Bug 1287210

Summary:	Provide compile-time default for AFS Login program
Product:	[Fedora] Fedora	Reporter:	Shawn K. O'Shea <shawn>
Component:	kstart	Assignee:	Ken Dreyer <ktdreyer>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	ktdreyer, simon
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	kstart-4.1-8.el5	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-01-07 17:53:26 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Shawn K. O'Shea 2015-12-01 18:47:41 UTC

Description of problem:
The k5start/krenew executables in the kstart package have built-in support for obtaining an AFS token using the Kerberos ticket acquired by the program, and a specified AFS login application. Two AFS login apps are supported, the MIT Kerberos-based aklog (comes from OpenAFS project) or the Heimdal Kerberos-based afslog (provided by Heimdal Kerberos itself).

The configure script searches for these two programs, and if missing, sets the default path to the null string, "", in config.h.  There is no readily available package to BuildDepend on to provide either of these programs, so the Koji builds fail to find either and set this null default. At this point, if you request an AFS token with the "-t" option to the program, it will always fail and spit usage (by default). In order to use the functionality then, you must provide the program via the AKLOG environment variable. 
(e.g. in https://kojipkgs.fedoraproject.org/packages/kstart/4.1/7.fc23/data/logs/x86_64/build.log 
checking for aklog... no
checking for afslog... no  )

The goal of this bug is to request that a compile-time default of /usr/bin/aklog be provided as part of the configure call (add to configure options: --with-aklog=/usr/bin/aklog ). This will provide a "sane" default, and the AKLOG environment variable still provides a method to override this default. The command is only invoked when you request AFS token issuance (-t option) and will error with a "No such file or directory" of /usr/bin/aklog is not installed.

Version-Release number of selected component (if applicable):
Applies to all current releases of the kstart package in Fedora and Fedora EPEL (most recent in rawhide being 4.1-7.fc23).

How reproducible:
Always

Steps to Reproduce:
1. Install kstart package ( dnf install -y kstart / yum install -y kstart )
2. Try to run k5start with -t option: k5start -t
3. Receive error stating to specify aklog program with AKLOG variable.

Actual results:
bash-4.2$ k5start -t
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
k5start: set AKLOG to specify the path to aklog
bash-4.2$ AKLOG=/usr/bin/aklog k5start -t
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
Password for XXXUSERXXX@XXXREALMXXX: 

If the specified program (whether compiled in by default or specified by the AKLOG env) does not exist, k5start returns an error:
bash-4.2$ AKLOG=/bin/XXXXX k5start -t
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
Password for XXXUSERXXX@XXXREALMXXX: 
sh: /bin/XXXXX: No such file or directory


Expected results:
After authenticating to the realm, "k5start -t" should return with exit status 0 (you need to use a keytab file to execute commands in the Kerberos/AFS authenticated environment created and this example reproduction steps are simply prompting for Kerberos authentication only and then exiting)
Example from Ubuntu 14.04 LTS
$ k5start -t 
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
Password for XXXUSERXXX@XXXREALMXXX: 
$ echo $?
0


Additional info:
I consider this a "user expectation" bug, but I can also understand an argument for this as a "request for enhancement". By "user expectation", I mostly mean that if I request (with the -t option) to run a program to get an AFS token, that I would expect a reasonable default to be attempted, not be told that "you can't do that without explicitly setting an environment variable." Fedora and other RedHat-ish distros ship with MIT Kerberos, so it seems reasonable (to me at least) to provide the MIT-Kerberized aklog as the compile-time default, which can always be overridden with the AKLOG environment variable (due to alternate path for aklog, use of afslog, or of some other program).

By way of comparison, Debian, Ubuntu and OpenSuSE all provide this configure option by default (all without requiring or build-requiring an AFS package). See Debian source [1], Ubuntu source [2] and openSuSE source [3].


[1] https://sources.debian.net/src/kstart/4.1-3/debian/rules/
[2] http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/kstart/wily/view/head:/debian/rules
]3] https://build.opensuse.org/package/view_file/network/kstart/kstart.spec?expand=1

Comment 1 Ken Dreyer 2015-12-01 19:30:55 UTC

Let's use --with-aklog, as we already do in Fedora's pam_afs_session.

Comment 2 Ken Dreyer 2015-12-01 19:36:29 UTC

change in dist-git for Rawhide: http://pkgs.fedoraproject.org/cgit/kstart.git/commit/?id=f5d6a14fb1539ed712a416413a2f79a6e30386c7

Comment 3 Fedora Update System 2015-12-01 19:46:16 UTC

kstart-4.1-8.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-0bc1161afd

Comment 4 Fedora Update System 2015-12-01 19:46:39 UTC

kstart-4.1-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-c2ab57aefd

Comment 5 Fedora Update System 2015-12-01 19:47:02 UTC

kstart-4.1-8.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8f7b599498

Comment 6 Fedora Update System 2015-12-01 19:48:23 UTC

kstart-4.1-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a80c662c18

Comment 7 Fedora Update System 2015-12-01 19:48:44 UTC

kstart-4.1-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8799e3640

Comment 8 Fedora Update System 2015-12-03 02:16:09 UTC

kstart-4.1-8.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8f7b599498

Comment 9 Fedora Update System 2015-12-03 04:20:45 UTC

kstart-4.1-8.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-0bc1161afd

Comment 10 Fedora Update System 2015-12-03 16:02:37 UTC

kstart-4.1-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-a80c662c18

Comment 11 Fedora Update System 2015-12-03 17:19:31 UTC

kstart-4.1-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-c2ab57aefd

Comment 12 Fedora Update System 2015-12-04 01:38:01 UTC

kstart-4.1-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8799e3640

Comment 13 Fedora Update System 2016-01-07 17:53:21 UTC

kstart-4.1-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-01-07 19:28:23 UTC

kstart-4.1-8.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-01-07 19:57:01 UTC

kstart-4.1-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-01-07 19:57:08 UTC

kstart-4.1-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2016-01-08 03:28:49 UTC

kstart-4.1-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.