[augeas-devel] krb5.conf file update not working unless line already exists. What am I doing wrong?

Mon Feb 22 20:21:12 UTC 2021

In summary,  here's a simple augtool file:

set /augeas/load/Krb5/incl "/etc/krb5.conf"
set /augeas/load/Krb5/lens "Krb5.lns"
load
defnode libdefaults /files/etc/krb5.conf/libdefaults
set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
save
print /augeas//error

Here's a simple /etc/krb5.conf file:

[libdefaults]
 default_realm = AMER.DELL.COM
 ticket_lifetime = 36000
 forwardable = true

[domain_realm]
 auspslpltinf1.us.dell.com = AMER.DELL.COM

Here's the augtool invocation:

augtool --noautoload -f krb5.aug

Here's the error:

[root at auspslpltinf1 tmp]# augtool --noautoload -f krb5.aug
error: Failed to execute command
saving failed (run 'print /augeas//error' for details)
/augeas/files/etc/krb5.conf/error = "put_failed"
/augeas/files/etc/krb5.conf/error/path = "/files/etc/krb5.conf/libdefaults"
/augeas/files/etc/krb5.conf/error/lens =
"/usr/share/augeas/lenses/dist/inifile.aug:353.27-354.17:"
/augeas/files/etc/krb5.conf/error/message = "Failed to match \n    ({
/[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt][Yy][Pp][Ee](([Ss][.0-9A-Z_a-z-]|[.0-9A-RT-Z_a-rt-z-])[.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt][Yy][Pp]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt][Yy]([.0-9A-OQ-Z_a-oq-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc][Tt]([.0-9A-XZ_a-xz-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn][Cc]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee][Nn]([.0-9ABD-Z_abd-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_[Ee]([.0-9A-MO-Z_a-mo-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]_([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg][Ss]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt][Yy][Pp][Ee](([Ss][.0-9A-Z_a-z-]|[.0-9A-RT-Z_a-rt-z-])[.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt][Yy][Pp]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt][Yy]([.0-9A-OQ-Z_a-oq-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc][Tt]([.0-9A-XZ_a-xz-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn][Cc]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee][Nn]([.0-9ABD-Z_abd-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_[Ee]([.0-9A-MO-Z_a-mo-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]_([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk][Tt]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Kk]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt][Gg]([.0-9A-RT-Z_a-rt-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_[Tt]([.0-9A-FH-JL-Z_a-fh-jl-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]_([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll][Tt]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu][Ll]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa][Uu]([.0-9A-KM-Z_a-km-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff][Aa]([.0-9A-TV-Z_a-tv-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee][Ff]([.0-9B-Z_b-z-][.0-9A-Z_a-z-]*|)|[Dd][Ee]([.0-9A-EG-Z_a-eg-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt][Yy][Pp][Ee](([Ss][.0-9A-Z_a-z-]|[.0-9A-RT-Z_a-rt-z-])[.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt][Yy][Pp]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt][Yy]([.0-9A-OQ-Z_a-oq-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc][Tt]([.0-9A-XZ_a-xz-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn][Cc]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee][Nn]([.0-9ABD-Z_abd-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_[Ee]([.0-9A-MO-Z_a-mo-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]_([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee][Dd]([.0-9A-Za-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt][Ee]([.0-9A-CE-Z_a-ce-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt][Tt]([.0-9A-DF-Z_a-df-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii][Tt]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm][Ii]([.0-9A-SU-Z_a-su-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr][Mm]([.0-9A-HJ-Z_a-hj-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee][Rr]([.0-9A-LN-Z_a-ln-z-][.0-9A-Z_a-z-]*|)|[Pp][Ee]([.0-9A-QS-Z_a-qs-z-][.0-9A-Z_a-z-]*|)|([Pp][.0-9A-DF-Z_a-df-z-]|[Dd][.0-9A-DF-Z_a-df-z-]|[.0-9A-CE-OQ-Z_a-ce-oq-uw-z-][.0-9A-Z_a-z-])([.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|)|(v4_name_convert[.0-9A-Z_a-z-][.0-9A-Z_a-z-]|v4_name_conver[.0-9A-Z_a-su-z-][.0-9A-Z_a-z-])[.0-9A-Z_a-z-]*|v4_name_convert[.0-9A-Z_a-z-]|v4_name_conver[.0-9A-Z_a-su-z-]|v4_name_conver|v4_name_conve[.0-9A-Z_a-qs-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_conve[.0-9A-Z_a-qs-z-]|v4_name_conve|v4_na[.0-9A-Z_a-ln-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_na[.0-9A-Z_a-ln-z-]|v4_na|v[.0-35-9A-Z_a-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v[.0-35-9A-Z_a-z-]|v4[.0-9A-Za-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4[.0-9A-Za-z-]|v4|v4_n[.0-9A-Z_b-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_n[.0-9A-Z_b-z-]|v4_n|v4_[.0-9A-Z_a-mo-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_[.0-9A-Z_a-mo-z-]|v4_|v4_nam[.0-9A-Z_a-df-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_nam[.0-9A-Z_a-df-z-]|v4_nam|v4_name_conv[.0-9A-Z_a-df-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_conv[.0-9A-Z_a-df-z-]|v4_name_conv|v4_name_con[.0-9A-Z_a-uw-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_con[.0-9A-Z_a-uw-z-]|v4_name_con|v4_name_co[.0-9A-Z_a-mo-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_co[.0-9A-Z_a-mo-z-]|v4_name_co|v4_name_c[.0-9A-Z_a-np-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_c[.0-9A-Z_a-np-z-]|v4_name_c|v4_name_[.0-9A-Z_abd-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name_[.0-9A-Z_abd-z-]|v4_name_|v4_name[.0-9A-Za-z-][.0-9A-Z_a-z-][.0-9A-Z_a-z-]*|v4_name[.0-9A-Za-z-]|v4_name|v|[Pp]|[Dd]|[.0-9A-CE-OQ-Z_a-ce-oq-uw-z-]/
= /[^\\001-\\004\\t\\n #;]+/ } | { /#comment/ = /(([^\\001-\\004\\t\\n
][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | {
/permitted_enctypes/ = /[0-9A-Za-z-]{3,}/ }({ /permitted_enctypes/ =
/[0-9A-Za-z-]{3,}/ })*({ /#comment/ = /(([^\\001-\\004\\t\\n
][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | ()){
/#eol/ } | { /default_tgs_enctypes/ = /[0-9A-Za-z-]{3,}/ }({
/default_tgs_enctypes/ = /[0-9A-Za-z-]{3,}/ })*({ /#comment/ =
/(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n
]|[^\\001-\\004\\t\\n ]))?/ } | ()){ /#eol/ } | { /default_tkt_enctypes/ =
/[0-9A-Za-z-]{3,}/ }({ /default_tkt_enctypes/ = /[0-9A-Za-z-]{3,}/ })*({
/#comment/ = /(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n
]|[^\\001-\\004\\t\\n ]))?/ } | ()){ /#eol/ } | { /v4_name_convert/ } | {
})*\n  with tree\n    { \"default_realm\" = \"AMER.DELL.COM\" } {
\"ticket_lifetime\" = \"36000\" } { \"forwardable\" = \"true\" } {  } {
\"default_tgs_enctypes\" = \"arcfour-hmac-md5\" } {
\"default_tgs_enctypes\" = \"aes128-cts-hmac-sha1-96\" } {
\"default_tgs_enctypes\" = \"aes256-cts-hmac-sha1-96\" } {
\"default_tkt_enctypes\" = \"arcfour-hmac-md5\" } {
\"default_tkt_enctypes\" = \"aes128-cts-hmac-sha1-96\" } {
\"default_tkt_enctypes\" = \"aes256-cts-hmac-sha1-96\" }"

If I manually fix up the /etc/krb5.conf file:

[libdefaults]
  default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
  default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
 default_realm = AMER.DELL.COM
 ticket_lifetime = 36000
 forwardable = true

[domain_realm]
 auspslpltinf1.us.dell.com = AMER.DELL.COM

the augtool invocation works fine.

Spike

On Thu, Feb 18, 2021 at 12:46 PM Spike White <spikewhitetx at gmail.com> wrote:

> augeas experts,
>
> I am trying to update my /etc/krb5.conf.  I'm testing (for now) with a
> /tmp/krb5.conf file on RHEL7.
>
> I have to have it not autoload all files, as there's some syntax in some
> other files augeas doesn't understand.
>
> Here is my old krb5.aug file (which works).
>
> set /augeas/load/Krb5/incl "/tmp/krb5.conf"
> set /augeas/load/Krb5/lens "Krb5.lns"
> load
> defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = '
> AMER.DELL.COM' ]
> defnode libdefaults /files/tmp/krb5.conf/libdefaults
> set $realms_AMER_DELL_COM AMER.DELL.COM
> set $realms_AMER_DELL_COM/#comment LANDMARK
> set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'
> set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'
> set $libdefaults/default_realm AMER.DELL.COM
> set $libdefaults/dns_lookup_kdc true
> set /files/etc/krb5.conf/libdefaults/rdns false
> set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM
> save
>
> I run it thusly:  augtool --noautoload -f krb5.aug
>
> # Configuration snippets may be placed in this directory as well
> includedir /etc/krb5.conf.d/
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = AMER.DELL.COM
>  dns_lookup_kdc = true
>  default_etypes_des = des-cbc-crc
>  default_tgs_enctypes = arcfour-hmac-md5
>  default_tkt_enctypes = arcfour-hmac-md5
>
> [realms]
> AMER.DELL.COM = {
>    #LANDMARK
> auth_to_local = RULE:[1:$1]
> auth_to_local = DEFAULT
> }
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
> .isus.emc.com = AMER.DELL.COM
>
> Here's my problem.  I want to restrict my /default_tgs_enctypes
> and default_tkt_enctypes to only the strong-ish encryption types (I know
> the arcfour-hmac-md5 is not terribly strong today).
>
> so if i change my krb5.aug file to this:
>
> set /augeas/load/Krb5/incl "/tmp/krb5.conf"
> set /augeas/load/Krb5/lens "Krb5.lns"
> load
> defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = '
> AMER.DELL.COM' ]
> defnode libdefaults /files/tmp/krb5.conf/libdefaults
> set $realms_AMER_DELL_COM AMER.DELL.COM
> set $realms_AMER_DELL_COM/#comment LANDMARK
> set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'
> set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'
> set $libdefaults/default_realm AMER.DELL.COM
> set $libdefaults/dns_lookup_kdc true
> set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
> set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
> set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
> set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
> set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
> set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
> set /files/etc/krb5.conf/libdefaults/rdns false
> set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM
> save
>
> It fails.  The only extra lines are the  $libdefaults/default_tgs_enctypes
> and the  $libdefaults/default_tkt_enctypes set lines.
>
> However, if I change my /tmp/krb5.conf file so that 3 default_tgs_enctypes
> and 3 default_tkt_enctypes already exist, it succeeds.
>
> Example before:
> ...
> [libdefaults]
>  ...
>  default_tgs_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc
>  default_tkt_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc
>
> then run augtool --noautoload -f /tmp/krb5.aug
>
> After:
> [libdefaults]
> ...
>  default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96
> aes256-cts-hmac-sha1-96
>  default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96
> aes256-cts-hmac-sha1-96
>
> I thought "set" operator was supposed to create a node entry if it didn't
> already exist.
>
> Why does it fail to modify these entries, unless the lines already exist,
> with 3 entries already?
>
> Spike
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/augeas-devel/attachments/20210222/17bf594a/attachment.htm>