[augeas-devel] adjustment to the krb5.aug lense

Pat Riehecky riehecky at fnal.gov
Thu Apr 19 21:47:40 UTC 2012 

On 02/08/2012 05:03 AM, Raphaël Pinson wrote:
> 2012/2/8 Raphaël Pinson<raphink at gmail.com>:
>> Hello,
>>
>>
>> On Tue, Feb 7, 2012 at 11:12 PM, Pat Riehecky<riehecky at fnal.gov>  wrote:
>>> The krb5.aug lense is unable to parse my site's krb5.conf (publicly
>>> available at http://security.fnal.gov/krb5.conf)
>>
>>  From looking at it, here are the stanzas that are not recognized:
>>
>> line 90:
>> default_tgs_enctypes = des-cbc-crc des3-cbc-sha1
>> default_tkt_enctypes = des-cbc-crc des3-cbc-sha1
>>
>> line 190:
>> v4_name_convert = {
>>    host = {
>>       rcmd = host
>>    }
>> }
>>
>> line 203:
>> ticket_lifetime = 30h
>>
>>
>> Hint: you can use augcheck [0] to spot these errors easily.
>>
>>
>>> I've almost gotten it to be able to read the v4_name_convert section (line
>>> 194) but just can't seem to get it right.
>>>
>>> My patch below gets me almost there, but I'm stuck for what to do to fixup
>>> the last little bit.  I can get
>>>
>>> CERN.CH = {
>>>      kdc = cerndc.cern.ch:88
>>>      master_kdc = cerndc.cern.ch:88
>>>      default_domain = cern.ch
>>>      kpasswd_server = afskrb5m.cern.ch
>>>      admin_server = afskrb5m.cern.ch
>>>      v4_name_convert = {
>>>            host = rcmd
>>>           }
>>> }
>>>
>>> to work with this patch but not
>>>
>>> CERN.CH = {
>>>      kdc = cerndc.cern.ch:88
>>>      master_kdc = cerndc.cern.ch:88
>>>      default_domain = cern.ch
>>>      kpasswd_server = afskrb5m.cern.ch
>>>      admin_server = afskrb5m.cern.ch
>>>      v4_name_convert = {
>>>            host = {
>>>                   rcmd = host
>>>                   }
>>>           }
>>> }
>>>
>>> My various attempts all end up breaking v4_instance_convert.
>>>
>>> I tried the suggestion offered some ways back of making the v4_name_convert
>>> section more top level, but the entry in libdefaults is a true/false while
>>> the one in a realm is much more tree like.  It seemed that would make
>>> matters worse.
>>>
>>> May I request a little help?
>>>
>>> --- lenses/krb5.aug.orig    2012-02-07 14:00:13.349952582 -0600
>>> +++ lenses/krb5.aug    2012-02-07 16:02:03.465813208 -0600
>>> @@ -24,7 +24,7 @@ let realm_re = /[A-Z][.a-zA-Z0-9-]*/
>>>   let app_re = /[a-z][a-zA-Z0-9_]*/
>>>   let name_re = /[.a-zA-Z0-9_-]+/
>>>
>>> -let value = store /[^;# \t\n{}]+/
>>> +let value = store /[^;# \t\n{}]|[^;# \t\n{}][^#\n]*[^;# \t\n{}]/
>> OK. I guess this is meant to parse "des-cbc-crc des3-cbc-sha1". Maybe
>> it would be nicer to represent this as a list?
>>
>>
>>>   let entry (kw:regexp) (sep:lens) (comment:lens)
>>>      = [ indent . key kw . sep . value . (comment|eol) ] | comment
>>>
>>> @@ -61,8 +61,8 @@ let appdefaults =
>>>   let realms =
>>>    let simple_option = /kdc|admin_server|database_module|default_domain/
>>>        |/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
>>> -      |/admin_server/ in
>>> -  let subsec_option = /v4_instance_convert/ in
>>> +      |/admin_server|ticket_lifetime/ in
>>> +  let subsec_option = /v4_instance_convert|v4_name_convert/ in
>>>    let option = entry simple_option eq comment in
>>>    let subsec = [ indent . key subsec_option . eq_openbr .
>>>                     (entry name_re eq comment)* . closebr . eol ] in
>>>
>>
>> You're allowing to create a subsection called "v4_name_convert" inside
>> realms sections, but not to create a sub-subsection called "host"
>> inside this "v4_name_convert", hence your issue.
>>
>> That might eventually become quite complex. I'll see if this can be
>> simplified using the new Build.block* constructs.
>>
>>
>
> Actually, I see that libdefaults already supports "v4_name_convert"
> constructs, so the easiest might well be to take it out of
> libdefaults, put it in the general scope, and call it in realms. So,
> something like this fixes your problem:
>
> --- a/lenses/krb5.aug
> +++ b/lenses/krb5.aug
> @@ -37,13 +37,14 @@ let record (t:string) (e:lens) =
>     let title = Inifile.indented_title t in
>       Inifile.record title e
>
> +let v4_name_convert (subsec:lens) = [ indent . key "v4_name_convert"
> . eq_openbr .
> +                        subsec* . closebr . eol ]
> +
>   let libdefaults =
>     let option = entry (name_re - "v4_name_convert") eq comment in
>     let subsec = [ indent . key /host|plain/ . eq_openbr .
>                      (entry name_re eq comment)* . closebr . eol ] in
> -  let v4_name_convert = [ indent . key "v4_name_convert" . eq_openbr .
> -                          subsec* . closebr . eol ] in
> -  record "libdefaults" (option|v4_name_convert)
> +  record "libdefaults" (option|(v4_name_convert subsec))
>
>   let login =
>     let keys = /krb[45]_get_tickets|krb4_convert|krb_run_aklog/
> @@ -67,7 +68,7 @@ let realms =
>     let subsec = [ indent . key subsec_option . eq_openbr .
>                      (entry name_re eq comment)* . closebr . eol ] in
>     let realm = [ indent . label "realm" . store realm_re .
> -                  eq_openbr . (option|subsec)* . closebr . eol ] in
> +                  eq_openbr . (option|subsec|(v4_name_convert
> subsec))* . closebr . eol ] in
>       record "realms" (realm|comment)
>
>   let domain_realm =
>
>
>
> Raphaël

(Apologies for the return of this old thread, but the history seemed to 
help provide context)

I've almost got this working the way I think it should and reading my 
site's krb5.conf.  The only remaining issue I'm running into is with 
'default_tgs_enctypes'.  I'd love to get it into a sequence, but I can't 
seem to figure out how.  The attached patch gets me really close, where 
I've got a sequence called 'type' under default_tgs_enctypes, but the 
extra part of the tree seems to be extra rather than useful, plus it 
seems to make setting those things a bit messy when it wasn't before - 
Was /files/etc/krb5.conf/libdefaults/default_tgs_enctypes = 'thing' my 
changes make 
/files/etc/krb5.conf/libdefaults/default_tgs_enctypes/type[x] = 'thing' 
which is not right.....

If I may ask three questions:

So what can I do to get the sequence to populate when there are multiple 
items, but not when there are not?
And how do I use the regex match for the sequence name?
Is my attempt at a fix even on the right track?


(my site's krb5.conf publicly available at 
http://security.fnal.gov/krb5.conf for examining the behavior I 
mentioned in /files/etc/krb5.conf/libdefaults/default_tgs_enctypes/ )

-- 
Pat Riehecky
Scientific Linux Developer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.aug.patch
Type: text/x-patch
Size: 2461 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/augeas-devel/attachments/20120419/a2dbdd8d/attachment.bin>

More information about the augeas-devel mailing list