[augeas-devel] adjustment to the krb5.aug lens
Raphaël Pinson
raphink at gmail.com
Wed Feb 8 10:56:17 UTC 2012
Hello,
On Tue, Feb 7, 2012 at 11:12 PM, Pat Riehecky <riehecky at fnal.gov> wrote:
> The krb5.aug lens is unable to parse my site's krb5.conf (publicly
> available at http://security.fnal.gov/krb5.conf)
From looking at it, here are the stanzas that are not recognized:
line 90:
default_tgs_enctypes = des-cbc-crc des3-cbc-sha1
default_tkt_enctypes = des-cbc-crc des3-cbc-sha1
line 190:
v4_name_convert = {
    host = {
        rcmd = host
    }
}
line 203:
ticket_lifetime = 30h
Hint: you can use augcheck [0] to spot these errors easily.
> I've almost gotten it to be able to read the v4_name_convert section (line
> 194) but just can't seem to get it right.
>
> My patch below gets me almost there, but I'm stuck for what to do to fixup
> the last little bit. I can get
>
> CERN.CH = {
>     kdc = cerndc.cern.ch:88
>     master_kdc = cerndc.cern.ch:88
>     default_domain = cern.ch
>     kpasswd_server = afskrb5m.cern.ch
>     admin_server = afskrb5m.cern.ch
>     v4_name_convert = {
>         host = rcmd
>     }
> }
>
> to work with this patch but not
>
> CERN.CH = {
>     kdc = cerndc.cern.ch:88
>     master_kdc = cerndc.cern.ch:88
>     default_domain = cern.ch
>     kpasswd_server = afskrb5m.cern.ch
>     admin_server = afskrb5m.cern.ch
>     v4_name_convert = {
>         host = {
>             rcmd = host
>         }
>     }
> }
>
> My various attempts all end up breaking v4_instance_convert.
>
> I tried the suggestion offered some ways back of making the v4_name_convert
> section more top level, but the entry in libdefaults is a true/false while
> the one in a realm is much more tree like. It seemed that would make
> matters worse.
>
> May I request a little help?
>
> --- lenses/krb5.aug.orig 2012-02-07 14:00:13.349952582 -0600
> +++ lenses/krb5.aug 2012-02-07 16:02:03.465813208 -0600
> @@ -24,7 +24,7 @@ let realm_re = /[A-Z][.a-zA-Z0-9-]*/
> let app_re = /[a-z][a-zA-Z0-9_]*/
> let name_re = /[.a-zA-Z0-9_-]+/
>
> -let value = store /[^;# \t\n{}]+/
> +let value = store /[^;# \t\n{}]|[^;# \t\n{}][^#\n]*[^;# \t\n{}]/
OK. I guess this is meant to parse "des-cbc-crc des3-cbc-sha1". Maybe
it would be nicer to represent this as a list?
> let entry (kw:regexp) (sep:lens) (comment:lens)
> = [ indent . key kw . sep . value . (comment|eol) ] | comment
>
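Review bot: the replacement `value` on the `+` line admits `;`, `{` and `}` in the middle of a value through `[^#\n]*`, characters the original `[^;# \t\n{}]+` excluded everywhere (presumably because the `comment` and brace lenses claim them), so a value followed by a `;` comment on the same line, or a stray `{`, would now be swallowed into the stored value instead of being handed to `comment` or `closebr`. If the only goal is to accept embedded spaces for `default_tgs_enctypes = des-cbc-crc des3-cbc-sha1`, keep the old character class for the inner part, e.g. `/[^;# \t\n{}]([^;#\n{}]*[^;# \t\n{}])?/`, or store each enctype as its own list node as suggested above.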
> @@ -61,8 +61,8 @@ let appdefaults =
> let realms =
> let simple_option = /kdc|admin_server|database_module|default_domain/
> |/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
> - |/admin_server/ in
> - let subsec_option = /v4_instance_convert/ in
> + |/admin_server|ticket_lifetime/ in
> + let subsec_option = /v4_instance_convert|v4_name_convert/ in
> let option = entry simple_option eq comment in
> let subsec = [ indent . key subsec_option . eq_openbr .
> (entry name_re eq comment)* . closebr . eol ] in
>
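Review bot: adding `v4_name_convert` to `subsec_option` only gets one level deep, because the unchanged `subsec` body is `(entry name_re eq comment)*`, which accepts `host = rcmd` but has no alternative for a nested `host = { rcmd = host }` block; that is exactly why the first sample parses and the second does not. The body needs a lens that also accepts `key = { ... }` (a recursive `let rec` entry lens, or a second-level subsection lens for `host`). Minor: `admin_server` is already listed in the first alternative of `simple_option`, so the `+` line's `|/admin_server|ticket_lifetime/` duplicates it and could be reduced to `|/ticket_lifetime/`.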
You're allowing a subsection called "v4_name_convert" to be created inside
realms sections, but not a sub-subsection called "host" inside that
"v4_name_convert", hence your issue.
That might eventually become quite complex. I'll see if this can be
simplified using the new Build.block* constructs.
Raphaël
[0] https://github.com/raphink/augeas-sandbox
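One way to let the realm subsection nest to arbitrary depth, as an added sketch that is neither part of krb5.aug nor of the patch above: a recursive entry lens built only from the helpers the quoted hunks already use (indent, eq, eq_openbr, closebr, eol, comment, entry, name_re). It assumes those helpers keep their current definitions and that the typechecker accepts the union; it has not been run through augparse here.

```augeas
(* Added sketch, not from krb5.aug: a subsection body is any mix of
   simple "k = v" entries and nested "k = { ... }" blocks, recursively.
   Assumes indent, eq, eq_openbr, closebr, eol, comment, entry and
   name_re are the ones already defined in krb5.aug. *)
let rec block_entry =
    (* plain "key = value" line, or a comment line *)
    entry name_re eq comment
    (* nested "key = {" ... "}" block; value cannot start with "{",
       so the two branches stay disjoint for the typechecker *)
  | [ indent . key name_re . eq_openbr . block_entry* . closebr . eol ]

(* Realm-level subsections keep their restricted key set; only the
   body changes, so v4_instance_convert parses exactly as before and
   v4_name_convert = { host = { rcmd = host } } becomes
   v4_name_convert/host/rcmd = "host" in the tree. *)
let subsec_option = /v4_instance_convert|v4_name_convert/
let subsec = [ indent . key subsec_option . eq_openbr
             . block_entry* . closebr . eol ]
```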