Bug 1287210 - Provide compile-time default for AFS Login program
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kstart
Version: rawhide
Hardware: All Linux
Priority: unspecified
Severity: medium
Assigned To: Ken Dreyer
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-01 13:47 EST by Shawn K. O'Shea
Modified: 2016-01-07 22:28 EST
Fixed In Version: kstart-4.1-8.el5
Doc Type: Bug Fix
Last Closed: 2016-01-07 12:53:26 EST
Type: Bug
Description Shawn K. O'Shea 2015-12-01 13:47:41 EST
Description of problem:
The k5start/krenew executables in the kstart package have built-in support for obtaining an AFS token using the Kerberos ticket acquired by the program, and a specified AFS login application. Two AFS login apps are supported, the MIT Kerberos-based aklog (comes from OpenAFS project) or the Heimdal Kerberos-based afslog (provided by Heimdal Kerberos itself).

The configure script searches for these two programs, and if missing, sets the default path to the null string, "", in config.h.  There is no readily available package to BuildDepend on to provide either of these programs, so the Koji builds fail to find either and set this null default. At this point, if you request an AFS token with the "-t" option to the program, it will always fail and spit usage (by default). In order to use the functionality then, you must provide the program via the AKLOG environment variable. 
(e.g. in https://kojipkgs.fedoraproject.org/packages/kstart/4.1/7.fc23/data/logs/x86_64/build.log 
checking for aklog... no
checking for afslog... no  )

The goal of this bug is to request that a compile-time default of /usr/bin/aklog be provided as part of the configure call (add to configure options: --with-aklog=/usr/bin/aklog ). This will provide a "sane" default, and the AKLOG environment variable still provides a method to override this default. The command is only invoked when you request AFS token issuance (-t option) and will error with a "No such file or directory" if /usr/bin/aklog is not installed.

Version-Release number of selected component (if applicable):
Applies to all current releases of the kstart package in Fedora and Fedora EPEL (most recent in rawhide being 4.1-7.fc23).

How reproducible:
Always

Steps to Reproduce:
1. Install kstart package ( dnf install -y kstart / yum install -y kstart )
2. Try to run k5start with -t option: k5start -t
3. Receive error stating to specify aklog program with AKLOG variable.

Actual results:
bash-4.2$ k5start -t
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
k5start: set AKLOG to specify the path to aklog
bash-4.2$ AKLOG=/usr/bin/aklog k5start -t
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
Password for XXXUSERXXX@XXXREALMXXX: 

If the specified program (whether compiled in by default or specified by the AKLOG env) does not exist, k5start returns an error:
bash-4.2$ AKLOG=/bin/XXXXX k5start -t
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
Password for XXXUSERXXX@XXXREALMXXX: 
sh: /bin/XXXXX: No such file or directory


Expected results:
After authenticating to the realm, "k5start -t" should return with exit status 0 (you need to use a keytab file to execute commands in the Kerberos/AFS authenticated environment created, and these example reproduction steps are simply prompting for Kerberos authentication only and then exiting).
Example from Ubuntu 14.04 LTS
$ k5start -t 
Kerberos initialization for XXXUSERXXX@XXXREALMXXX
Password for XXXUSERXXX@XXXREALMXXX: 
$ echo $?
0


Additional info:
I consider this a "user expectation" bug, but I can also understand an argument for this as a "request for enhancement". By "user expectation", I mostly mean that if I request (with the -t option) to run a program to get an AFS token, that I would expect a reasonable default to be attempted, not be told that "you can't do that without explicitly setting an environment variable." Fedora and other RedHat-ish distros ship with MIT Kerberos, so it seems reasonable (to me at least) to provide the MIT-Kerberized aklog as the compile-time default, which can always be overridden with the AKLOG environment variable (due to alternate path for aklog, use of afslog, or of some other program).

By way of comparison, Debian, Ubuntu and OpenSuSE all provide this configure option by default (all without requiring or build-requiring an AFS package). See Debian source [1], Ubuntu source [2] and openSuSE source [3].


[1] https://sources.debian.net/src/kstart/4.1-3/debian/rules/
[2] http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/kstart/wily/view/head:/debian/rules
[3] https://build.opensuse.org/package/view_file/network/kstart/kstart.spec?expand=1
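
Added example (not part of the original report, and not kstart or Fedora code): a shell check a packager could run over a build log to see which AFS login default the build will carry, following the configure behaviour described above. The function names and the `./configure` lines in the sample logs are constructed for illustration, and the `--with-aklog` value is assumed to be unquoted.

```shell
#!/bin/sh
# Added example, not kstart or Fedora code. Reads a build log on stdin and
# reports which AFS login default the resulting k5start/krenew will carry.
#   explicit:<path>  configure was called with --with-aklog=<path>
#   detected:<path>  configure found aklog or afslog on the build host
#   empty            neither applies: "-t" will fail unless AKLOG is set
# Exit status is 1 for "empty" so the function can gate a build.
aklog_default() {
    log=$(cat)
    # An explicit --with-aklog=PATH on the configure command line wins.
    with=$(printf '%s\n' "$log" |
        sed -n 's/.*--with-aklog=\([^ ]*\).*/\1/p' | head -n 1)
    if [ -n "$with" ]; then
        printf 'explicit:%s\n' "$with"
        return 0
    fi
    # Otherwise look for a path (not "no") in configure's program checks.
    found=$(printf '%s\n' "$log" | sed -n \
        -e 's/^checking for aklog\.\.\. \(\/[^ ]*\) *$/\1/p' \
        -e 's/^checking for afslog\.\.\. \(\/[^ ]*\) *$/\1/p' | head -n 1)
    if [ -n "$found" ]; then
        printf 'detected:%s\n' "$found"
        return 0
    fi
    printf 'empty\n'
    return 1
}

# Constructed sample logs; only the two "checking for ... no" lines
# are quoted from the report.
log_without_option() {
    printf '%s\n' '+ ./configure --prefix=/usr' \
        'checking for aklog... no' 'checking for afslog... no'
}
log_with_option() {
    printf '%s\n' '+ ./configure --prefix=/usr --with-aklog=/usr/bin/aklog'
}
log_with_afs_installed() {
    printf '%s\n' '+ ./configure --prefix=/usr' \
        'checking for aklog... /usr/bin/aklog'
}

for sample in log_without_option log_with_option log_with_afs_installed; do
    printf '%s: ' "$sample"
    "$sample" | aklog_default || true
done
```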
Comment 1 Ken Dreyer 2015-12-01 14:30:55 EST
Let's use --with-aklog, as we already do in Fedora's pam_afs_session.
Comment 3 Fedora Update System 2015-12-01 14:46:16 EST
kstart-4.1-8.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-0bc1161afd
Comment 4 Fedora Update System 2015-12-01 14:46:39 EST
kstart-4.1-8.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-c2ab57aefd
Comment 5 Fedora Update System 2015-12-01 14:47:02 EST
kstart-4.1-8.el5 has been submitted as an update to Fedora EPEL 5. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8f7b599498
Comment 6 Fedora Update System 2015-12-01 14:48:23 EST
kstart-4.1-8.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a80c662c18
Comment 7 Fedora Update System 2015-12-01 14:48:44 EST
kstart-4.1-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8799e3640
Comment 8 Fedora Update System 2015-12-02 21:16:09 EST
kstart-4.1-8.el5 has been pushed to the Fedora EPEL 5 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8f7b599498
Comment 9 Fedora Update System 2015-12-02 23:20:45 EST
kstart-4.1-8.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-0bc1161afd
Comment 10 Fedora Update System 2015-12-03 11:02:37 EST
kstart-4.1-8.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-a80c662c18
Comment 11 Fedora Update System 2015-12-03 12:19:31 EST
kstart-4.1-8.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-c2ab57aefd
Comment 12 Fedora Update System 2015-12-03 20:38:01 EST
kstart-4.1-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update kstart'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-c8799e3640
Comment 13 Fedora Update System 2016-01-07 12:53:21 EST
kstart-4.1-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2016-01-07 14:28:23 EST
kstart-4.1-8.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2016-01-07 14:57:01 EST
kstart-4.1-8.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2016-01-07 14:57:08 EST
kstart-4.1-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2016-01-07 22:28:49 EST
kstart-4.1-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
