[augeas-devel] adjustment to the krb5.aug lense

Raphaël Pinson raphink at gmail.com
Wed Feb 8 11:03:40 UTC 2012 

2012/2/8 Raphaël Pinson <raphink at gmail.com>:
> Hello,
>
>
> On Tue, Feb 7, 2012 at 11:12 PM, Pat Riehecky <riehecky at fnal.gov> wrote:
>> The krb5.aug lense is unable to parse my site's krb5.conf (publicly
>> available at http://security.fnal.gov/krb5.conf)
>
>
> From looking at it, here are the stanzas that are not recognized:
>
> line 90:
> default_tgs_enctypes = des-cbc-crc des3-cbc-sha1
> default_tkt_enctypes = des-cbc-crc des3-cbc-sha1
>
> line 190:
> v4_name_convert = {
>   host = {
>      rcmd = host
>   }
> }
>
> line 203:
> ticket_lifetime = 30h
>
>
> Hint: you can use augcheck [0] to spot these errors easily.
>
>
>> I've almost gotten it to be able to read the v4_name_convert section (line
>> 194) but just can't seem to get it right.
>>
>> My patch below gets me almost there, but I'm stuck for what to do to fixup
>> the last little bit.  I can get
>>
>> CERN.CH = {
>>     kdc = cerndc.cern.ch:88
>>     master_kdc = cerndc.cern.ch:88
>>     default_domain = cern.ch
>>     kpasswd_server = afskrb5m.cern.ch
>>     admin_server = afskrb5m.cern.ch
>>     v4_name_convert = {
>>           host = rcmd
>>          }
>> }
>>
>> to work with this patch but not
>>
>> CERN.CH = {
>>     kdc = cerndc.cern.ch:88
>>     master_kdc = cerndc.cern.ch:88
>>     default_domain = cern.ch
>>     kpasswd_server = afskrb5m.cern.ch
>>     admin_server = afskrb5m.cern.ch
>>     v4_name_convert = {
>>           host = {
>>                  rcmd = host
>>                  }
>>          }
>> }
>>
>> My various attempts all end up breaking v4_instance_convert.
>>
>> I tried the suggestion offered some ways back of making the v4_name_convert
>> section more top level, but the entry in libdefaults is a true/false while
>> the one in a realm is much more tree like.  It seemed that would make
>> matters worse.
>>
>> May I request a little help?
>>
>> --- lenses/krb5.aug.orig    2012-02-07 14:00:13.349952582 -0600
>> +++ lenses/krb5.aug    2012-02-07 16:02:03.465813208 -0600
>> @@ -24,7 +24,7 @@ let realm_re = /[A-Z][.a-zA-Z0-9-]*/
>>  let app_re = /[a-z][a-zA-Z0-9_]*/
>>  let name_re = /[.a-zA-Z0-9_-]+/
>>
>> -let value = store /[^;# \t\n{}]+/
>> +let value = store /[^;# \t\n{}]|[^;# \t\n{}][^#\n]*[^;# \t\n{}]/
>
> OK. I guess this is meant to parse "des-cbc-crc des3-cbc-sha1". Maybe
> it would be nicer to represent this as a list?
>
>
>>  let entry (kw:regexp) (sep:lens) (comment:lens)
>>     = [ indent . key kw . sep . value . (comment|eol) ] | comment
>>
>> @@ -61,8 +61,8 @@ let appdefaults =
>>  let realms =
>>   let simple_option = /kdc|admin_server|database_module|default_domain/
>>       |/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
>> -      |/admin_server/ in
>> -  let subsec_option = /v4_instance_convert/ in
>> +      |/admin_server|ticket_lifetime/ in
>> +  let subsec_option = /v4_instance_convert|v4_name_convert/ in
>>   let option = entry simple_option eq comment in
>>   let subsec = [ indent . key subsec_option . eq_openbr .
>>                    (entry name_re eq comment)* . closebr . eol ] in
>>
>
>
> You're allowing to create a subsection called "v4_name_convert" inside
> realms sections, but not to create a sub-subsection called "host"
> inside this "v4_name_convert", hence your issue.
>
> That might eventually become quite complex. I'll see if this can be
> simplified using the new Build.block* constructs.
>
>


Actually, I see that libdefaults already supports "v4_name_convert"
constructs, so the easiest might well be to take it out of
libdefaults, put it in the general scope, and call it in realms. So,
something like this fixes your problem:

--- a/lenses/krb5.aug
+++ b/lenses/krb5.aug
@@ -37,13 +37,14 @@ let record (t:string) (e:lens) =
   let title = Inifile.indented_title t in
     Inifile.record title e

+let v4_name_convert (subsec:lens) = [ indent . key "v4_name_convert"
. eq_openbr .
+                        subsec* . closebr . eol ]
+
 let libdefaults =
   let option = entry (name_re - "v4_name_convert") eq comment in
   let subsec = [ indent . key /host|plain/ . eq_openbr .
                    (entry name_re eq comment)* . closebr . eol ] in
-  let v4_name_convert = [ indent . key "v4_name_convert" . eq_openbr .
-                          subsec* . closebr . eol ] in
-  record "libdefaults" (option|v4_name_convert)
+  record "libdefaults" (option|(v4_name_convert subsec))

 let login =
   let keys = /krb[45]_get_tickets|krb4_convert|krb_run_aklog/
@@ -67,7 +68,7 @@ let realms =
   let subsec = [ indent . key subsec_option . eq_openbr .
                    (entry name_re eq comment)* . closebr . eol ] in
   let realm = [ indent . label "realm" . store realm_re .
-                  eq_openbr . (option|subsec)* . closebr . eol ] in
+                  eq_openbr . (option|subsec|(v4_name_convert
subsec))* . closebr . eol ] in
     record "realms" (realm|comment)

 let domain_realm =



Raphaël

More information about the augeas-devel mailing list