#1 2019-05-27 09:07:43

wehlutyk
Member
From: Lyon, France
Registered: 2019-05-27
Posts: 4

[SOLVED] NetworkManager doesn't find keyring secrets without nm-applet

Dear all, first of all thanks for the amazing system, wiki, and forums! Been using Arch for a few years and it's been a blast being able to understand what is going on in my system.

My situation

  • I have Sway (and Gnome shell) installed, I log in to Sway using GDM

  • gnome-keyring is running after logging in to Sway (I didn't configure that), and my login keyring is successfully unlocked by GDM on login, as I can read the secrets in seahorse. Here is "journalctl -fe" while opening seahorse:

    May 27 10:42:54 keon systemd[552]: Started GnuPG cryptographic agent and passphrase cache.
    May 27 10:42:54 keon gpg-agent[2437]: gpg-agent (GnuPG) 2.2.15 starting in supervised mode.
    May 27 10:42:54 keon gpg-agent[2437]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
    May 27 10:42:54 keon gpg-agent[2437]: using fd 4 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
    May 27 10:42:54 keon gpg-agent[2437]: using fd 5 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
    May 27 10:42:54 keon gpg-agent[2437]: using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
    May 27 10:42:54 keon gpg-agent[2437]: listening on: std=6 extra=5 browser=4 ssh=3

  • NetworkManager is running after logging in to Sway (I didn't configure that), and I can connect to any wifi whose password is in /etc/NetworkManager/system-connections/

My problem

I want to connect to a WPA2 Enterprise Wifi network (eduroam, PEAP/MSCHAPv2), and the password is stored in Gnome Keyring (login keyring).

  • Gnome Shell connects automatically to this network after login

  • If I log in to Gnome, then log out, then log in to Sway, NetworkManager has connected me to eduroam (and has done so since I logged in to Gnome, as I can see it still connected on the GDM login screen).

  • However if I log in to Sway straight after booting, NetworkManager doesn't find the password ("no secrets: No agents were available for this request.", see logs below). Here is "journalctl -fe" while running "nmcli device wifi connect eduroam" (which answers back "Error: Connection activation failed: (7) Secrets were required, but not provided."):

    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.1872] device (wlp58s0): Activation: starting connection 'eduroam' (d48098a9-ce7b-421c-904e-abc14476068e)
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.1874] audit: op="connection-activate" uuid="d48098a9-ce7b-421c-904e-abc14476068e" name="eduroam" pid=2699 uid=1000 result="success"
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.1875] device (wlp58s0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:32 keon audit[443]: USYS_CONFIG pid=443 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-activate uuid=d48098a9-ce7b-421c-904e-abc14476068e name="eduroam" pid=2699 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.1910] device (wlp58s0): set-hw-addr: reset MAC address to 9C:B6:D0:F2:7D:2F (preserve)
    May 27 10:43:32 keon kernel: audit: type=1111 audit(1558946612.182:56): pid=443 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-activate uuid=d48098a9-ce7b-421c-904e-abc14476068e name="eduroam" pid=2699 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2020] device (wlp58s0): supplicant interface state: inactive -> disabled
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2020] device (p2p-dev-wlp58s0): supplicant management interface state: inactive -> disabled
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2021] device (wlp58s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2023] device (wlp58s0): Activation: (wifi) access point 'eduroam' has security, but secrets are required.
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2023] device (wlp58s0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:32 keon NetworkManager[443]: <warn>  [1558946612.2036] device (wlp58s0): no secrets: No agents were available for this request.
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2036] device (wlp58s0): state change: need-auth -> failed (reason 'no-secrets', sys-iface-state: 'managed')
    May 27 10:43:32 keon NetworkManager[443]: <warn>  [1558946612.2040] device (wlp58s0): Activation: failed for connection 'eduroam'
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2042] device (wlp58s0): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.2052] device (wlp58s0): set-hw-addr: set MAC address to 9E:C7:6B:27:E5:26 (scanning)
    May 27 10:43:32 keon kernel: IPv6: ADDRCONF(NETDEV_UP): wlp58s0: link is not ready
    May 27 10:43:32 keon kernel: IPv6: ADDRCONF(NETDEV_UP): wlp58s0: link is not ready
    May 27 10:43:32 keon kernel: IPv6: ADDRCONF(NETDEV_UP): wlp58s0: link is not ready
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.4191] device (wlp58s0): supplicant interface state: disabled -> inactive
    May 27 10:43:32 keon NetworkManager[443]: <info>  [1558946612.4197] device (p2p-dev-wlp58s0): supplicant management interface state: disabled -> inactive
    May 27 10:43:32 keon wpa_supplicant[519]: wlp58s0: Reject scan trigger since one is already pending

  • But (still logging in to Sway straight after booting), if I start nm-applet on the command line (which gives no cli output and shows no tray icon), NetworkManager suddenly connects to eduroam. Again "journalctl -fe" while running "nm-applet":

    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9686] agent-manager: req[0x5626271add40, :1.330/org.freedesktop.nm-applet/1000]: agent registered
    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9688] policy: auto-activating connection 'eduroam' (d48098a9-ce7b-421c-904e-abc14476068e)
    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9696] device (wlp58s0): Activation: starting connection 'eduroam' (d48098a9-ce7b-421c-904e-abc14476068e)
    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9697] device (wlp58s0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9737] device (wlp58s0): set-hw-addr: reset MAC address to 9C:B6:D0:F2:7D:2F (preserve)
    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9825] device (wlp58s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9828] device (wlp58s0): Activation: (wifi) access point 'eduroam' has security, but secrets are required.
    May 27 10:43:52 keon NetworkManager[443]: <info>  [1558946632.9829] device (wlp58s0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:52 keon kernel: IPv6: ADDRCONF(NETDEV_UP): wlp58s0: link is not ready
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0023] device (wlp58s0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0026] device (wlp58s0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0028] device (wlp58s0): Activation: (wifi) connection 'eduroam' has security, and secrets exist.  No new secrets needed.
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'ssid' value 'eduroam'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'scan_ssid' value '1'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'bgscan' value 'simple:30:-65:300'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'key_mgmt' value 'WPA-EAP WPA-EAP-SHA256'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'password' value '<hidden>'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'eap' value 'PEAP'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'fragment_size' value '1266'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'phase2' value 'auth=MSCHAPV2'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0029] Config: added 'ca_cert' value '/home/sl/.cat_installer/ca.pem'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0030] Config: added 'identity' value 'slerique@ens-lyon.fr'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.0030] Config: added 'proactive_key_caching' value '1'
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.1183] device (wlp58s0): supplicant interface state: inactive -> disconnected
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.1184] device (p2p-dev-wlp58s0): supplicant management interface state: inactive -> disconnected
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.1223] device (wlp58s0): supplicant interface state: disconnected -> inactive
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.1225] device (p2p-dev-wlp58s0): supplicant management interface state: disconnected -> inactive
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.1295] device (wlp58s0): supplicant interface state: inactive -> scanning
    May 27 10:43:53 keon NetworkManager[443]: <info>  [1558946633.1296] device (p2p-dev-wlp58s0): supplicant management interface state: inactive -> scanning
    May 27 10:43:53 keon wpa_supplicant[519]: wlp58s0: CTRL-EVENT-REGDOM-CHANGE init=BEACON_HINT type=UNKNOWN
    May 27 10:43:57 keon wpa_supplicant[519]: wlp58s0: SME: Trying to authenticate with 00:9e:1e:05:db:40 (SSID='eduroam' freq=5660 MHz)
    May 27 10:43:57 keon kernel: wlp58s0: authenticate with 00:9e:1e:05:db:40
    May 27 10:43:58 keon NetworkManager[443]: <info>  [1558946638.0214] device (wlp58s0): supplicant interface state: scanning -> authenticating
    May 27 10:43:58 keon NetworkManager[443]: <info>  [1558946638.0214] device (p2p-dev-wlp58s0): supplicant management interface state: scanning -> authenticating
    May 27 10:43:58 keon wpa_supplicant[519]: wlp58s0: Trying to associate with 00:9e:1e:05:db:40 (SSID='eduroam' freq=5660 MHz)
    May 27 10:43:58 keon kernel: wlp58s0: send auth to 00:9e:1e:05:db:40 (try 1/3)
    May 27 10:43:58 keon kernel: wlp58s0: authenticated

So my question: under Sway, why doesn't NetworkManager find the keyring secrets without using nm-applet? (and how can I diagnose more?)

I have tried

  • Everything (or so I think) listed on the GNOME/Keyring and NetworkManager wiki pages.

  • Searching the Web, and found no similar problem online

  • Searching the forum for "networkmanager + keyring", again to no avail

More info

  • I set SSH_AUTH_SOCK for cli apps in my oh-my-fish config (.config/omf/init.fish):

    if [ -n "$DESKTOP_SESSION" ];
        eval (gnome-keyring-daemon --start | sed 's/\(.*\)=\(.*\)/set -gx \1 \2;/')
    end

  • I set SSH_AUTH_SOCK for all apps in .config/environment.d/envvars.conf:

    SSH_AUTH_SOCK="/run/user/1000/keyring/ssh"

  • My understanding is that anyway this shouldn't matter, as NetworkManager communicates with libsecret through D-Bus

  • Here is /etc/NetworkManager/system-connections/eduroam:

    [connection]
    id=eduroam
    uuid=d48098a9-ce7b-421c-904e-abc14476068e
    type=wifi
    permissions=
    timestamp=1558728783
    
    [wifi]
    mac-address=9C:B6:D0:F2:7D:2F
    mac-address-blacklist=
    mode=infrastructure
    seen-bssids=<long list of MAC addresses>
    ssid=eduroam
    
    [wifi-security]
    key-mgmt=wpa-eap
    
    [802-1x]
    ca-cert=/home/sl/.cat_installer/ca.pem
    eap=peap;
    identity=<my university email>
    password-flags=1
    phase2-auth=mschapv2
    
    [ipv4]
    dns-search=
    method=auto
    
    [ipv6]
    addr-gen-mode=stable-privacy
    dns-search=
    ip6-privacy=0
    method=auto

Thank you for any help!

Last edited by wehlutyk (2019-05-27 13:10:11)

#2 2019-05-27 10:50:38

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,229

Re: [SOLVED] NetworkManager doesn't find keyring secrets without nm-applet

Welcome to the boards, excellent first post, shows some good research.

wehlutyk wrote:
  • My understanding is that anyway this shouldn't matter, as NetworkManager communicates with libsecret through D-Bus

nm-applet is what links to libsecret, everything works as it's supposed to here. I don't think this is simply something you can configure away, apart from setting up as a system-connection.

FWIW I'd configure some sway autostart to start up nm-applet so that this relation is established

Last edited by V1del (2019-05-27 10:56:00)

#3 2019-05-27 10:58:46

wehlutyk
Member
From: Lyon, France
Registered: 2019-05-27
Posts: 4

Re: [SOLVED] NetworkManager doesn't find keyring secrets without nm-applet

Thanks for the quick reply and the kind words :)

Makes sense. So how would I go about connecting in the terminal only (and using the gnome-keyring secret)? nmcli and nmtui don't see the keyring either, and having to start nm-applet seems a bit off if I want to stay terminal-based (say I'm without graphical interface).

#4 2019-05-27 11:04:22

wehlutyk
Member
From: Lyon, France
Registered: 2019-05-27
Posts: 4

Re: [SOLVED] NetworkManager doesn't find keyring secrets without nm-applet

I forgot to mention that nm-connection-editor also doesn't find the secrets: when I edit the eduroam configuration, the password field is blank (not the case in Gnome) -- meaning I have to reenter it if I want to change something.

#5 2019-05-27 11:22:39

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 23,229

Re: [SOLVED] NetworkManager doesn't find keyring secrets without nm-applet

nm-applet has to be started, all the other tools do not know about gnome-keyring, or find out what it is that gnome-shell starts up, might be some simple DBUS daemon. I don't use gnome so I can't be of much more help here, FWIW it works the same on KDE, its kwallet keyring is only directly supported by the KDE provided plasma-nm, which has to be started as well.

#6 2019-05-27 13:08:50

wehlutyk
Member
From: Lyon, France
Registered: 2019-05-27
Posts: 4

Re: [SOLVED] NetworkManager doesn't find keyring secrets without nm-applet

I see — I hadn't imagined running nm-applet would affect the cli interfaces' ability to read/edit the keyring. I feel this could be worth emphasizing in the NetworkManager wiki page → see Talk:NetworkManager#Explain that encrypting passwords requires nm-applet (or equivalent?) to be running.

Marking as solved then. Thanks again!
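
The keyfile in post #1 sets `password-flags=1`, the NetworkManager secret flag for an agent-owned secret: the daemon asks a registered secret agent for the password instead of reading it from the keyfile, which is why activation fails with "No agents were available" until nm-applet registers. As an added example (not code from this thread or from NetworkManager), the script below audits keyfile text for where each secret is expected to live; the `HOME` profile, the `SECRET_KEYS` list and the function names are assumptions made for the illustration.

```python
import configparser

# NMSettingSecretFlags bits used by "<secret>-flags" keys in a keyfile.
AGENT_OWNED, NOT_SAVED, NOT_REQUIRED = 0x1, 0x2, 0x4
# Secrets looked for when no "-flags" key exists (short, non-exhaustive list).
SECRET_KEYS = {"psk", "password", "private-key-password"}

# Constructed samples: the [802-1x] section from post #1 and a hypothetical PSK profile.
EDUROAM = """[802-1x]
eap=peap;
password-flags=1
phase2-auth=mschapv2
"""
HOME = """[wifi-security]
key-mgmt=wpa-psk
psk=constructed-example-psk
"""

def audit_secrets(keyfile_text):
    """Map "section.secret" to who is expected to hold that secret."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    result = {}
    for section in cp.sections():
        opts = cp[section]
        names = {k[:-len("-flags")] for k in opts if k.endswith("-flags")}
        names |= SECRET_KEYS & set(opts)
        for name in sorted(names):
            flags = int(opts.get(name + "-flags", fallback="0"))
            if flags & NOT_REQUIRED:
                owner = "not-required"
            elif flags & NOT_SAVED:
                owner = "not-saved"      # asked for on every activation
            elif flags & AGENT_OWNED:
                owner = "agent-owned"    # held by a user agent, e.g. a keyring
            else:
                owner = "system-owned"   # stored in the keyfile itself
            result[f"{section}.{name}"] = owner
    return result

def needs_agent(keyfile_text):
    """True if activation depends on a secret agent being registered."""
    owners = audit_secrets(keyfile_text).values()
    return any(o in ("agent-owned", "not-saved") for o in owners)

if __name__ == "__main__":
    for text in (EDUROAM, HOME):
        print(audit_secrets(text), needs_agent(text))
```

A system-owned secret needs no agent but sits in the keyfile under /etc/NetworkManager/system-connections/, so the choice is between agent availability and where the password is stored at rest.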