* Getting network-manager-openconnect to work
@ 2020-04-22 12:25 divan
From: divan @ 2020-04-22 12:25 UTC
To: Help guix
Hi Guixers,
There is also a bug report about this query.
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=37369
I'm not having any luck getting network-manager-openconnect to work for
me.
For one, using nm-connection-editor on cli or via exwm program launcher,
and creating a new connection tells me:
Insufficient privileges
Apr 12 21:32:20 swift NetworkManager[385]: <info> [1586719940.8362] audit: op="connection-add" pid=2616 uid=1000 result="fail" reason="Insufficient privileges."
$ id
uid=1000(ds) gid=998(users) groups=998(users),972(docker),975(libvirt),978(adbusers),984(kvm),986(cdrom),989(lp),990(netdev),991(audio),992(video),993(input),999(wheel)
Full system config is pasted below[1].
My groups appear fine. Perhaps some issue with polkit?
polkit is running though.
polkitd 864 1 0 12:33 ? 00:00:00 /gnu/store/mw57n9nj3y20bfm9ijcbpm16gpsik6sg-polkit-0.116/lib/polkit-1/polkitd --no-debug
Not sure if it's the way my desktop is started with exwm.
I am able to up / down connections via "nmcli con up id" and without
sudo.
I know others have sometimes complained about network manager
permissions as a user. It seems it works for some but not others.
Secondly, upping an openconnect network manager connection file which is
known to work on another distro results in this:
$ nmcli con up id my-vpn-2fa --ask
Error: openconnect failed: Could not find "openconnect" binary
A password is required to connect to 'my-vpn-2fa.
Gateway (vpn.secrets.gateway):
I notice that after about a minute the GUI form pops up. It then prompts
me for my 2FA meaning it passed the 1st authentication bit. After I
approve, it then disappears and seems to disconnect.
Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.6929] agent-manager: req[0x1043510, :1.159/nmcli-connect/1000]: agent registered
Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.6976] audit: op="connection-activate" uuid="40441d34-5290-4631-8796-5fb57d0f1bf2" name="vpn-fnb-2fa" pid=12530 uid=1000 result="success"
Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.7034] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Started the VPN service, PID 12536
Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.7117] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Saw the service appear; activating connection
Apr 12 21:20:33 swift NetworkManager[360]: <info> [1586719233.2173] settings-connection[0xecac80,40441d34-5290-4631-8796-5fb57d0f1bf2]: write: successfully committed (keyfile: update /etc/NetworkManager/system-connections/vpn-fnb-2fa (40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa"))
Apr 12 21:20:33 swift NetworkManager[360]: <error> [1586719233.2192] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: final secrets request failed to provide sufficient secrets
Apr 12 21:20:33 swift NetworkManager[360]: <info> [1586719233.2234] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: VPN plugin: state changed: stopped (6)
Creating a new connection via sudo and then starting it results in the
same.
Any idea?
[1]: (trimmed slightly)
--8<---------------cut here---------------start------------->8---
(use-modules
(gnu)
(gnu packages admin)
(gnu packages android) ;for android-udev-rules
(gnu packages certs)
(gnu packages cups)
(gnu packages gnome)
(gnu packages gnupg)
(gnu packages haskell-apps)
(gnu packages linux)
(gnu packages shells)
(gnu packages suckless)
(gnu packages virtualization)
(gnu packages wm)
(gnu packages xorg)
(gnu services avahi)
(gnu services cups)
(gnu services desktop)
(gnu services dns)
(gnu services docker)
(gnu services monitoring)
(gnu services networking)
(gnu services pm)
(gnu services shepherd)
(gnu services sound)
(gnu services ssh)
(gnu services sysctl)
(gnu services virtualization)
(gnu services xorg)
(gnu system nss)
(gnu system shadow) ;for user-group
(guix build-system trivial)
(guix download) ;for url-fetch
(guix git-download)
(guix packages) ;for origin
(nongnu packages linux)
(srfi srfi-1) ;for 'remove'
)
(define %extra-linux-modules
'("fuse" ; for sshfs
"nbd" ; to mount qcow2 images
))
(operating-system
(host-name "swift")
(timezone "Africa/Johannesburg")
(locale "en_US.utf8")
(locale-libcs (list glibc-2.28 (canonical-package glibc)))
(hosts-file (local-file "/home/ds/src/ds-config/.config/guix/etc/hosts"))
(sudoers-file (local-file "/home/ds/src/ds-config/.config/guix/etc/sudoers"))
(kernel-arguments
(list
(string-append "resume_offset=106602496")
(string-append "modprobe.blacklist=" "pcspkr,snd_pcsp")
(string-append "net.ifnames=0")
(string-append "kvm_intel.nested=1")))
(kernel linux-4.19)
(firmware (cons* linux-firmware %base-firmware))
(initrd (lambda (fs . args)
(apply base-initrd fs
#:extra-modules %extra-linux-modules
args)))
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)
(target "/boot/efi")
))
(mapped-devices (list (mapped-device
(source (uuid "3e7beb3b-1037-4ee8-9048-5e048afafbd0"))
(target "crypt")
(type luks-device-mapping))))
(file-systems (cons* (file-system
(device "/dev/nvme0n1p1")
(type "msdos")
(mount-point "/boot/efi"))
(file-system
(device "/dev/mapper/crypt")
(mount-point "/")
(type "ext4")
(dependencies mapped-devices))
%base-file-systems))
(swap-devices '("/mnt/swapfile"))
(users (cons (user-account
(name "ds")
(comment "Divan Santana")
(group "users")
(supplementary-groups
'("adbusers" ;for adb
"wheel" "kvm" "audio" "video" "lp"
"docker"
"libvirt"
"input"
;; "lpadmin"
"cdrom" "netdev"))
(home-directory "/home/ds"))
%base-user-accounts))
(groups (cons (user-group (system? #t) (name "adbusers"))
%base-groups))
(packages
(append (map specification->package
'(
"bash-completion"
"binutils"
"bridge-utils"
"dmidecode"
"dnsmasq"
"docker"
"docker-cli"
"docker-compose"
"dosfstools"
"dtach"
"ethtool"
"font-adobe-source-code-pro"
"font-adobe-source-sans-pro"
"font-adobe-source-serif-pro"
"font-adobe100dpi"
"font-adobe75dpi"
"font-awesome"
"font-bitstream-vera"
"font-dejavu"
"font-fantasque-sans"
"font-fira-code"
"font-fira-mono"
"font-fira-sans"
"font-gnu-freefont-ttf"
"font-google-roboto"
"font-hack"
"font-inconsolata"
"font-iosevka"
"font-liberation"
"font-misc-misc"
"font-tamzen"
"font-ubuntu"
;; "font-symbola" ;; missing
"git"
;; "arc-theme" ;; fixme, should be in core only
"gnome-themes-standard" ;; fixme, should be in core only
"iptables"
"light"
"lsof"
"mlocate"
"mobile-broadband-provider-info"
"modem-manager"
"neovim"
"netcat"
"network-manager-applet"
"network-manager-openconnect"
"network-manager-vpnc"
"net-tools"
"nss" ;; FIXME: is not providing certutil
"nss-certs"
"ntfs-3g"
"openconnect"
"openssh"
"parted"
"qemu"
"rsync"
"setxkbmap"
"slock"
"usb-modeswitch"
"usb-modeswitch-data"
"udiskie"
"xcape"
"xdotool" ;; simulate keyboard/mouse presses
"xev"
"xf86-input-libinput"
"xf86-input-synaptics"
"xf86-input-wacom"
"xf86-video-fbdev"
"xinit"
"xmodmap"
"xorg-server"
"xrandr"
"xrdb"
"xsel"
"xset"
"kmonad"
"xss-lock"
"xterm"
"xf86-video-intel"
))
%base-packages))
(setuid-programs (cons (file-append qemu "/libexec/qemu-bridge-helper")
%setuid-programs))
(services (cons*
(service openssh-service-type
(openssh-configuration
(port-number 8444)
(permit-root-login 'without-password)
))
(service tor-service-type)
(simple-service 'store-my-config
etc-service-type
`(("config.scm"
,(local-file (assoc-ref
(current-source-location)
'filename)))))
(service cups-service-type
(cups-configuration
(web-interface? #t)
(extensions
(list cups-filters hplip))))
(screen-locker-service slock "slock")
(service tlp-service-type
(tlp-configuration
;; TODO: enable autosuspend and blacklist certain
;; usb devices.
(usb-autosuspend? #f)))
(service thermald-service-type)
(service gpm-service-type)
(service docker-service-type)
(service libvirt-service-type
(libvirt-configuration
(unix-sock-group "libvirt")))
(service virtlog-service-type)
(service sysctl-service-type
(sysctl-configuration
(settings '(
("net.ipv4.ip_forward" . "1")
("vm.swappiness" . "05")
))))
(extra-special-file "/usr/bin/env"
(file-append coreutils "/bin/env"))
firewall-service
(service prometheus-node-exporter-service-type
(prometheus-node-exporter-configuration
(web-listen-address ":9100")))
(service slim-service-type
(slim-configuration
(auto-login? #t)
(default-user "ds")
;; (auto-login-session #f)
(xorg-configuration
(xorg-configuration
(drivers '("modesetting"))
))
))
(remove (lambda (service)
(eq? (service-kind service) avahi-service-type))
(remove (lambda (service)
(eq? (service-kind service) gdm-service-type))
(modify-services %desktop-services
(network-manager-service-type
config => (network-manager-configuration
(inherit config)
(dns "dnsmasq")
(vpn-plugins (list network-manager-openconnect))
))
(udev-service-type
config => (udev-configuration
(inherit config)
(rules (append (udev-configuration-rules config)
(list %backlight-udev-rule android-udev-rules kmonad)))))
(login-service-type
config => (login-configuration
(inherit config)
(motd %motd)))))))))
--8<---------------cut here---------------end--------------->8---
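The NetworkManager audit records quoted in the message above carry op, pid, uid, result and reason as key=value pairs. As an added example (not part of the original message and not NetworkManager code), the following Python parses such lines and summarises the operations that were refused, which is the quickest way to see which caller and which operation the authorization check rejected. The function names are assumptions; the sample lines are copied from the message.

```python
import re
from collections import Counter

# Constructed sample input: two audit records and one non-audit line
# reproduced from the message above so the block runs offline.
SAMPLE_LOG = """\
Apr 12 21:32:20 swift NetworkManager[385]: <info> [1586719940.8362] audit: op="connection-add" pid=2616 uid=1000 result="fail" reason="Insufficient privileges."
Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.6976] audit: op="connection-activate" uuid="40441d34-5290-4631-8796-5fb57d0f1bf2" name="vpn-fnb-2fa" pid=12530 uid=1000 result="success"
Apr 12 21:20:33 swift NetworkManager[360]: <info> [1586719233.2234] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: VPN plugin: state changed: stopped (6)
"""

# Daemon name and PID, log level, epoch timestamp, then the audit payload.
AUDIT_RE = re.compile(
    r'NetworkManager\[(?P<daemon_pid>\d+)\]:\s+<(?P<level>\w+)>\s+'
    r'\[(?P<ts>\d+\.\d+)\]\s+audit:\s+(?P<body>.*)$'
)
# key="quoted value" or key=bare-value; keys may contain '-'.
FIELD_RE = re.compile(r'([\w-]+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_audit_line(line):
    """Return a dict for an audit record, or None for any other log line."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    record = {"daemon_pid": int(m["daemon_pid"]), "timestamp": float(m["ts"])}
    for key, quoted, bare in FIELD_RE.findall(m["body"]):
        record[key] = quoted or bare
    # pid and uid identify the requesting client, not the daemon.
    for key in ("pid", "uid"):
        if isinstance(record.get(key), str) and record[key].isdigit():
            record[key] = int(record[key])
    return record


def failed_operations(lines):
    """Audit records whose result is anything other than "success"."""
    records = (parse_audit_line(line) for line in lines)
    return [r for r in records if r and r.get("result") != "success"]


def denial_summary(lines):
    """Count refused operations per (uid, op, reason)."""
    return Counter(
        (r.get("uid"), r.get("op"), r.get("reason", ""))
        for r in failed_operations(lines)
    )


if __name__ == "__main__":
    for (uid, op, reason), count in denial_summary(SAMPLE_LOG.splitlines()).items():
        print(f"uid={uid} op={op} refused {count}x: {reason}")
```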
* Getting network-manager-openconnect to work
@ 2019-09-10 9:57 Divan Santana
2019-09-10 11:21 ` pelzflorian (Florian Pelz)
From: Divan Santana @ 2019-09-10 9:57 UTC
To: Help guix
Hi Guix,
I'm glad openconnect and network-manager-openconnect are now in Guix!
It would be nice to get it to work via network-manager, though I suppose
it's not essential.
Using openconnect directly works for me.
$ sudo openconnect vpn.somewhere.com
Trying to get it to work via network-manager gives an error like so:
$ sudo nmcli con up vpn-fnb --ask
Error: openconnect failed: Could not find "openconnect" binary
A password is required to connect to 'vpn-fnb'.
Gateway (vpn.secrets.gateway):
Even though my services configuration has this vpn-plugins set.
(modify-services %desktop-services
(network-manager-service-type
config => (network-manager-configuration
(inherit config)
(dns "dnsmasq")
(vpn-plugins (list network-manager-openconnect))
))
Anyone else seen this?
* Getting network-manager-openconnect to work
2019-09-10 9:57 Divan Santana
@ 2019-09-10 11:21 ` pelzflorian (Florian Pelz)
2019-09-11 20:46 ` Ludovic Courtès
From: pelzflorian (Florian Pelz) @ 2019-09-10 11:21 UTC
To: Divan Santana; +Cc: bug-guix, Help guix
On Tue, Sep 10, 2019 at 11:57:11AM +0200, Divan Santana wrote:
> Hi Guix,
>
> I'm glad openconnect and network-manager-openconnect are now in Guix!
>
> It would be nice to get it to work via network-manager, though I suppose
> it's not essential.
>
> Using openconnect directly works for me.
>
> $ sudo openconnect vpn.somewhere.com
>
> Trying to get it to work via network-manager gives an error like so:
>
> $ sudo nmcli con up vpn-fnb --ask
> Error: openconnect failed: Could not find "openconnect" binary
> A password is required to connect to 'vpn-fnb'.
> Gateway (vpn.secrets.gateway):
>
> Even though my services configuration has this vpn-plugins set.
>
> (modify-services %desktop-services
> (network-manager-service-type
> config => (network-manager-configuration
> (inherit config)
> (dns "dnsmasq")
> (vpn-plugins (list network-manager-openconnect))
> ))
>
> Anyone else seen this?
Cc’ing bug-guix@gnu.org
I suspect something like the attached patch would help (and expand the
closure of network-manager to always include openconnect).
To test, follow section “Building from Git” from the manual or Laura’s
video 04-packaging-part-one.webm from
<https://lists.gnu.org/archive/html/guix-devel/2019-07/msg00249.html>,
but after the initial clone command, do
git apply the-attached.patch
Then after make, do
sudo -E ./pre-inst-env guix system reconfigure /etc/config.scm
(or whatever your configuration file is called). I cannot test right
now and have never used openconnect. It is quite possible I made a
mistake.
Regards,
Florian
[-- Attachment #2: 0001-gnu-network-manager-Enable-openconnect-helper.patch --]
[-- Type: text/plain, Size: 1520 bytes --]
From 8de7675a2dc2c1385d312e35136f8fa9eb4f9825 Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Tue, 10 Sep 2019 12:59:19 +0200
Subject: [PATCH] gnu: network-manager: Enable openconnect helper.
* gnu/packages/gnome.scm (network-manager): Add openconnect input.
Patch source to use it instead of searching /usr/bin.
---
gnu/packages/gnome.scm | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index efe5206e53..a6ea09d8f6 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -5372,6 +5372,13 @@ users.")
(("src/devices/tests/test-lldp") " ")
(("src/tests/test-route-manager-linux") " "))
#t))
+ (add-after 'unpack 'patch-source
+ (lambda* (#:key inputs #:allow-other-keys)
+ (begin
+ (substitute* "clients/common/nm-vpn-helpers.c"
+ (("\\\"/usr/sbin/openconnect\\\"")
+ (string-append openconnect "\"/bin/openconnect\"")))
+ #t)))
(add-after 'unpack 'delete-failing-tests
(lambda _
;; FIXME: These four tests fail for unknown reasons.
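Review bot: In the added 'patch-source phase, (string-append openconnect "\"/bin/openconnect\"") uses openconnect without binding it from inputs, so inside the phase it is either unbound or the package object rather than a store path string, and string-append cannot take it. The opening quote is also placed after the prefix, so the substitution would write <prefix>"/bin/openconnect" into the C source instead of a single quoted string literal. Bind the path with (assoc-ref inputs "openconnect") and emit the opening \" before it; the begin wrapper is not needed inside lambda*.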
@@ -5434,6 +5441,7 @@ users.")
("libsoup" ,libsoup)
("modem-manager" ,modem-manager)
("newt" ,newt) ;for the 'nmtui' console interface
+ ("openconnect" ,openconnect)
("polkit" ,polkit)
("ppp" ,ppp)
("readline" ,readline)
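Review bot: The new ("openconnect" ,openconnect) input relies on the openconnect variable being visible in gnu/packages/gnome.scm, but the diffstat shows 8 insertions and neither hunk adds a #:use-module line. Confirm that the file already imports the module that defines openconnect; if it does not, add that import in the same patch.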
--
2.23.0
* Re: Getting network-manager-openconnect to work
2019-09-10 11:21 ` pelzflorian (Florian Pelz)
@ 2019-09-11 20:46 ` Ludovic Courtès
2019-09-12 5:34 ` pelzflorian (Florian Pelz)
From: Ludovic Courtès @ 2019-09-11 20:46 UTC
To: pelzflorian (Florian Pelz); +Cc: Help guix, Divan Santana, bug-guix
Hi Florian,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> From 8de7675a2dc2c1385d312e35136f8fa9eb4f9825 Mon Sep 17 00:00:00 2001
> From: Florian Pelz <pelzflorian@pelzflorian.de>
> Date: Tue, 10 Sep 2019 12:59:19 +0200
> Subject: [PATCH] gnu: network-manager: Enable openconnect helper.
>
> * gnu/packages/gnome.scm (network-manager): Add openconnect input.
> Patch source to use it instead of searching /usr/bin.
> ---
> gnu/packages/gnome.scm | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
> index efe5206e53..a6ea09d8f6 100644
> --- a/gnu/packages/gnome.scm
> +++ b/gnu/packages/gnome.scm
> @@ -5372,6 +5372,13 @@ users.")
> (("src/devices/tests/test-lldp") " ")
> (("src/tests/test-route-manager-linux") " "))
> #t))
> + (add-after 'unpack 'patch-source
> + (lambda* (#:key inputs #:allow-other-keys)
> + (begin
> + (substitute* "clients/common/nm-vpn-helpers.c"
> + (("\\\"/usr/sbin/openconnect\\\"")
> + (string-append openconnect "\"/bin/openconnect\"")))
> + #t)))
> (add-after 'unpack 'delete-failing-tests
> (lambda _
> ;; FIXME: These four tests fail for unknown reasons.
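Review bot: The commit log says the source is patched "instead of searching /usr/bin", but the pattern in the substitute* call matches "/usr/sbin/openconnect" and the replacement points at /bin/openconnect under the new prefix. Align the log with the path that is actually replaced, and state which directory of the openconnect output holds the binary.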
> @@ -5434,6 +5441,7 @@ users.")
> ("libsoup" ,libsoup)
> ("modem-manager" ,modem-manager)
> ("newt" ,newt) ;for the 'nmtui' console interface
> + ("openconnect" ,openconnect)
Something I don’t get: why does NM itself know about openconnect?
There’s a network-manager-openconnect plugin, so I would expect
everything openconnect to happen there. Do you know why it’s not that
way?
Thanks,
Ludo’.
* Re: Getting network-manager-openconnect to work
2019-09-11 20:46 ` Ludovic Courtès
@ 2019-09-12 5:34 ` pelzflorian (Florian Pelz)
2019-09-16 15:57 ` Ludovic Courtès
From: pelzflorian (Florian Pelz) @ 2019-09-12 5:34 UTC
To: Ludovic Courtès; +Cc: Help guix, Divan Santana, bug-guix
On Wed, Sep 11, 2019 at 10:46:56PM +0200, Ludovic Courtès wrote:
> Something I don’t get: why does NM itself know about openconnect?
>
> There’s a network-manager-openconnect plugin, so I would expect
> everything openconnect to happen there. Do you know why it’s not that
> way?
>
> Thanks,
> Ludo’.
I don’t know. The patch addresses (if it works) a function called
nm_vpn_openconnect_authenticate_helper within the code for
NetworkManager clients like nmtui, probably also nm-connection-editor,
that calls openconnect --authenticate.
Perhaps the network manager service could symlink the openconnect
binary to the plugins directory when used and NetworkManager could be
made to look there, but it would be nice to know if the current patch
works.
Regards,
Florian
* Re: Getting network-manager-openconnect to work
2019-09-12 5:34 ` pelzflorian (Florian Pelz)
@ 2019-09-16 15:57 ` Ludovic Courtès
2019-09-16 16:06 ` pelzflorian (Florian Pelz)
From: Ludovic Courtès @ 2019-09-16 15:57 UTC
To: pelzflorian (Florian Pelz); +Cc: Help guix, Divan Santana, bug-guix
Hi Florian,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
> On Wed, Sep 11, 2019 at 10:46:56PM +0200, Ludovic Courtès wrote:
>> Something I don’t get: why does NM itself know about openconnect?
>>
>> There’s a network-manager-openconnect plugin, so I would expect
>> everything openconnect to happen there. Do you know why it’s not that
>> way?
>>
>> Thanks,
>> Ludo’.
>
> I don’t know. The patch addresses (if it works) a function called
> nm_vpn_openconnect_authenticate_helper within the code for
> NetworkManager clients like nmtui, probably also nm-connection-editor,
> that calls openconnect --authenticate.
So I guess we first need someone to tell us whether the patch “works”,
as you wrote, right? :-)
Ludo’.
* Re: Getting network-manager-openconnect to work
2019-09-16 15:57 ` Ludovic Courtès
@ 2019-09-16 16:06 ` pelzflorian (Florian Pelz)
From: pelzflorian (Florian Pelz) @ 2019-09-16 16:06 UTC
To: Ludovic Courtès; +Cc: Help guix, Divan Santana, bug-guix
On Mon, Sep 16, 2019 at 05:57:51PM +0200, Ludovic Courtès wrote:
> So I guess we first need someone to tell us whether the patch “works”,
> as you wrote, right? :-)
>
> Ludo’.
Currently I have built the attached patch, but NetworkManager
segfaults when connecting, and I try to debug why.
Regards,
Florian
[-- Attachment #2: 0001-gnu-network-manager-Enable-openconnect-helper.patch --]
[-- Type: text/plain, Size: 1571 bytes --]
From 1efadd4619f397429d5fae024b46cd8100870c42 Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Mon, 16 Sep 2019 15:27:01 +0200
Subject: [PATCH] gnu: network-manager: Enable openconnect helper.
* gnu/packages/gnome.scm (network-manager): Add openconnect input.
Patch source to use it instead of searching /usr/bin.
---
gnu/packages/gnome.scm | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 5dc18b3bb5..a8ba00965d 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -5374,6 +5374,13 @@ users.")
(("src/devices/tests/test-lldp") " ")
(("src/tests/test-route-manager-linux") " "))
#t))
+ (add-after 'unpack 'patch-source
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((openconnect (assoc-ref inputs "openconnect")))
+ (substitute* "clients/common/nm-vpn-helpers.c"
+ (("\\\"/usr/sbin/openconnect\\\"")
+ (string-append "\"" openconnect "/sbin/openconnect\"")))
+ #t)))
(add-after 'unpack 'delete-failing-tests
(lambda _
;; FIXME: These four tests fail for unknown reasons.
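Review bot: The replacement in the substitute* call now targets /sbin/openconnect under the input's store path, where the earlier revision used /bin/openconnect, and nothing in the phase checks that this file exists or that the "/usr/sbin/openconnect" pattern matched anything in clients/common/nm-vpn-helpers.c. substitute* leaves the file unchanged without raising an error when there is no match, so an upstream change to the hardcoded path would silently produce a client that still cannot find the helper. Add a check after the substitution that the store path appears in the file and that the referenced binary exists, so that case fails the build.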
@@ -5436,6 +5443,7 @@ users.")
("libsoup" ,libsoup)
("modem-manager" ,modem-manager)
("newt" ,newt) ;for the 'nmtui' console interface
+ ("openconnect" ,openconnect)
("polkit" ,polkit)
("ppp" ,ppp)
("readline" ,readline)
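Review bot: Listing openconnect among the network-manager inputs puts it in the closure of every network-manager installation, including systems that never enable the openconnect plugin through vpn-plugins. Say so in the commit log and add a trailing comment on the new line explaining why the input is needed, as the neighbouring newt line does with ";for the 'nmtui' console interface".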
--
2.23.0