with OpenVPN.

Looking at the source, I'm puzzled, cos' line 1000 of Karmic Koalas nm-openvpn-service.c does validations of set #1 of parameters, whereas line 1004 does validation of set #2. The problem is that these sets are divergent, so either one doesnt provide any "secret parameters" (hence the "No VPN secrets!" error), or receives an error that such parameter is invalid.

I dont know if my reasoning is correct, I dont know why it worked intermittently - I just wanted my OpenVPN back :-) Please forward my remarks upstream if you find this helpful.

Pawel

Can anyone confirm that this bug has actually been fixed in any version of network-manager-vpnc or in a related package? All I can see is that Ronan F marked this bug as fixed, but I fail to see any mention of the actual fix or version. Version 0.7.997 was released on 2009-12-08, but it doesn't seem to contain any obvious bugfixes related to this issue.

This bug hit me two times on karmic with OpenVPN during the last week and both times I went through the "edit connections" dialogue to select the same user certificate that has already been selected before. No other parameters were changed. After hitting "Apply" I was able to establish VPN connections again.

Could have been pure luck, though, taking into account all the other ways that seem to have helped other people.

looks like pptp plugin is affected too:

Mar 16 11:16:03 valmar NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.pptp'...
Mar 16 11:16:03 valmar NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.pptp' started (org.freedesktop.NetworkManager.pptp), PID 4556
Mar 16 11:16:03 valmar NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.pptp' just appeared, activating connections
Mar 16 11:16:03 valmar NetworkManager: nm-vpn-connection.c.828: NeedSecrets failed: dbus-glib-error-quark Rejected send message, 1 matched rules; type="method_call", sender=":1.2" (uid=0 pid=1114 comm="NetworkManager) interface="org.freedesktop.NetworkManager.VPN.Plugin" member="NeedSecrets" error name="(unset)" requested_reply=0 destination="org.freedesktop.NetworkManager.pptp" (uid=0 pid=4556 comm="/usr/lib/network-manager-pptp/nm-pptp-service))
Mar 16 11:16:03 valmar NetworkManager: <WARN> connection_state_changed(): Rejected send message, 1 matched rules; type="method_call", sender=":1.2" (uid=0 pid=1114 comm="NetworkManager) interface="org.freedesktop.NetworkManager.VPN.Plugin" member="Disconnect" error name="(unset)" requested_reply=0 destination="org.freedesktop.NetworkManager.pptp" (uid=0 pid=4556 comm="/usr/lib/network-manager-pptp/nm-pptp-service))

After a reboot, vpnc works for me...

HOWEVER, the user/group password is randomly forgotten, even when the GUI option "Saved" is selected. "Ask every time" does not actually ask, ever. The only way to use the VPN connection after the passwords are randomly forgotten is to click "Configure VPN" and type the passwords again and set the dropdown to "Saved."

Retyping the passwords gets old quick, and I've seen this "NoSecrets" issue in Ubuntu for ages (multiple OS installs on different boxes, same problem).

this bug is still there in lucid

Have you rebooted yet?
Hopefully you've made no other changes, but if you've this issue on a fresh install of lucid,
I'd love to see if a single reboot fixes it (I suspect a restart of X/network-manager would).

Sadly, I get the same error - and yes, I've rebooted.

On Sat, May 1, 2010 at 9:59 AM, Niall Brosnan
<email address hidden>wrote:

> Have you rebooted yet?
> Hopefully you've made no other changes, but if you've this issue on a fresh
> install of lucid,
> I'd love to see if a single reboot fixes it (I suspect a restart of
> X/network-manager would).
>
> --
> NetworkManager.vpn fails -- nm-vpn-connection.c.900: NeedSecrets
> https://bugs.launchpad.net/bugs/360818
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Still broken in Lucid. Tested the fix by modifying /etc/dbus-1/system.d/nm-openvpn-service.conf and it works perfectly. This is a 4 line fix that has been tested and works - why has it not been implemented?

I meet here the same problem of failing because no secrets (trying configuring and start directly after installing network-manager-vpnc). I reboot, next i have installed something using sudo apt-get install(and close the terminal after directly, so i don't know if maybe there was a sudo active), and then i tried again starting the vpn and it works fine. I will do more tests with new installations today, so when people have scenarios that must fail, i like to know to test these.

How can i guaranteed that i have a root shell open?

I completely agree with Christiaan D in comment #117. The fix has been released over a year ago. It should have been added to the distro by now. Instead, the bug is still there in Lucid...

I confirm that it works perfectly when adding the "at_console" privileges like described by Patrick Healy in comment #3 (April 2009 !!)

Still nothing happened. Same problem and fixed as in #117.
Even Micro$oft seems faster with fixing bugs compared to this bug. (maybe this comment will spur some action...)

You know, I cannot understand why anyone says that the patch produced in comment #3 works for folks. The syntax is totally wrong - it's at_console="true", not user="at_console".

I looked up what at_console does, and as it turns out at_console was originally created to use RedHat's pam_console... which of course is specific to RedHat. Ubuntu gets around this by using libpam-foreground, and from the following bug report at Debian http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=422349 I believe that there's been a patch done to dbus to get this working.

I guess my next question is: if you aren't using at_console (or pam_console, or pam_forground), then how does ConsoleKit do this?

OK, so I'm trying to work this out.

NeedSecrets - now correct me if I'm wrong here, but from what I've read while doing some research, this is an error that's occuring because network-manager can't get access to the relevant passwords for the VPN connection!

So in my travails into how it seems that NetworkManager does things (someone please pipe in here if I'm wrong), but this is how I understand that it works:

1. You bring up the network manager interface to connect to the VPN
2. nm then looks at gconf at System/Network/Connections/ and looks for the entry that matches the name, uuid and the service plugin name (?? is this right?)
3. It can then prompt for credentials, or it looks at Gnome-keyring.

So therefore, I guess that the following need to be checked:

1. Check what the uuid is for your VPN connection in gconf
2. Now go to Applications -> Accessories -> Passwords and Encryption Keys
3. Find the key for this connection (it should says something like "password for <VPN connection name>"

If you can't find it, then possibly there is something wrong with retrieving the secrets needed for the VPN?

Just a thought. If an nm person could chime in, that would be great :-) Hopefully I'm not misleading anyone! But this bug has been going on for a long time...

Alternatively... is it possible that it can't access the keyring?

Not to toot my own horn, but I pointed out the solution to #3 in #24 and it worked for me. If you try making that change alone does it work?

Anybody who still has this issue in Lucid, could you please open a new bug about it, preferably using the 'ubuntu-bug network-manager' command, so we can get full details of what is going on? Please make sure you add how you got that system to Lucid, that is, whether it was a clean install or an upgrade; and if it was an upgrade, from what other version of Ubuntu.

Chris, you pretty much got it right. The passwords currently saved for VPNs need to be verified. If there are some, you should be able to delete them for NM to ask about them again. Another thing to try could be to create a new user, and create the connection from scratch in that user to see if it can be completed.

As there is no patch attached that can reasonably and provably fix these issues (and given we've had multiple reports of this working properly in and after karmic), I've unsubscribed ubuntu-reviewers for now.

This bug are too in Ubuntu 10.04 Lucid Lynx. This workaround works fine for me:

* Goto System -> Preferences -> Passwords and Encryption Keys.
* You must see the stored password for <Connection Name>/org.freedesktop.NetworkManager.vpnc/vpn.
* Right click -> Properties -> Applications tab.
* Check Permissions -> Read and Write.
* Close -> Close.
* Reboot.

I don't have

* Goto System -> Preferences -> Passwords and Encryption Keys.

My entry is encryption and keyrings, and my connection for VPN is not there. Is there a workaround?

Oh, and I am running 10.04 with latest patches.

Try with
Applications -> Accesories -> Passwords and Encryption Keys
There is a filter at the top to search for 'freedesktop'

I found the keys at Applications -> Accesories -> Passwords and Encryption Key, but there is no freedesktop there.

I did find my VPN connection that does not work -- same error "would not start", after setting the the read write privs.

Hello everybody,

I can confirm that the problem still happens with 11.04, as follows:
- on first installation of network-manager-vpnc I can't connect to the VPN, and I get the error "Failed because there were no valid VPN secrets"
- after reboot it works

Explanation in commend #27 (bus policy changes only get applied after reboot in ubuntu) seems to make sense to me. This problem happened to me since 10.04 at least. network-manager-vpnc package version: 0.8.1+git.20110207t151002.6a2b2d6-0ubuntu2

Hi!

Can confirm the reports of a reboot needed for this to work.

First setup of a VPN connection at all on a 11.04 install (Gnome 2.32.1 Classic)
- Installed the plugin for Cisco VPN: (this should really be better documented in the dialog box in Network Manager
sudo apt-get install network-manager-vpnc
- Imported my .pcf file with the Cisco VPN settings.
- Tried to connect and got the"Failed because there were no valid VPN secrets"
- Rebooted
- Tried to connect - works perfect!

I revisited this. I used Applications --> Accessories --> Passwords and Encryption keys. I see where a connection's read and write properties could be checked. However, my vpn connection is not present in this list. So, when created, it's never getting there. Any ideas on how to get it there by hand configuration?

So, obviously, this is still a bug for me.

Are there any workarounds for this? This is for 10.04 LTS.

Solution for an update-to-date Ubuntu 10.04 is to reboot your machine after installing or importing your vpnc connection.

For adavanced users: Instead of rebooting you can also restart network-manager and the dbus daemon. The upstream author only recommends "killall -HUP dbus-daemon", but i haven't tested that.

This has been covered for a long while now, and since (Oneiric, I think) you should no longer need to restart anything for the connection to be registered. If it still doesn't work, it would be a different bug.

A reboot is only required after *installing* the VPN, it doesn't need to be done for each new connection ;)

Please, if you're still getting this issue regardless of the version of Ubuntu in use, please file a *new*, *separate* bug report to make sure we can cover any possible case affecting you and really make sure *everything* is fixed. I'll close this bug report here as Fix Released since by and large this has already been covered in newer Ubuntu releases (it as the very least definitely works for me on a new install of the current development release).