[augeas-devel] [PATCH] Krb5: lens and tests for /etc/krb5.conf
David Lutterkort
lutter at redhat.com
Fri Mar 27 21:02:50 UTC 2009
---
lenses/krb5.aug | 120 ++++++
lenses/tests/test_krb5.aug | 864 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 984 insertions(+), 0 deletions(-)
create mode 100644 lenses/krb5.aug
create mode 100644 lenses/tests/test_krb5.aug
diff --git a/lenses/krb5.aug b/lenses/krb5.aug
new file mode 100644
index 0000000..a64ac23
--- /dev/null
+++ b/lenses/krb5.aug
@@ -0,0 +1,120 @@
+module Krb5 =
+
+autoload xfm
+
+let comment = Inifile.comment "#" "#"
+let empty = Inifile.empty
+let eol = Inifile.eol
+let dels = Util.del_str
+
+let indent = del /[ \t]*/ ""
+let eq = del /[ \t]*=[ \t]*/ " = "
+let eq_openbr = del /[ \t]*=[ \t\n]*\{([ \t]*\n)*/ " = {"
+let closebr = del /[ \t]*\}/ "}"
+
+(* These two regexps for realms and apps are not entirely true
+ - strictly speaking, there's no requirement that a realm is all upper case
+ and an application only uses lowercase. But it's what's used in practice.
+
+ Without that distinction we couldn't distinguish between applications
+ and realms in the [appdefaults] section.
+*)
+
+let realm_re = /[.A-Z-]+/
+let app_re = /[a-z0-9_]+/
+let name_re = /[.a-zA-Z0-9_-]+/
+
+let value = store /[^;# \t\n{}]+/
+let entry (kw:regexp) (sep:lens) (comment:lens)
+ = [ indent . key kw . sep . value . (comment|eol) ] | comment
+
+let simple_section (n:string) (k:regexp) =
+ let title = Inifile.indented_title n in
+ let entry = entry k eq comment in
+ Inifile.record title entry
+
+let record (t:string) (e:lens) =
+ let title = Inifile.indented_title t in
+ Inifile.record title e
+
+let libdefaults =
+ simple_section "libdefaults" /[a-zA-Z0-9_]+/
+
+let login =
+ let keys = /krb[45]_get_tickets|krb4_convert|krb_run_aklog/
+ |/aklog_path|accept_passwd/ in
+ simple_section "login" keys
+
+let appdefaults =
+ let option = entry (name_re - "realm" - "application") eq comment in
+ let realm = [ indent . label "realm" . store realm_re .
+ eq_openbr . option* . closebr . eol ] in
+ let app = [ indent . label "application" . store app_re .
+ eq_openbr . (realm|option)* . closebr . eol] in
+ record "appdefaults" (option|realm|app)
+
+let realms =
+ let simple_option = /kdc|admin_server|database_module|default_domain/
+ |/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
+ |/admin_server/ in
+ let subsec_option = /v4_instance_convert/ in
+ let option = entry simple_option eq comment in
+ let subsec = [ indent . key subsec_option . eq_openbr .
+ (entry name_re eq comment)* . closebr . eol ] in
+ let realm = [ indent . label "realm" . store realm_re .
+ eq_openbr . (option|subsec)* . closebr . eol ] in
+ record "realms" (realm|comment)
+
+let domain_realm =
+ simple_section "domain_realm" name_re
+
+let logging =
+ let keys = /kdc|admin_server|default/ in
+ let xchg (m:regexp) (d:string) (l:string) =
+ del m d . label l in
+ let xchgs (m:string) (l:string) = xchg m m l in
+ let dest =
+ [ xchg /FILE[=:]/ "FILE=" "file" . value ]
+ |[ xchgs "STDERR" "stderr" ]
+ |[ xchgs "CONSOLE" "console" ]
+ |[ xchgs "DEVICE=" "device" . value ]
+ |[ xchgs "SYSLOG" "syslog" .
+ ([ xchgs ":" "severity" . store /[A-Za-z0-9]+/ ].
+ [ xchgs ":" "facility" . store /[A-Za-z0-9]+/ ]?)? ] in
+ let entry = [ indent . key keys . eq . dest . (comment|eol) ] | comment in
+ record "logging" entry
+
+let capaths =
+ let realm = [ indent . key realm_re .
+ eq_openbr .
+ (entry realm_re eq comment)* . closebr . eol ] in
+ record "capaths" (realm|comment)
+
+let dbdefaults =
+ let keys = /database_module|ldap_kerberos_container_dn|ldap_kdc_dn/
+ |/ldap_kadmind_dn|ldap_service_password_file|ldap_servers/
+ |/ldap_conns_per_server/ in
+ simple_section "dbdefaults" keys
+
+let dbmodules =
+ let keys = /db_library|ldap_kerberos_container_dn|ldap_kdc_dn/
+ |/ldap_kadmind_dn|ldap_service_password_file|ldap_servers/
+ |/ldap_conns_per_server/ in
+ simple_section "dbmodules" keys
+
+(* This section is not documented in the krb5.conf manpage,
+ but the Fermi example uses it. *)
+let instance_mapping =
+ let value = dels "\"" . store /[^;# \t\n{}]*/ . dels "\"" in
+ let map_node = label "mapping" . store /[a-zA-Z0-9\/*]+/ in
+ let mapping = [ indent . map_node . eq .
+ [ label "value" . value ] . (comment|eol) ] in
+ let instance = [ indent . key name_re .
+ eq_openbr . (mapping|comment)* . closebr . eol ] in
+ record "instancemapping" instance
+
+let lns = (comment|empty)* .
+ (libdefaults|login|appdefaults|realms|domain_realm
+ |logging|capaths|dbdefaults|dbmodules|instance_mapping)*
+
+let xfm = transform lns (incl "/etc/krb5.conf")
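Review bot: The default text for `eq_openbr` is `" = {"` with no trailing newline, and every entry lens that follows it (`option`, `subsec`, `mapping`) starts with `indent`, whose default is the empty string, so a realm, application or subsection created through the put direction is rendered with its first option glued to the opening brace (`EXAMPLE.COM = {kdc = ...`). As far as I recall libkrb5's profile parser only opens a subsection when `{` ends the line, which would mean Augeas can write a krb5.conf the host then fails to read; changing the default to `let eq_openbr = del /[ \t]*=[ \t\n]*\{([ \t]*\n)*/ " = {\n"` (and ideally giving `indent` a non-empty default) fixes the write path, but please confirm with a round-trip `put` test. `realm_re` is `/[.A-Z-]+/`, which rejects digits and underscores, so a `[realms]` or `[capaths]` key such as the `SMS_TEST.MIT.EDU` realm that this patch's test data uses as a `[domain_realm]` value would not parse; `let realm_re = /[A-Z][.A-Z0-9_-]*/` admits such names while the leading-uppercase requirement keeps it disjoint from `app_re`, which the `realm|app` union in `appdefaults` depends on. Also, `admin_server` appears twice in `simple_option` in `realms`; the second alternative can be dropped.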
diff --git a/lenses/tests/test_krb5.aug b/lenses/tests/test_krb5.aug
new file mode 100644
index 0000000..3060664
--- /dev/null
+++ b/lenses/tests/test_krb5.aug
@@ -0,0 +1,864 @@
+module Test_krb5 =
+
+ (* Krb5.conf from Fermi labs *)
+ let fermi_str = "###
+### This krb5.conf template is intended for use with Fermi
+### Kerberos v1_2 and later. Earlier versions may choke on the
+### \"auth_to_local = \" lines unless they are commented out.
+### The installation process should do all the right things in
+### any case, but if you are reading this and haven't updated
+### your kerberos product to v1_2 or later, you really should!
+###
+[libdefaults]
+ ticket_lifetime = 1560m
+ default_realm = FNAL.GOV
+ ccache_type = 4
+ default_tgs_enCtypes = des-cbc-crc
+ default_tkt_enctypes = des-cbc-crc
+ default_lifetime = 7d
+ renew_lifetime = 7d
+ autologin = true
+ forward = true
+ forwardable = true
+ renewable = true
+ encrypt = true
+
+[realms]
+ FNAL.GOV = {
+ kdc = krb-fnal-1.fnal.gov:88
+ kdc = krb-fnal-2.fnal.gov:88
+ kdc = krb-fnal-3.fnal.gov:88
+ kdc = krb-fnal-4.fnal.gov:88
+ kdc = krb-fnal-5.fnal.gov:88
+ kdc = krb-fnal-6.fnal.gov:88
+ kdc = krb-fnal-7.fnal.gov:88
+ master_kdc = krb-fnal-admin.fnal.gov:88
+ admin_server = krb-fnal-admin.fnal.gov
+ default_domain = fnal.gov
+ }
+ WIN.FNAL.GOV = {
+ kdc = littlebird.win.fnal.gov:88
+ kdc = bigbird.win.fnal.gov:88
+ default_domain = fnal.gov
+ }
+ FERMI.WIN.FNAL.GOV = {
+ kdc = sully.fermi.win.fnal.gov:88
+ kdc = elmo.fermi.win.fnal.gov:88
+ kdc = grover.fermi.win.fnal.gov:88
+ kdc = oscar.fermi.win.fnal.gov:88
+ kdc = cookie.fermi.win.fnal.gov:88
+ kdc = herry.fermi.win.fnal.gov:88
+ default_domain = fnal.gov
+ }
+ UCHICAGO.EDU = {
+ kdc = kerberos-0.uchicago.edu
+ kdc = kerberos-1.uchicago.edu
+ kdc = kerberos-2.uchicago.edu
+ admin_server = kerberos.uchicago.edu
+ default_domain = uchicago.edu
+ }
+ PILOT.FNAL.GOV = {
+ kdc = i-krb-2.fnal.gov:88
+ master_kdc = i-krb-2.fnal.gov:88
+ admin_server = i-krb-2.fnal.gov
+ default_domain = fnal.gov
+ }
+ WINBETA.FNAL.GOV = {
+ kdc = wbdc1.winbeta.fnal.gov:88
+ kdc = wbdc2.winbeta.fnal.gov:88
+ default_domain = fnal.gov
+ }
+ FERMIBETA.WINBETA.FNAL.GOV = {
+ kdc = fbdc1.fermibeta.winbeta.fnal.gov:88
+ kdc = fbdc2.fermibeta.winbeta.fnal.gov:88
+ default_domain = fnal.gov
+ }
+ CERN.CH = {
+ kdc = afsdb2.cern.ch
+ kdc = afsdb3.cern.ch
+ kdc = afsdb1.cern.ch
+ default_domain = cern.ch
+ kpasswd_server = afskrb5m.cern.ch
+ admin_server = afskrb5m.cern.ch
+ }
+
+[instancemapping]
+ afs = {
+ cron/* = \"\"
+ cms/* = \"\"
+ afs/* = \"\"
+ e898/* = \"\"
+ }
+
+[capaths]
+
+# FNAL.GOV and PILOT.FNAL.GOV are the MIT Kerberos Domains
+# FNAL.GOV is production and PILOT is for testing
+# The FERMI Windows domain uses the WIN.FNAL.GOV root realm
+# with the FERMI.WIN.FNAL.GOV sub-realm where machines and users
+# reside. The WINBETA and FERMIBETA domains are the equivalent
+# testing realms for the FERMIBETA domain. The 2-way transitive
+# trust structure of this complex is as follows:
+#
+# FNAL.GOV <=> PILOT.FNAL.GOV
+# FNAL.GOV <=> WIN.FERMI.GOV <=> FERMI.WIN.FERMI.GOV
+# PILOT.FNAL.GOV <=> WINBETA.FNAL.GOV <=> FERMIBETA.WINBETA.FNAL.GOV
+
+FNAL.GOV = {
+ PILOT.FNAL.GOV = .
+ FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV
+ WIN.FNAL.GOV = .
+ FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV
+ WINBETA.FNAL.GOV = PILOT.FNAL.GOV
+}
+PILOT.FNAL.GOV = {
+ FNAL.GOV = .
+ FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV
+ WIN.FNAL.GOV = FNAL.GOV
+ FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV
+ WINBETA.FNAL.GOV = .
+}
+WIN.FNAL.GOV = {
+ FNAL.GOV = .
+ PILOT.FNAL.GOV = FNAL.GOV
+ FERMI.WIN.FNAL.GOV = .
+ FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV
+ WINBETA.FNAL.GOV = PILOT.FNAL.GOV
+}
+WINBETA.FNAL.GOV = {
+ PILOT.FNAL.GOV = .
+ FERMIBETA.WINBETA.FNAL.GOV = .
+ FNAL.GOV = PILOT.FNAL.GOV
+ FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV
+ WIN.FNAL.GOV = PILOT.FNAL.GOV
+}
+
+[logging]
+ kdc = SYSLOG:info:local1
+ admin_server = SYSLOG:info:local2
+ default = SYSLOG:err:auth
+
+[domain_realm]
+# Fermilab's (non-windows-centric) domains
+ .fnal.gov = FNAL.GOV
+ .cdms-soudan.org = FNAL.GOV
+ .deemz.net = FNAL.GOV
+ .dhcp.fnal.gov = FNAL.GOV
+ .minos-soudan.org = FNAL.GOV
+ i-krb-2.fnal.gov = PILOT.FNAL.GOV
+ .win.fnal.gov = WIN.FNAL.GOV
+ .fermi.win.fnal.gov = FERMI.WIN.FNAL.GOV
+ .winbeta.fnal.gov = WINBETA.FNAL.GOV
+ .fermibeta.winbeta.fnal.gov = FERMIBETA.WINBETA.FNAL.GOV
+# Fermilab's KCA servers so FERMI.WIN principals work in FNAL.GOV realm
+# winserver.fnal.gov = FERMI.WIN.FNAL.GOV
+# winserver2.fnal.gov = FERMI.WIN.FNAL.GOVA
+# Accelerator nodes to FERMI.WIN for Linux/OS X users
+ adgroups.fnal.gov = FERMI.WIN.FNAL.GOV
+ adusers.fnal.gov = FERMI.WIN.FNAL.GOV
+ webad.fnal.gov = FERMI.WIN.FNAL.GOV
+# Friends and family (by request)
+ .cs.ttu.edu = FNAL.GOV
+ .geol.uniovi.es = FNAL.GOV
+ .harvard.edu = FNAL.GOV
+ .hpcc.ttu.edu = FNAL.GOV
+ .infn.it = FNAL.GOV
+ .knu.ac.kr = FNAL.GOV
+ .lns.mit.edu = FNAL.GOV
+ .ph.liv.ac.uk = FNAL.GOV
+ .pha.jhu.edu = FNAL.GOV
+ .phys.ttu.edu = FNAL.GOV
+ .phys.ualberta.ca = FNAL.GOV
+ .physics.lsa.umich.edu = FNAL.GOV
+ .physics.ucla.edu = FNAL.GOV
+ .physics.ucsb.edu = FNAL.GOV
+ .physics.utoronto.ca = FNAL.GOV
+ .rl.ac.uk = FNAL.GOV
+ .rockefeller.edu = FNAL.GOV
+ .rutgers.edu = FNAL.GOV
+ .sdsc.edu = FNAL.GOV
+ .sinica.edu.tw = FNAL.GOV
+ .tsukuba.jp.hep.net = FNAL.GOV
+ .ucsd.edu = FNAL.GOV
+ .unl.edu = FNAL.GOV
+ .in2p3.fr = FNAL.GOV
+ .wisc.edu = FNAL.GOV
+ .pic.org.es = FNAL.GOV
+ .kisti.re.kr = FNAL.GOV
+
+# The whole \"top half\" is replaced during \"ups installAsRoot krb5conf\", so:
+# It would probably be a bad idea to change anything on or above this line
+
+# If you need to add any .domains or hosts, put them here
+[domain_realm]
+ mojo.lunet.edu = FNAL.GOV
+
+[appdefaults]
+ default_lifetime = 7d
+ retain_ccache = false
+ autologin = true
+ forward = true
+ forwardable = true
+ renewable = true
+ encrypt = true
+ krb5_aklog_path = /usr/bin/aklog
+
+ telnet = {
+ }
+
+ rcp = {
+ forward = true
+ encrypt = false
+ allow_fallback = true
+ }
+
+ rsh = {
+ allow_fallback = true
+ }
+
+ rlogin = {
+ allow_fallback = false
+ }
+
+
+ login = {
+ forwardable = true
+ krb5_run_aklog = false
+ krb5_get_tickets = true
+ krb4_get_tickets = false
+ krb4_convert = false
+ }
+
+ kinit = {
+ forwardable = true
+ krb5_run_aklog = false
+ }
+
+ kadmin = {
+ forwardable = false
+ }
+
+ rshd = {
+ krb5_run_aklog = false
+ }
+
+ ftpd = {
+ krb5_run_aklog = false
+ default_lifetime = 10h
+ }
+
+ pam = {
+ debug = false
+ forwardable = true
+ renew_lifetime = 7d
+ ticket_lifetime = 1560m
+ krb4_convert = true
+ afs_cells = fnal.gov
+ krb5_run_aklog = false
+ }
+"
+
+test Krb5.lns get fermi_str =
+ { "#comment" = "##" }
+ { "#comment" = "## This krb5.conf template is intended for use with Fermi" }
+ { "#comment" = "## Kerberos v1_2 and later. Earlier versions may choke on the" }
+ { "#comment" = "## \"auth_to_local = \" lines unless they are commented out." }
+ { "#comment" = "## The installation process should do all the right things in" }
+ { "#comment" = "## any case, but if you are reading this and haven't updated" }
+ { "#comment" = "## your kerberos product to v1_2 or later, you really should!" }
+ { "#comment" = "##" }
+ { "libdefaults"
+ { "ticket_lifetime" = "1560m" }
+ { "default_realm" = "FNAL.GOV" }
+ { "ccache_type" = "4" }
+ { "default_tgs_enCtypes" = "des-cbc-crc" }
+ { "default_tkt_enctypes" = "des-cbc-crc" }
+ { "default_lifetime" = "7d" }
+ { "renew_lifetime" = "7d" }
+ { "autologin" = "true" }
+ { "forward" = "true" }
+ { "forwardable" = "true" }
+ { "renewable" = "true" }
+ { "encrypt" = "true" }
+ { } }
+ { "realms"
+ { "realm" = "FNAL.GOV"
+ { "kdc" = "krb-fnal-1.fnal.gov:88" }
+ { "kdc" = "krb-fnal-2.fnal.gov:88" }
+ { "kdc" = "krb-fnal-3.fnal.gov:88" }
+ { "kdc" = "krb-fnal-4.fnal.gov:88" }
+ { "kdc" = "krb-fnal-5.fnal.gov:88" }
+ { "kdc" = "krb-fnal-6.fnal.gov:88" }
+ { "kdc" = "krb-fnal-7.fnal.gov:88" }
+ { "master_kdc" = "krb-fnal-admin.fnal.gov:88" }
+ { "admin_server" = "krb-fnal-admin.fnal.gov" }
+ { "default_domain" = "fnal.gov" } }
+ { "realm" = "WIN.FNAL.GOV"
+ { "kdc" = "littlebird.win.fnal.gov:88" }
+ { "kdc" = "bigbird.win.fnal.gov:88" }
+ { "default_domain" = "fnal.gov" } }
+ { "realm" = "FERMI.WIN.FNAL.GOV"
+ { "kdc" = "sully.fermi.win.fnal.gov:88" }
+ { "kdc" = "elmo.fermi.win.fnal.gov:88" }
+ { "kdc" = "grover.fermi.win.fnal.gov:88" }
+ { "kdc" = "oscar.fermi.win.fnal.gov:88" }
+ { "kdc" = "cookie.fermi.win.fnal.gov:88" }
+ { "kdc" = "herry.fermi.win.fnal.gov:88" }
+ { "default_domain" = "fnal.gov" } }
+ { "realm" = "UCHICAGO.EDU"
+ { "kdc" = "kerberos-0.uchicago.edu" }
+ { "kdc" = "kerberos-1.uchicago.edu" }
+ { "kdc" = "kerberos-2.uchicago.edu" }
+ { "admin_server" = "kerberos.uchicago.edu" }
+ { "default_domain" = "uchicago.edu" } }
+ { "realm" = "PILOT.FNAL.GOV"
+ { "kdc" = "i-krb-2.fnal.gov:88" }
+ { "master_kdc" = "i-krb-2.fnal.gov:88" }
+ { "admin_server" = "i-krb-2.fnal.gov" }
+ { "default_domain" = "fnal.gov" } }
+ { "realm" = "WINBETA.FNAL.GOV"
+ { "kdc" = "wbdc1.winbeta.fnal.gov:88" }
+ { "kdc" = "wbdc2.winbeta.fnal.gov:88" }
+ { "default_domain" = "fnal.gov" } }
+ { "realm" = "FERMIBETA.WINBETA.FNAL.GOV"
+ { "kdc" = "fbdc1.fermibeta.winbeta.fnal.gov:88" }
+ { "kdc" = "fbdc2.fermibeta.winbeta.fnal.gov:88" }
+ { "default_domain" = "fnal.gov" } }
+ { "realm" = "CERN.CH"
+ { "kdc" = "afsdb2.cern.ch" }
+ { "kdc" = "afsdb3.cern.ch" }
+ { "kdc" = "afsdb1.cern.ch" }
+ { "default_domain" = "cern.ch" }
+ { "kpasswd_server" = "afskrb5m.cern.ch" }
+ { "admin_server" = "afskrb5m.cern.ch" } }
+ { } }
+ { "instancemapping"
+ { "afs"
+ { "mapping" = "cron/*" { "value" = "" } }
+ { "mapping" = "cms/*" { "value" = "" } }
+ { "mapping" = "afs/*" { "value" = "" } }
+ { "mapping" = "e898/*" { "value" = "" } } }
+ { } }
+ { "capaths"
+ { }
+ { "#comment" = "FNAL.GOV and PILOT.FNAL.GOV are the MIT Kerberos Domains" }
+ { "#comment" = "FNAL.GOV is production and PILOT is for testing" }
+ { "#comment" = "The FERMI Windows domain uses the WIN.FNAL.GOV root realm" }
+ { "#comment" = "with the FERMI.WIN.FNAL.GOV sub-realm where machines and users" }
+ { "#comment" = "reside. The WINBETA and FERMIBETA domains are the equivalent" }
+ { "#comment" = "testing realms for the FERMIBETA domain. The 2-way transitive" }
+ { "#comment" = "trust structure of this complex is as follows:" }
+ { "#comment" }
+ { "#comment" = "FNAL.GOV <=> PILOT.FNAL.GOV" }
+ { "#comment" = "FNAL.GOV <=> WIN.FERMI.GOV <=> FERMI.WIN.FERMI.GOV" }
+ { "#comment" = "PILOT.FNAL.GOV <=> WINBETA.FNAL.GOV <=> FERMIBETA.WINBETA.FNAL.GOV" }
+ { }
+ { "FNAL.GOV"
+ { "PILOT.FNAL.GOV" = "." }
+ { "FERMI.WIN.FNAL.GOV" = "WIN.FNAL.GOV" }
+ { "WIN.FNAL.GOV" = "." }
+ { "FERMIBETA.WINBETA.FNAL.GOV" = "WINBETA.FNAL.GOV" }
+ { "WINBETA.FNAL.GOV" = "PILOT.FNAL.GOV" } }
+ { "PILOT.FNAL.GOV"
+ { "FNAL.GOV" = "." }
+ { "FERMI.WIN.FNAL.GOV" = "WIN.FNAL.GOV" }
+ { "WIN.FNAL.GOV" = "FNAL.GOV" }
+ { "FERMIBETA.WINBETA.FNAL.GOV" = "WINBETA.FNAL.GOV" }
+ { "WINBETA.FNAL.GOV" = "." } }
+ { "WIN.FNAL.GOV"
+ { "FNAL.GOV" = "." }
+ { "PILOT.FNAL.GOV" = "FNAL.GOV" }
+ { "FERMI.WIN.FNAL.GOV" = "." }
+ { "FERMIBETA.WINBETA.FNAL.GOV" = "WINBETA.FNAL.GOV" }
+ { "WINBETA.FNAL.GOV" = "PILOT.FNAL.GOV" } }
+ { "WINBETA.FNAL.GOV"
+ { "PILOT.FNAL.GOV" = "." }
+ { "FERMIBETA.WINBETA.FNAL.GOV" = "." }
+ { "FNAL.GOV" = "PILOT.FNAL.GOV" }
+ { "FERMI.WIN.FNAL.GOV" = "WIN.FNAL.GOV" }
+ { "WIN.FNAL.GOV" = "PILOT.FNAL.GOV" } }
+ { } }
+ { "logging"
+ { "kdc"
+ { "syslog"
+ { "severity" = "info" }
+ { "facility" = "local1" } } }
+ { "admin_server"
+ { "syslog"
+ { "severity" = "info" }
+ { "facility" = "local2" } } }
+ { "default"
+ { "syslog"
+ { "severity" = "err" }
+ { "facility" = "auth" } } }
+ { } }
+ { "domain_realm"
+ { "#comment" = "Fermilab's (non-windows-centric) domains" }
+ { ".fnal.gov" = "FNAL.GOV" }
+ { ".cdms-soudan.org" = "FNAL.GOV" }
+ { ".deemz.net" = "FNAL.GOV" }
+ { ".dhcp.fnal.gov" = "FNAL.GOV" }
+ { ".minos-soudan.org" = "FNAL.GOV" }
+ { "i-krb-2.fnal.gov" = "PILOT.FNAL.GOV" }
+ { ".win.fnal.gov" = "WIN.FNAL.GOV" }
+ { ".fermi.win.fnal.gov" = "FERMI.WIN.FNAL.GOV" }
+ { ".winbeta.fnal.gov" = "WINBETA.FNAL.GOV" }
+ { ".fermibeta.winbeta.fnal.gov" = "FERMIBETA.WINBETA.FNAL.GOV" }
+ { "#comment" = "Fermilab's KCA servers so FERMI.WIN principals work in FNAL.GOV realm" }
+ { "#comment" = "winserver.fnal.gov = FERMI.WIN.FNAL.GOV" }
+ { "#comment" = "winserver2.fnal.gov = FERMI.WIN.FNAL.GOVA" }
+ { "#comment" = "Accelerator nodes to FERMI.WIN for Linux/OS X users" }
+ { "adgroups.fnal.gov" = "FERMI.WIN.FNAL.GOV" }
+ { "adusers.fnal.gov" = "FERMI.WIN.FNAL.GOV" }
+ { "webad.fnal.gov" = "FERMI.WIN.FNAL.GOV" }
+ { "#comment" = "Friends and family (by request)" }
+ { ".cs.ttu.edu" = "FNAL.GOV" }
+ { ".geol.uniovi.es" = "FNAL.GOV" }
+ { ".harvard.edu" = "FNAL.GOV" }
+ { ".hpcc.ttu.edu" = "FNAL.GOV" }
+ { ".infn.it" = "FNAL.GOV" }
+ { ".knu.ac.kr" = "FNAL.GOV" }
+ { ".lns.mit.edu" = "FNAL.GOV" }
+ { ".ph.liv.ac.uk" = "FNAL.GOV" }
+ { ".pha.jhu.edu" = "FNAL.GOV" }
+ { ".phys.ttu.edu" = "FNAL.GOV" }
+ { ".phys.ualberta.ca" = "FNAL.GOV" }
+ { ".physics.lsa.umich.edu" = "FNAL.GOV" }
+ { ".physics.ucla.edu" = "FNAL.GOV" }
+ { ".physics.ucsb.edu" = "FNAL.GOV" }
+ { ".physics.utoronto.ca" = "FNAL.GOV" }
+ { ".rl.ac.uk" = "FNAL.GOV" }
+ { ".rockefeller.edu" = "FNAL.GOV" }
+ { ".rutgers.edu" = "FNAL.GOV" }
+ { ".sdsc.edu" = "FNAL.GOV" }
+ { ".sinica.edu.tw" = "FNAL.GOV" }
+ { ".tsukuba.jp.hep.net" = "FNAL.GOV" }
+ { ".ucsd.edu" = "FNAL.GOV" }
+ { ".unl.edu" = "FNAL.GOV" }
+ { ".in2p3.fr" = "FNAL.GOV" }
+ { ".wisc.edu" = "FNAL.GOV" }
+ { ".pic.org.es" = "FNAL.GOV" }
+ { ".kisti.re.kr" = "FNAL.GOV" }
+ { }
+ { "#comment" = "The whole \"top half\" is replaced during \"ups installAsRoot krb5conf\", so:" }
+ { "#comment" = "It would probably be a bad idea to change anything on or above this line" }
+ { }
+ { "#comment" = "If you need to add any .domains or hosts, put them here" } }
+ { "domain_realm"
+ { "mojo.lunet.edu" = "FNAL.GOV" }
+ { } }
+ { "appdefaults"
+ { "default_lifetime" = "7d" }
+ { "retain_ccache" = "false" }
+ { "autologin" = "true" }
+ { "forward" = "true" }
+ { "forwardable" = "true" }
+ { "renewable" = "true" }
+ { "encrypt" = "true" }
+ { "krb5_aklog_path" = "/usr/bin/aklog" }
+ { }
+ { "application" = "telnet" }
+ { }
+ { "application" = "rcp"
+ { "forward" = "true" }
+ { "encrypt" = "false" }
+ { "allow_fallback" = "true" } }
+ { }
+ { "application" = "rsh"
+ { "allow_fallback" = "true" } }
+ { }
+ { "application" = "rlogin"
+ { "allow_fallback" = "false" } }
+ { }
+ { }
+ { "application" = "login"
+ { "forwardable" = "true" }
+ { "krb5_run_aklog" = "false" }
+ { "krb5_get_tickets" = "true" }
+ { "krb4_get_tickets" = "false" }
+ { "krb4_convert" = "false" } }
+ { }
+ { "application" = "kinit"
+ { "forwardable" = "true" }
+ { "krb5_run_aklog" = "false" } }
+ { }
+ { "application" = "kadmin"
+ { "forwardable" = "false" } }
+ { }
+ { "application" = "rshd"
+ { "krb5_run_aklog" = "false" } }
+ { }
+ { "application" = "ftpd"
+ { "krb5_run_aklog" = "false" }
+ { "default_lifetime" = "10h" } }
+ { }
+ { "application" = "pam"
+ { "debug" = "false" }
+ { "forwardable" = "true" }
+ { "renew_lifetime" = "7d" }
+ { "ticket_lifetime" = "1560m" }
+ { "krb4_convert" = "true" }
+ { "afs_cells" = "fnal.gov" }
+ { "krb5_run_aklog" = "false" } } }
+
+
+(* Example from the krb5 distrubution *)
+let dist_str = "[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+ krb4_config = /usr/kerberos/lib/krb.conf
+ krb4_realms = /usr/kerberos/lib/krb.realms
+
+[realms]
+ ATHENA.MIT.EDU = {
+ admin_server = KERBEROS.MIT.EDU
+ default_domain = MIT.EDU
+ v4_instance_convert = {
+ mit = mit.edu
+ lithium = lithium.lcs.mit.edu
+ }
+ }
+ ANDREW.CMU.EDU = {
+ admin_server = vice28.fs.andrew.cmu.edu
+ }
+# use \"kdc =\" if realm admins haven't put SRV records into DNS
+ GNU.ORG = {
+ kdc = kerberos.gnu.org
+ kdc = kerberos-2.gnu.org
+ admin_server = kerberos.gnu.org
+ }
+
+[domain_realm]
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+ .media.mit.edu = MEDIA-LAB.MIT.EDU
+ media.mit.edu = MEDIA-LAB.MIT.EDU
+ .ucsc.edu = CATS.UCSC.EDU
+
+[logging]
+# kdc = CONSOLE
+"
+
+test Krb5.lns get dist_str =
+ { "libdefaults"
+ { "default_realm" = "ATHENA.MIT.EDU" }
+ { "krb4_config" = "/usr/kerberos/lib/krb.conf" }
+ { "krb4_realms" = "/usr/kerberos/lib/krb.realms" }
+ { } }
+ { "realms"
+ { "realm" = "ATHENA.MIT.EDU"
+ { "admin_server" = "KERBEROS.MIT.EDU" }
+ { "default_domain" = "MIT.EDU" }
+ { "v4_instance_convert"
+ { "mit" = "mit.edu" }
+ { "lithium" = "lithium.lcs.mit.edu" } } }
+ { "realm" = "ANDREW.CMU.EDU"
+ { "admin_server" = "vice28.fs.andrew.cmu.edu" } }
+ { "#comment" = "use \"kdc =\" if realm admins haven't put SRV records into DNS" }
+ { "realm" = "GNU.ORG"
+ { "kdc" = "kerberos.gnu.org" }
+ { "kdc" = "kerberos-2.gnu.org" }
+ { "admin_server" = "kerberos.gnu.org" } }
+ { } }
+ { "domain_realm"
+ { ".mit.edu" = "ATHENA.MIT.EDU" }
+ { "mit.edu" = "ATHENA.MIT.EDU" }
+ { ".media.mit.edu" = "MEDIA-LAB.MIT.EDU" }
+ { "media.mit.edu" = "MEDIA-LAB.MIT.EDU" }
+ { ".ucsc.edu" = "CATS.UCSC.EDU" }
+ { } }
+ { "logging"
+ { "#comment" = "kdc = CONSOLE" } }
+
+(* Test for [libdefaults] *)
+test Krb5.libdefaults get "[libdefaults]
+ default_realm = ATHENA.MIT.EDU
+ krb4_config = /usr/kerberos/lib/krb.conf
+ krb4_realms = /usr/kerberos/lib/krb.realms\n\n" =
+ { "libdefaults"
+ { "default_realm" = "ATHENA.MIT.EDU" }
+ { "krb4_config" = "/usr/kerberos/lib/krb.conf" }
+ { "krb4_realms" = "/usr/kerberos/lib/krb.realms" }
+ { } }
+
+(* Test for [appfdefaults] *)
+test Krb5.appdefaults get "[appdefaults]\n\tdefault_lifetime = 7d\n" =
+ { "appdefaults" { "default_lifetime" = "7d" } }
+
+test Krb5.appdefaults get
+ "[appdefaults]\nrcp = { \n forward = true\n encrypt = false\n }\n" =
+ { "appdefaults"
+ { "application" = "rcp"
+ { "forward" = "true" }
+ { "encrypt" = "false" } } }
+
+test Krb5.appdefaults get "[appdefaults]\ntelnet = {\n\t}\n" =
+ { "appdefaults" { "application" = "telnet" } }
+
+test Krb5.appdefaults get "[appdefaults]
+ rcp = {
+ forward = true
+ ATHENA.MIT.EDU = {
+ encrypt = false
+ }
+ MEDIA-LAB.MIT.EDU = {
+ encrypt = true
+ }
+ forwardable = true
+ }\n" =
+ { "appdefaults"
+ { "application" = "rcp"
+ { "forward" = "true" }
+ { "realm" = "ATHENA.MIT.EDU"
+ { "encrypt" = "false" } }
+ { "realm" = "MEDIA-LAB.MIT.EDU"
+ { "encrypt" = "true" } }
+ { "forwardable" = "true" } } }
+
+let appdef = "[appdefaults]
+ default_lifetime = 7d
+ retain_ccache = false
+ autologin = true
+ forward = true
+ forwardable = true
+ renewable = true
+ encrypt = true
+ krb5_aklog_path = /usr/bin/aklog
+
+ telnet = {
+ }
+
+ rcp = {
+ forward = true
+ encrypt = false
+ allow_fallback = true
+ }
+
+ rsh = {
+ allow_fallback = true
+ }
+
+ rlogin = {
+ allow_fallback = false
+ }
+
+
+ login = {
+ forwardable = true
+ krb5_run_aklog = false
+ krb5_get_tickets = true
+ krb4_get_tickets = false
+ krb4_convert = false
+ }
+
+ kinit = {
+ forwardable = true
+ krb5_run_aklog = false
+ }
+
+ kadmin = {
+ forwardable = false
+ }
+
+ rshd = {
+ krb5_run_aklog = false
+ }
+
+ ftpd = {
+ krb5_run_aklog = false
+ default_lifetime = 10h
+ }
+
+ pam = {
+ debug = false
+ forwardable = true
+ renew_lifetime = 7d
+ ticket_lifetime = 1560m
+ krb4_convert = true
+ afs_cells = fnal.gov
+ krb5_run_aklog = false
+ }\n"
+
+let appdef_tree =
+ { "appdefaults"
+ { "default_lifetime" = "7d" }
+ { "retain_ccache" = "false" }
+ { "autologin" = "true" }
+ { "forward" = "true" }
+ { "forwardable" = "true" }
+ { "renewable" = "true" }
+ { "encrypt" = "true" }
+ { "krb5_aklog_path" = "/usr/bin/aklog" }
+ { }
+ { "application" = "telnet" }
+ { }
+ { "application" = "rcp"
+ { "forward" = "true" }
+ { "encrypt" = "false" }
+ { "allow_fallback" = "true" }
+ }
+ { }
+ { "application" = "rsh"
+ { "allow_fallback" = "true" }
+ }
+ { }
+ { "application" = "rlogin"
+ { "allow_fallback" = "false" }
+ }
+ { }
+ { }
+ { "application" = "login"
+ { "forwardable" = "true" }
+ { "krb5_run_aklog" = "false" }
+ { "krb5_get_tickets" = "true" }
+ { "krb4_get_tickets" = "false" }
+ { "krb4_convert" = "false" }
+ }
+ { }
+ { "application" = "kinit"
+ { "forwardable" = "true" }
+ { "krb5_run_aklog" = "false" }
+ }
+ { }
+ { "application" = "kadmin"
+ { "forwardable" = "false" }
+ }
+ { }
+ { "application" = "rshd"
+ { "krb5_run_aklog" = "false" }
+ }
+ { }
+ { "application" = "ftpd"
+ { "krb5_run_aklog" = "false" }
+ { "default_lifetime" = "10h" }
+ }
+ { }
+ { "application" = "pam"
+ { "debug" = "false" }
+ { "forwardable" = "true" }
+ { "renew_lifetime" = "7d" }
+ { "ticket_lifetime" = "1560m" }
+ { "krb4_convert" = "true" }
+ { "afs_cells" = "fnal.gov" }
+ { "krb5_run_aklog" = "false" }
+ }
+ }
+
+
+test Krb5.appdefaults get appdef = appdef_tree
+test Krb5.lns get appdef = appdef_tree
+
+
+(* Test realms section *)
+let realms_str = "[realms]
+ ATHENA.MIT.EDU = {
+ admin_server = KERBEROS.MIT.EDU
+ default_domain = MIT.EDU
+ database_module = ldapconf
+ v4_instance_convert = {
+ mit = mit.edu
+ lithium = lithium.lcs.mit.edu
+ }
+ v4_realm = LCS.MIT.EDU
+ }\n"
+
+test Krb5.lns get realms_str =
+ { "realms"
+ { "realm" = "ATHENA.MIT.EDU"
+ { "admin_server" = "KERBEROS.MIT.EDU" }
+ { "default_domain" = "MIT.EDU" }
+ { "database_module" = "ldapconf" }
+ { "v4_instance_convert"
+ { "mit" = "mit.edu" }
+ { "lithium" = "lithium.lcs.mit.edu" } }
+ { "v4_realm" = "LCS.MIT.EDU" } } }
+
+(* Test dpmain_realm section *)
+let domain_realm_str = "[domain_realm]
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+ dodo.mit.edu = SMS_TEST.MIT.EDU
+ .ucsc.edu = CATS.UCSC.EDU\n"
+
+test Krb5.lns get domain_realm_str =
+ { "domain_realm"
+ { ".mit.edu" = "ATHENA.MIT.EDU" }
+ { "mit.edu" = "ATHENA.MIT.EDU" }
+ { "dodo.mit.edu" = "SMS_TEST.MIT.EDU" }
+ { ".ucsc.edu" = "CATS.UCSC.EDU" } }
+
+(* Test logging section *)
+let logging_str = "[logging]
+ kdc = CONSOLE
+ kdc = SYSLOG:INFO:DAEMON
+ admin_server = FILE:/var/adm/kadmin.log
+ admin_server = DEVICE=/dev/tty04\n"
+
+test Krb5.lns get logging_str =
+ { "logging"
+ { "kdc"
+ { "console" } }
+ { "kdc"
+ { "syslog"
+ { "severity" = "INFO" }
+ { "facility" = "DAEMON" } } }
+ { "admin_server"
+ { "file" = "/var/adm/kadmin.log" } }
+ { "admin_server"
+ { "device" = "/dev/tty04" } } }
+
+(* Test capaths section *)
+let capaths_str = "[capaths]
+ ANL.GOV = {
+ TEST.ANL.GOV = .
+ PNL.GOV = ES.NET
+ NERSC.GOV = ES.NET
+ ES.NET = .
+ }
+ TEST.ANL.GOV = {
+ ANL.GOV = .
+ }
+ PNL.GOV = {
+ ANL.GOV = ES.NET
+ }
+ NERSC.GOV = {
+ ANL.GOV = ES.NET
+ }
+ ES.NET = {
+ ANL.GOV = .
+ }\n"
+
+test Krb5.lns get capaths_str =
+ { "capaths"
+ { "ANL.GOV"
+ { "TEST.ANL.GOV" = "." }
+ { "PNL.GOV" = "ES.NET" }
+ { "NERSC.GOV" = "ES.NET" }
+ { "ES.NET" = "." } }
+ { "TEST.ANL.GOV"
+ { "ANL.GOV" = "." } }
+ { "PNL.GOV"
+ { "ANL.GOV" = "ES.NET" } }
+ { "NERSC.GOV"
+ { "ANL.GOV" = "ES.NET" } }
+ { "ES.NET"
+ { "ANL.GOV" = "." } } }
+
+(* Test instancemapping *)
+
+test Krb5.instance_mapping get "[instancemapping]
+ afs = {
+ cron/* = \"\"
+ cms/* = \"\"
+ afs/* = \"\"
+ e898/* = \"\"
+ }\n" =
+ { "instancemapping"
+ { "afs"
+ { "mapping" = "cron/*"
+ { "value" = "" } }
+ { "mapping" = "cms/*"
+ { "value" = "" } }
+ { "mapping" = "afs/*"
+ { "value" = "" } }
+ { "mapping" = "e898/*"
+ { "value" = "" } } } }
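Review bot: Every test in this file runs the lens in the `get` direction only, so nothing exercises the direction that actually rewrites /etc/krb5.conf, which is where a malformed output breaks authentication on the host. I would add at least one `put` test that creates a realm from an empty section, e.g. `test Krb5.lns put "[realms]\n" after set "/realms/realm" "EXAMPLE.COM"; set "/realms/realm/kdc" "kdc.example.com" = "[realms]\nEXAMPLE.COM = {\nkdc = kdc.example.com\n}\n"`. Judging from the lens's `eq_openbr` default of `" = {"` and the empty default of `indent`, I expect it currently to emit the first option on the same line as the opening brace, which I believe libkrb5's profile parser does not accept, so such a test should fail until the lens default ends with a newline — worth confirming against a real client. Minor: the comments `(* Example from the krb5 distrubution *)`, `(* Test for [appfdefaults] *)` and `(* Test dpmain_realm section *)` have typos (`distribution`, `appdefaults`, `domain_realm`).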
--
1.6.0.6