[augeas-devel] krb5.conf file update not working unless line already exists. What am I doing wrong?
Spike White
spikewhitetx at gmail.com
Thu Feb 18 18:46:39 UTC 2021
augeas experts,
I am trying to update my /etc/krb5.conf. I'm testing (for now) with a
/tmp/krb5.conf file on RHEL7.
I have to have it not autoload all files, as there's some syntax in some
other files augeas doesn't understand.
Here is my old krb5.aug file (which works).
set /augeas/load/Krb5/incl "/tmp/krb5.conf"
set /augeas/load/Krb5/lens "Krb5.lns"
load
defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = 'AMER.DELL.COM' ]
defnode libdefaults /files/tmp/krb5.conf/libdefaults
set $realms_AMER_DELL_COM AMER.DELL.COM
set $realms_AMER_DELL_COM/#comment LANDMARK
set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'
set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'
set $libdefaults/default_realm AMER.DELL.COM
set $libdefaults/dns_lookup_kdc true
set /files/etc/krb5.conf/libdefaults/rdns false
set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM
save
I run it thusly: augtool --noautoload -f krb5.aug
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AMER.DELL.COM
dns_lookup_kdc = true
default_etypes_des = des-cbc-crc
default_tgs_enctypes = arcfour-hmac-md5
default_tkt_enctypes = arcfour-hmac-md5
[realms]
AMER.DELL.COM = {
#LANDMARK
auth_to_local = RULE:[1:$1]
auth_to_local = DEFAULT
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.isus.emc.com = AMER.DELL.COM
Here's my problem. I want to restrict my default_tgs_enctypes
and default_tkt_enctypes to only the strong-ish encryption types (I know
the arcfour-hmac-md5 is not terribly strong today).
So if I change my krb5.aug file to this:
set /augeas/load/Krb5/incl "/tmp/krb5.conf"
set /augeas/load/Krb5/lens "Krb5.lns"
load
defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = 'AMER.DELL.COM' ]
defnode libdefaults /files/tmp/krb5.conf/libdefaults
set $realms_AMER_DELL_COM AMER.DELL.COM
set $realms_AMER_DELL_COM/#comment LANDMARK
set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'
set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'
set $libdefaults/default_realm AMER.DELL.COM
set $libdefaults/dns_lookup_kdc true
set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
set /files/etc/krb5.conf/libdefaults/rdns false
set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM
save
It fails. The only extra lines are the $libdefaults/default_tgs_enctypes
and the $libdefaults/default_tkt_enctypes set lines.
However, if I change my /tmp/krb5.conf file so that 3 default_tgs_enctypes
and 3 default_tkt_enctypes already exist, it succeeds.
Example before:
...
[libdefaults]
...
default_tgs_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc
default_tkt_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc
then run augtool --noautoload -f /tmp/krb5.aug
After:
[libdefaults]
...
default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
I thought the "set" operator was supposed to create a node entry if it didn't
already exist.
Why does it fail to modify these entries, unless the lines already exist,
with 3 entries already?
Spike
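As an added example (not part of the post above, and not using augeas): a small Python helper that gives the "replace if present, create if absent" behaviour the post expects for the multi-valued enctype keys in [libdefaults], plus a check for the weak enctypes the post mentions. The sample krb5.conf is constructed from the shape shown in the post; the function names and the WEAK_ENCTYPES list are this example's own.

```python
import re

# Constructed sample: the [libdefaults] / [realms] shape from the post, with no enctype lines.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = AMER.DELL.COM
 dns_lookup_kdc = true

[realms]
 AMER.DELL.COM = {
  auth_to_local = RULE:[1:$1]
  auth_to_local = DEFAULT
 }
"""

# Enctypes a client should not offer any more (single DES, RC4 and 3DES variants).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
                 "arcfour-hmac-md5", "arcfour-hmac", "arcfour-hmac-exp"}


def get_libdefaults_list(conf, key):
    """Return the space-separated values of `key` in [libdefaults], or None if absent."""
    in_section = False
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = s == "[libdefaults]"
        elif in_section:
            m = re.match(rf"{re.escape(key)}\s*=\s*(.*)$", s)
            if m:
                return m.group(1).split()
    return None


def set_libdefaults_list(conf, key, values):
    """Write `key = v1 v2 ...` into [libdefaults]: replace the whole existing
    value list if the key is there, otherwise create the line under the header."""
    new_line = f" {key} = {' '.join(values)}"
    exists = get_libdefaults_list(conf, key) is not None
    out, in_section = [], False
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = s == "[libdefaults]"
            out.append(line)
            if in_section and not exists:        # key absent: create it right under the header
                out.append(new_line)
        elif in_section and exists and re.match(rf"{re.escape(key)}\s*=", s):
            out.append(new_line)                 # key present: replace its value list
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def weak_enctypes(values):
    """Return the subset of `values` that are on the weak list."""
    return [v for v in values if v in WEAK_ENCTYPES]
```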