<div dir="ltr">augeas experts,<div><br></div>
<div>I am trying to update my /etc/krb5.conf. I'm testing (for now) with a /tmp/krb5.conf file on RHEL7.</div><div><br></div>
<div>I have to have it not autoload all files, as there's some syntax in some other files augeas doesn't understand.</div><div><br></div>
<div>Here is my old krb5.aug file (which works).</div><div><br></div>
<div>set /augeas/load/Krb5/incl "/tmp/krb5.conf"<br>set /augeas/load/Krb5/lens "Krb5.lns"<br>load<br>defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = 'AMER.DELL.COM' ]<br>defnode libdefaults /files/tmp/krb5.conf/libdefaults<br>set $realms_AMER_DELL_COM AMER.DELL.COM<br>set $realms_AMER_DELL_COM/#comment LANDMARK<br>set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'<br>set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'<br>set $libdefaults/default_realm AMER.DELL.COM<br>set $libdefaults/dns_lookup_kdc true<br>set /files/etc/krb5.conf/libdefaults/rdns false<br>set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM<br>save<br></div><div><br></div>
<div>I run it thusly: augtool --noautoload -f krb5.aug</div><br>
<div># Configuration snippets may be placed in this directory as well<br>includedir /etc/krb5.conf.d/<br><br>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br> admin_server = FILE:/var/log/kadmind.log<br><br>[libdefaults]<br> default_realm = AMER.DELL.COM<br> dns_lookup_kdc = true<br> default_etypes_des = des-cbc-crc<br> default_tgs_enctypes = arcfour-hmac-md5<br> default_tkt_enctypes = arcfour-hmac-md5<br><br>[realms]<br>AMER.DELL.COM = {<br>   #LANDMARK<br>auth_to_local = RULE:[1:$1]<br>auth_to_local = DEFAULT<br>}<br>[domain_realm]<br># .example.com = EXAMPLE.COM<br># example.com = EXAMPLE.COM<br>.isus.emc.com = AMER.DELL.COM<br></div><div><br></div>
<div>Here's my problem. I want to restrict my default_tgs_enctypes and default_tkt_enctypes to only the strong-ish encryption types (I know the arcfour-hmac-md5 is not terribly strong today).</div><div><br></div>
<div>So if I change my krb5.aug file to this:</div><div><br></div>
<div>set /augeas/load/Krb5/incl "/tmp/krb5.conf"<br>set /augeas/load/Krb5/lens "Krb5.lns"<br>load<br>defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = 'AMER.DELL.COM' ]<br>defnode libdefaults /files/tmp/krb5.conf/libdefaults<br>set $realms_AMER_DELL_COM AMER.DELL.COM<br>set $realms_AMER_DELL_COM/#comment LANDMARK<br>set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'<br>set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'<br>set $libdefaults/default_realm AMER.DELL.COM<br>set $libdefaults/dns_lookup_kdc true<br>set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'<br>set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'<br>set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'<br>set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'<br>set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'<br>set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'<br>set /files/etc/krb5.conf/libdefaults/rdns false<br>set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM<br>save<br></div><div><br></div>
<div>It fails. The only extra lines are the $libdefaults/default_tgs_enctypes and the $libdefaults/default_tkt_enctypes set lines.</div><div><br></div>
<div>However, if I change my /tmp/krb5.conf file so that 3 default_tgs_enctypes and 3 default_tkt_enctypes already exist, it succeeds.</div><div><br></div>
<div>Example before:</div><div>...</div>
<div>[libdefaults]<br> ...<br> default_tgs_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc<br> default_tkt_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc<br></div><div><br></div>
<div>Then run augtool --noautoload -f /tmp/krb5.aug</div><div><br></div>
<div>After:</div>
<div>[libdefaults]<br>...<br> default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96<br> default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96<br><br></div>
<div>I thought the "set" operator was supposed to create a node entry if it didn't already exist.</div><div><br></div>
<div>Why does it fail to modify these entries unless the lines already exist, with 3 entries already?</div><div><br></div>
<div>Spike</div><div><br></div><div><br></div></div>
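The goal of the post is a [libdefaults] section whose default_tgs_enctypes and default_tkt_enctypes lists contain only AES types, including when the file does not yet have those lines (the case in which the augtool run above fails). The following is an added example, not part of the original post and not an augeas script: a small Python checker that parses the top-level keys of [libdefaults] in a krb5.conf, reports which weak enctypes each list still allows, and rewrites the lists, appending the two lines when they are absent. The sample config is constructed from the one shown in the post; the set of weak enctype names, the inclusion of permitted_enctypes, and the placement of appended lines are assumptions of this example.

```python
"""Audit and harden the enctype lists in a krb5.conf [libdefaults] section."""
import re
from typing import Dict, List, Tuple

# Enctypes treated as weak.  des-cbc-crc and arcfour-hmac-md5 appear in the
# post; the other DES/DES3/RC4 spellings are assumptions added here
# (RFC 6649 deprecates DES and RC4-HMAC-EXP, RFC 8429 deprecates 3DES and RC4).
WEAK_ENCTYPES = frozenset({
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac",
    "arcfour-hmac-md5-exp", "rc4-hmac-exp",
})
# The AES types the post wants to end up with, strongest first.
STRONG_ENCTYPES: Tuple[str, ...] = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")
# [libdefaults] keys that hold enctype lists.  permitted_enctypes is not in the
# post; covering it is an assumption of this example.
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Keys added when [libdefaults] lacks them.
REQUIRED_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([A-Za-z0-9_.]+)(\s*=\s*)(.*)$")


def _clean(raw: str) -> str:
    """Strip whitespace; lines starting with '#' or ';' are krb5.conf comments."""
    line = raw.strip()
    return "" if line[:1] in ("#", ";") else line


def libdefaults_entries(text: str) -> Dict[str, List[str]]:
    """Top-level [libdefaults] keys mapped to their whitespace-split values.
    Brace-delimited sub-blocks are skipped so their keys are not mistaken
    for section-level settings; a repeated key overwrites the earlier one."""
    entries: Dict[str, List[str]] = {}
    section, depth = None, 0
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header and depth == 0:
            section = header.group(1).strip()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line.startswith("}"):
            depth = max(depth - 1, 0)
            continue
        kv = KV_RE.match(line)
        if section == "libdefaults" and depth == 0 and kv:
            entries[kv.group(1)] = kv.group(3).split()
    return entries


def audit_enctypes(text: str) -> Dict[str, List[str]]:
    """For each enctype list present in [libdefaults], the weak types it allows."""
    entries = libdefaults_entries(text)
    return {key: [e for e in entries[key] if e.lower() in WEAK_ENCTYPES]
            for key in ENCTYPE_KEYS if key in entries}


def harden_enctypes(text: str, strong: Tuple[str, ...] = STRONG_ENCTYPES) -> str:
    """Return TEXT with every enctype list in [libdefaults] set to STRONG.
    Existing lines are rewritten in place (keeping their indentation); missing
    REQUIRED_KEYS are appended after the last section-level line of
    [libdefaults].  Sub-blocks, other sections and unrelated keys such as
    default_etypes_des are left untouched."""
    wanted = " ".join(strong)
    out: List[str] = []
    missing = list(REQUIRED_KEYS)
    section, depth, insert_at = None, 0, 0

    def append_missing() -> None:
        for i, key in enumerate(missing):
            out.insert(insert_at + i, f" {key} = {wanted}")
        missing.clear()

    for raw in text.splitlines():
        line = _clean(raw)
        header = SECTION_RE.match(line)
        if header and depth == 0:
            if section == "libdefaults":
                append_missing()
            section = header.group(1).strip()
            out.append(raw)
            insert_at = len(out)
            continue
        kv = KV_RE.match(line)
        if (section == "libdefaults" and depth == 0 and kv
                and not line.endswith("{") and kv.group(1) in ENCTYPE_KEYS):
            indent = raw[:len(raw) - len(raw.lstrip())]
            raw = f"{indent}{kv.group(1)}{kv.group(2)}{wanted}"
            if kv.group(1) in missing:
                missing.remove(kv.group(1))
        if line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        out.append(raw)
        if section == "libdefaults" and depth == 0 and line:
            insert_at = len(out)
    if section == "libdefaults":
        append_missing()
    return "\n".join(out) + "\n"


# Constructed sample, cut down from the /tmp/krb5.conf shown in the post.
SAMPLE_KRB5_CONF = """\
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = AMER.DELL.COM
 dns_lookup_kdc = true
 default_etypes_des = des-cbc-crc
 default_tgs_enctypes = arcfour-hmac-md5
 default_tkt_enctypes = arcfour-hmac-md5

[realms]
AMER.DELL.COM = {
   #LANDMARK
auth_to_local = RULE:[1:$1]
auth_to_local = DEFAULT
}
[domain_realm]
.isus.emc.com = AMER.DELL.COM
"""

if __name__ == "__main__":
    print("before:", audit_enctypes(SAMPLE_KRB5_CONF))
    hardened = harden_enctypes(SAMPLE_KRB5_CONF)
    print("after: ", audit_enctypes(hardened))
    print(hardened)
```

Running the module audits the sample, prints the hardened text, and reports empty weak lists afterwards; the legacy default_etypes_des line and the realm sub-block are deliberately left alone, since only the three list keys are rewritten.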