<div dir="ltr">In summary,  here's a simple augtool file:<div><br></div><div>set /augeas/load/Krb5/incl "/etc/krb5.conf"<br>set /augeas/load/Krb5/lens "Krb5.lns"<br>load<br>defnode libdefaults /files/etc/krb5.conf/libdefaults<br>set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'<br>set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'<br>set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'<br>set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'<br>set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'<br>set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'<br>save<br>print /augeas//error<br></div><div><br></div><div>Here's a simple /etc/krb5.conf file:</div><div><br></div><div>[libdefaults]<br> default_realm = <a href="http://AMER.DELL.COM">AMER.DELL.COM</a><br> ticket_lifetime = 36000<br> forwardable = true<br><br>[domain_realm]<br> <a href="http://auspslpltinf1.us.dell.com">auspslpltinf1.us.dell.com</a> = <a href="http://AMER.DELL.COM">AMER.DELL.COM</a><br></div><div><br></div><div>Here's the augtool invocation:</div><div><br></div><div>augtool --noautoload -f krb5.aug<br></div><div><br></div><div>Here's the error:</div><div><br></div><div>[root@auspslpltinf1 tmp]# augtool --noautoload -f krb5.aug<br>error: Failed to execute command<br>saving failed (run 'print /augeas//error' for details)<br>/augeas/files/etc/krb5.conf/error = "put_failed"<br>/augeas/files/etc/krb5.conf/error/path = "/files/etc/krb5.conf/libdefaults"<br>/augeas/files/etc/krb5.conf/error/lens = "/usr/share/augeas/lenses/dist/inifile.aug:353.27-354.17:"<br>/augeas/files/etc/krb5.conf/error/message = "Failed to match \n    ({ 
/[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt][Yy][Pp][Ee](([Ss][.0-9A-Z_a-z-]|[.0-9A-RT-Z_a-rt-z-])[.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt][Yy][Pp]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt][Yy]([.0-9A-OQ-Z_a-oq-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt]([.0-9A-XZ_a-xz-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn]([.0-9ABD-Z_abd-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee]([.0-9A-MO-Z_a-mo-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt][Yy][Pp][Ee](([Ss][.0-9A-Z_a-z-]|[.0-9A-RT-Z_a-rt-z-])[.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt][Yy][Pp]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt][Yy]([.0-9A-OQ-Z_a-oq-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt]([.0-9A-XZ_a-xz-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn]([.0-9ABD-Z_abd-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee]([.0-9A-MO-Z_a-mo-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg]([.0-9A-RT-Z_a-rt-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt]([.0-9A-FH-JL-Z_a-fh-jl-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][
Ee][Ff][Aa][Uu][Ll][Tt]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu]([.0-9A-KM-Z_a-km-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa]([.0-9A-TV-Z_a-tv-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff]([.0-9B-Z_b-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee]([.0-9A-EG-Z_a-eg-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt][Yy][Pp][Ee](([Ss][.0-9A-Z_a-z-]|[.0-9A-RT-Z_a-rt-z-])[.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt][Yy][Pp]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt][Yy]([.0-9A-OQ-Z_a-oq-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt]([.0-9A-XZ_a-xz-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn]([.0-9ABD-Z_abd-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee]([.0-9A-MO-Z_a-mo-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee]([.0-9A-CE-Z_a-ce-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm]([.0-9A-HJ-Z_a-hj-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr]([.0-9A-LN-Z_a-ln-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee]([.0-9A-QS-Z_a-qs-z-][.0-9A-Z_a-z-]*|)|([Pp][.0-9A-DF-Z_a-df-z-]|[Dd][.0-9A-DF-Z_a-df-z-]|[.0-9A-CE-OQ-Z_a-ce-oq-uw-z-][.0-9A-Z_a-z-])([.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|)|(v4_name_convert[.0-9A-Z_a-z-][.0-9A-Z_a-z-]|v4_name_conver[.0-9A-Z_a-su-z-][.0-9A-Z_a-z-])[.0-9A-Z_a-z-]*|v4_name_convert[.0-9A-Z_a-z-]|v4_name_conver[.0-9A-Z_a-su-z-]|v4_name_conver|v4_name_conve[.0-9A-Z_a-qs-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_conve[.0-9A-Z_a-qs-z-]|v4_name_conve|v4_na[.0-9A-Z_a-ln-z-][.0-9A-Z_a-z-][.0-9A-
Z_a-z-]*|v4_na[.0-9A-Z_a-ln-z-]|v4_na|v[.0-35-9A-Z_a-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v[.0-35-9A-Z_a-z-]|v4[.0-9A-Za-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4[.0-9A-Za-z-]|v4|v4_n[.0-9A-Z_b-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_n[.0-9A-Z_b-z-]|v4_n|v4_[.0-9A-Z_a-mo-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_[.0-9A-Z_a-mo-z-]|v4_|v4_nam[.0-9A-Z_a-df-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_nam[.0-9A-Z_a-df-z-]|v4_nam|v4_name_conv[.0-9A-Z_a-df-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_conv[.0-9A-Z_a-df-z-]|v4_name_conv|v4_name_con[.0-9A-Z_a-uw-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_con[.0-9A-Z_a-uw-z-]|v4_name_con|v4_name_co[.0-9A-Z_a-mo-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_co[.0-9A-Z_a-mo-z-]|v4_name_co|v4_name_c[.0-9A-Z_a-np-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_c[.0-9A-Z_a-np-z-]|v4_name_c|v4_name_[.0-9A-Z_abd-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_[.0-9A-Z_abd-z-]|v4_name_|v4_name[.0-9A-Za-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name[.0-9A-Za-z-]|v4_name|v|[Pp]|[Dd]|[.0-9A-CE-OQ-Z_a-ce-oq-uw-z-]/ = /[^\\001-\\004\\t\\n #;]+/ } | { /#comment/ = /(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | { /permitted_enctypes/ = /[0-9A-Za-z-]{3,}/ }({ /permitted_enctypes/ = /[0-9A-Za-z-]{3,}/ })*({ /#comment/ = /(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | ()){ /#eol/ } | { /default_tgs_enctypes/ = /[0-9A-Za-z-]{3,}/ }({ /default_tgs_enctypes/ = /[0-9A-Za-z-]{3,}/ })*({ /#comment/ = /(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | ()){ /#eol/ } | { /default_tkt_enctypes/ = /[0-9A-Za-z-]{3,}/ }({ /default_tkt_enctypes/ = /[0-9A-Za-z-]{3,}/ })*({ /#comment/ = /(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | ()){ /#eol/ } | { /v4_name_convert/ } | { })*\n  with tree\n    { \"default_realm\" = \"<a href="http://AMER.DELL.COM">AMER.DELL.COM</a>\" } { \"ticket_lifetime\" = \"36000\" } { \"forwardable\" = \"true\" } 
{  } { \"default_tgs_enctypes\" = \"arcfour-hmac-md5\" } { \"default_tgs_enctypes\" = \"aes128-cts-hmac-sha1-96\" } { \"default_tgs_enctypes\" = \"aes256-cts-hmac-sha1-96\" } { \"default_tkt_enctypes\" = \"arcfour-hmac-md5\" } { \"default_tkt_enctypes\" = \"aes128-cts-hmac-sha1-96\" } { \"default_tkt_enctypes\" = \"aes256-cts-hmac-sha1-96\" }"<br></div><div><br></div><div>If I manually fix up the /etc/krb5.conf file:</div><div><br></div><div>[libdefaults]<br>  default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96<br>  default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96<br> default_realm = <a href="http://AMER.DELL.COM">AMER.DELL.COM</a><br> ticket_lifetime = 36000<br> forwardable = true<br><br>[domain_realm]<br> <a href="http://auspslpltinf1.us.dell.com">auspslpltinf1.us.dell.com</a> = <a href="http://AMER.DELL.COM">AMER.DELL.COM</a><br></div><div><br></div><div>the augtool invocation works fine.</div><div><br></div><div>Spike</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 18, 2021 at 12:46 PM Spike White <<a href="mailto:spikewhitetx@gmail.com">spikewhitetx@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">augeas experts,<div><br></div><div>I am trying to update my /etc/krb5.conf.  I'm testing (for now) with a /tmp/krb5.conf file on RHEL7.</div><div><br></div><div>I have to have it not autoload all files, as there's some syntax in some other files augeas doesn't understand.</div><div><br></div><div>Here is my old krb5.aug file (which works).</div><div><br></div><div>set /augeas/load/Krb5/incl "/tmp/krb5.conf"<br>set /augeas/load/Krb5/lens "Krb5.lns"<br>load<br>defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. 
= '<a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a>' ]<br>defnode libdefaults /files/tmp/krb5.conf/libdefaults<br>set $realms_AMER_DELL_COM <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br>set $realms_AMER_DELL_COM/#comment LANDMARK<br>set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'<br>set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'<br>set $libdefaults/default_realm <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br>set $libdefaults/dns_lookup_kdc true<br>set /files/etc/krb5.conf/libdefaults/rdns false<br>set /files/etc/krb5.conf/domain_realm/.<a href="http://isus.emc.com" target="_blank">isus.emc.com</a> <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br>save<br></div><div><br></div><div>I run it thusly:  augtool --noautoload -f krb5.aug</div><br><div># Configuration snippets may be placed in this directory as well<br>includedir /etc/krb5.conf.d/<br><br>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br> admin_server = FILE:/var/log/kadmind.log<br><br>[libdefaults]<br> default_realm = <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br> dns_lookup_kdc = true<br> default_etypes_des = des-cbc-crc<br> default_tgs_enctypes = arcfour-hmac-md5<br> default_tkt_enctypes = arcfour-hmac-md5<br><br>[realms]<br><a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a> = {<br>   #LANDMARK<br>auth_to_local = RULE:[1:$1]<br>auth_to_local = DEFAULT<br>}<br>[domain_realm]<br># .<a href="http://example.com" target="_blank">example.com</a> = <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a><br># <a href="http://example.com" target="_blank">example.com</a> = <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a><br>.<a href="http://isus.emc.com" target="_blank">isus.emc.com</a> = <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br></div><div><br></div><div>Here's my problem.  
I want to restrict my default_tgs_enctypes and default_tkt_enctypes to only the strong-ish encryption types (I know the arcfour-hmac-md5 is not terribly strong today).</div><div><br></div><div>So if I change my krb5.aug file to this:</div><div><br></div><div>set /augeas/load/Krb5/incl "/tmp/krb5.conf"<br>set /augeas/load/Krb5/lens "Krb5.lns"<br>load<br>defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = '<a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a>' ]<br>defnode libdefaults /files/tmp/krb5.conf/libdefaults<br>set $realms_AMER_DELL_COM <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br>set $realms_AMER_DELL_COM/#comment LANDMARK<br>set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'<br>set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'<br>set $libdefaults/default_realm <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br>set $libdefaults/dns_lookup_kdc true<br>set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'<br>set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'<br>set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'<br>set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'<br>set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'<br>set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'<br>set /files/etc/krb5.conf/libdefaults/rdns false<br>set /files/etc/krb5.conf/domain_realm/.<a href="http://isus.emc.com" target="_blank">isus.emc.com</a> <a href="http://AMER.DELL.COM" target="_blank">AMER.DELL.COM</a><br>save<br></div><div><br></div><div>It fails.  The only extra lines are the $libdefaults/default_tgs_enctypes and the $libdefaults/default_tkt_enctypes set lines.</div><div><br></div><div>However, if I change my /tmp/krb5.conf file so that 3 default_tgs_enctypes and 3 default_tkt_enctypes already exist, it succeeds.</div><div><br></div><div>Example before:</div><div>...</div><div>[libdefaults]<br> ...<br> default_tgs_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc<br> default_tkt_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc<br></div><div><br></div><div>Then run augtool --noautoload -f /tmp/krb5.aug</div><div><br></div><div>After:</div><div>[libdefaults]<br>...<br> default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96<br> default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96<br><br></div><div>I thought the "set" operator was supposed to create a node entry if it didn't already exist.</div><div><br></div><div>Why does it fail to modify these entries, unless the lines already exist, with 3 entries already?</div><div><br></div><div>Spike</div><div><br></div><div><br></div></div>
</blockquote></div>
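Added example, not the poster's script or augeas project code: the lens expression in the put error above ends each enctype list with a `{ /#eol/ }` node, and that node is what the hand-edited file gains and the augtool-built tree lacks, so the save succeeds once each run of list nodes is followed by a valueless `#eol` node created with `clear`. The script runs against a scratch root via `augtool -r`; it assumes augtool reads commands from stdin and that the sample file holds no enctype lists yet (the function names `write_sample_conf`, `fix_script` and `apply_fix` are mine).

```shell
#!/bin/sh
# Added example, not code from the thread: run the augtool fix against a scratch
# copy of /etc/krb5.conf (augtool -r ROOT) so the host's real file is untouched.
set -eu
# Constructed sample: the same minimal krb5.conf as in the mail above.
write_sample_conf() {
  mkdir -p "$1/etc"
  cat > "$1/etc/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = AMER.DELL.COM
 ticket_lifetime = 36000
 forwardable = true

[domain_realm]
 auspslpltinf1.us.dell.com = AMER.DELL.COM
EOF
}
# Krb5.lns stores a space-separated enctype list as sibling nodes and, per the lens
# shown in the put error, requires a valueless "#eol" node right after each list.
# "clear" creates exactly such a node ("set" would give it a value). Assumes the
# file holds no enctype lists yet, so the nodes are appended in the order expected.
fix_script() {
  cat <<'EOF'
set /augeas/load/Krb5/incl "/etc/krb5.conf"
set /augeas/load/Krb5/lens "Krb5.lns"
load
defnode libdefaults /files/etc/krb5.conf/libdefaults
set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
clear $libdefaults/#eol[1]
set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
clear $libdefaults/#eol[2]
save
print /augeas//error
EOF
}
# Feed the commands to augtool on stdin, then show the rewritten enctype lines.
apply_fix() {
  fix_script | augtool --noautoload -r "$1"
  grep -E '^ *default_(tgs|tkt)_enctypes' "$1/etc/krb5.conf"
}
if command -v augtool >/dev/null 2>&1; then
  root=$(mktemp -d)
  write_sample_conf "$root"
  apply_fix "$root"
fi
```

If the file already carries an enctype list, its existing nodes and their `#eol` come first in the section, so `rm` the old list (and the `#eol` that follows it) before appending, or the new nodes land out of order and the put fails again.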