On 02/08/2012 05:03 AM, Raphaël Pinson wrote:
2012/2/8 Raphaël Pinson<[email protected]>:
Hello,
On Tue, Feb 7, 2012 at 11:12 PM, Pat Riehecky<[email protected]> wrote:
The krb5.aug lens is unable to parse my site's krb5.conf (publicly
available at http://security.fnal.gov/krb5.conf)
From looking at it, here are the stanzas that are not recognized:
line 90:
default_tgs_enctypes = des-cbc-crc des3-cbc-sha1
default_tkt_enctypes = des-cbc-crc des3-cbc-sha1
line 190:
v4_name_convert = {
host = {
rcmd = host
}
}
line 203:
ticket_lifetime = 30h
Hint: you can use augcheck [0] to spot these errors easily.
I've almost gotten it to be able to read the v4_name_convert section (line
194) but just can't seem to get it right.
My patch below gets me almost there, but I'm stuck for what to do to fixup
the last little bit. I can get
CERN.CH = {
kdc = cerndc.cern.ch:88
master_kdc = cerndc.cern.ch:88
default_domain = cern.ch
kpasswd_server = afskrb5m.cern.ch
admin_server = afskrb5m.cern.ch
v4_name_convert = {
host = rcmd
}
}
to work with this patch but not
CERN.CH = {
kdc = cerndc.cern.ch:88
master_kdc = cerndc.cern.ch:88
default_domain = cern.ch
kpasswd_server = afskrb5m.cern.ch
admin_server = afskrb5m.cern.ch
v4_name_convert = {
host = {
rcmd = host
}
}
}
My various attempts all end up breaking v4_instance_convert.
I tried the suggestion offered some ways back of making the v4_name_convert
section more top level, but the entry in libdefaults is a true/false while
the one in a realm is much more tree like. It seemed that would make
matters worse.
May I request a little help?
--- lenses/krb5.aug.orig 2012-02-07 14:00:13.349952582 -0600
+++ lenses/krb5.aug 2012-02-07 16:02:03.465813208 -0600
@@ -24,7 +24,7 @@ let realm_re = /[A-Z][.a-zA-Z0-9-]*/
let app_re = /[a-z][a-zA-Z0-9_]*/
let name_re = /[.a-zA-Z0-9_-]+/
-let value = store /[^;# \t\n{}]+/
+let value = store /[^;# \t\n{}]|[^;# \t\n{}][^#\n]*[^;# \t\n{}]/
OK. I guess this is meant to parse "des-cbc-crc des3-cbc-sha1". Maybe
it would be nicer to represent this as a list?
let entry (kw:regexp) (sep:lens) (comment:lens)
= [ indent . key kw . sep . value . (comment|eol) ] | comment
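Review bot: The interior of the new `value` regexp, `[^#\n]*`, admits `;`, `{` and `}`, which the old pattern excluded at every position; only the first and last character are still restricted. If `comment` accepts `;`-introduced trailing comments (Inifile's default comment regexp appears to), `value . (comment|eol)` becomes ambiguous on a line such as `x = a ; c` and the lens typechecker will reject the union. Restricting the interior to whitespace-separated tokens keeps the multi-word values this change targets while ruling that out: `let value = store /[^;# \t\n{}]+([ \t]+[^;# \t\n{}]+)*/`. The `entry` definition below the change is unchanged context.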
@@ -61,8 +61,8 @@ let appdefaults =
let realms =
let simple_option = /kdc|admin_server|database_module|default_domain/
|/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
- |/admin_server/ in
- let subsec_option = /v4_instance_convert/ in
+ |/admin_server|ticket_lifetime/ in
+ let subsec_option = /v4_instance_convert|v4_name_convert/ in
let option = entry simple_option eq comment in
let subsec = [ indent . key subsec_option . eq_openbr .
(entry name_re eq comment)* . closebr . eol ] in
You're allowing to create a subsection called "v4_name_convert" inside
realms sections, but not to create a sub-subsection called "host"
inside this "v4_name_convert", hence your issue.
That might eventually become quite complex. I'll see if this can be
simplified using the new Build.block* constructs.
Actually, I see that libdefaults already supports "v4_name_convert"
constructs, so the easiest might well be to take it out of
libdefaults, put it in the general scope, and call it in realms. So,
something like this fixes your problem:
--- a/lenses/krb5.aug
+++ b/lenses/krb5.aug
@@ -37,13 +37,14 @@ let record (t:string) (e:lens) =
let title = Inifile.indented_title t in
Inifile.record title e
+let v4_name_convert (subsec:lens) = [ indent . key "v4_name_convert"
. eq_openbr .
+ subsec* . closebr . eol ]
+
let libdefaults =
let option = entry (name_re - "v4_name_convert") eq comment in
let subsec = [ indent . key /host|plain/ . eq_openbr .
(entry name_re eq comment)* . closebr . eol ] in
- let v4_name_convert = [ indent . key "v4_name_convert" . eq_openbr .
- subsec* . closebr . eol ] in
- record "libdefaults" (option|v4_name_convert)
+ record "libdefaults" (option|(v4_name_convert subsec))
let login =
let keys = /krb[45]_get_tickets|krb4_convert|krb_run_aklog/
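Review bot: The hoisted `v4_name_convert` at the top of the hunk is now a module-level lens taking a lens parameter, but nothing states what `subsec` is expected to match, and the two callers in this patch pass lenses keyed on different names. A one-line doc comment above it would fix that contract: `(* [v4_name_convert subsec] parses a "v4_name_convert = { ... }" block whose inner sections are parsed by [subsec]; shared by libdefaults and realms *)`. The added definition also appears split across two lines here, the second without a `+` marker, presumably wrapped by the mail client rather than by the patch itself.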
@@ -67,7 +68,7 @@ let realms =
let subsec = [ indent . key subsec_option . eq_openbr .
(entry name_re eq comment)* . closebr . eol ] in
let realm = [ indent . label "realm" . store realm_re .
- eq_openbr . (option|subsec)* . closebr . eol ] in
+ eq_openbr . (option|subsec|(v4_name_convert
subsec))* . closebr . eol ] in
record "realms" (realm|comment)
let domain_realm =
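Review bot: The `subsec` handed to `v4_name_convert` in the `realm` lens is the one defined a few lines above from `subsec_option`, which is keyed on `v4_instance_convert`, so inside a realm this accepts `v4_name_convert = { v4_instance_convert = { ... } }` and still rejects the `host = { rcmd = host }` form from the reported config; the libdefaults caller passes a `host|plain`-keyed lens, which is what is needed here too. Defining that inner lens once at module level next to `v4_name_convert`, e.g. `let v4_name_convert_subsec = [ indent . key /host|plain/ . eq_openbr . (entry name_re eq comment)* . closebr . eol ]`, and passing it from both sections avoids duplicating it. The definition of `realms` begins before this hunk.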
Raphaël
(Apologies for the return of this old thread, but the history seemed to
help provide context)
I've almost got this working the way I think it should and reading my
site's krb5.conf. The only remaining issue I'm running into is with
'default_tgs_enctypes'. I'd love to get it into a sequence, but I can't
seem to figure out how. The attached patch gets me really close: I now
have a sequence called 'type' under default_tgs_enctypes, but the
extra level of the tree seems superfluous rather than useful, plus it
seems to make setting those values a bit messy when it wasn't before -
Previously it was /files/etc/krb5.conf/libdefaults/default_tgs_enctypes = 'thing';
with my changes it becomes
/files/etc/krb5.conf/libdefaults/default_tgs_enctypes/type[x] = 'thing',
which is not right.
If I may ask three questions:
So what can I do to get the sequence to populate when there are multiple
items, but not when there are not?
And how do I use the regex match for the sequence name?
Is my attempt at a fix even on the right track?
(my site's krb5.conf publicly available at
http://security.fnal.gov/krb5.conf for examining the behavior I
mentioned in /files/etc/krb5.conf/libdefaults/default_tgs_enctypes/ )
--
Pat Riehecky
Scientific Linux Developer
--- krb5.aug.upstream 2012-04-19 14:17:55.549951026 -0500
+++ krb5.aug 2012-04-19 16:37:35.660015057 -0500
@@ -8,6 +8,7 @@ let eol = Inifile.eol
let dels = Util.del_str
let indent = del /[ \t]*/ ""
+let valsep = del /[ \t,]*/ ""
let eq = del /[ \t]*=[ \t]*/ " = "
let eq_openbr = del /[ \t]*=[ \t\n]*\{([ \t]*\n)*/ " = {"
let closebr = del /[ \t]*\}/ "}"
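Review bot: `valsep` is deleted to the empty string, and in the `enctype_list` lens of the next hunk it follows every `type` node, so a list created or extended through the tree is written back as `des-cbc-crcdes3-cbc-sha1` with no separator, and that text does not split into the same nodes on the next get, so the round trip does not hold. The usual shape is a separator that must be non-empty, defaulting to a single space, placed only between elements; with an empty-able separator an iterated `store` can also be split in more than one way, which the typechecker is likely to refuse once `enctype_re` is loosened at all. Both `valsep` here and `enctype_list` in the next hunk change; the other definitions in this hunk are unchanged context.
```augeas
let valsep = del /[ \t,]+/ " "

(* … unchanged: eq, eq_openbr, closebr, record, v4_name_convert, enctype_keys, enctype_re … *)

(* [enctype_list kw sep] parses a whitespace- or comma-separated list of
   enctype names into one "type" node per name *)
let enctype_list (kw:regexp) (sep:lens) =
  let enctype = [ label "type" . store enctype_re ] in
  [ indent . key kw . sep . enctype . (valsep . enctype)* . (comment|eol) ]
```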
@@ -37,13 +38,19 @@ let record (t:string) (e:lens) =
let title = Inifile.indented_title t in
Inifile.record title e
+let v4_name_convert (subsec:lens) = [ indent . key "v4_name_convert" .
+ eq_openbr . subsec* . closebr . eol ]
+
+let enctype_keys = /permitted_enctypes|default_tgs_enctypes|default_tkt_enctypes/
+let enctype_re = /[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+/
+let enctype_list (kw:regexp) (sep:lens) = [ indent . key kw .
+ sep . [ label "type" . store enctype_re . valsep ]* . (comment|eol) ]
+
let libdefaults =
- let option = entry (name_re - "v4_name_convert") eq comment in
+ let option = entry (name_re - "v4_name_convert" - enctype_keys) eq comment in
let subsec = [ indent . key /host|plain/ . eq_openbr .
(entry name_re eq comment)* . closebr . eol ] in
- let v4_name_convert = [ indent . key "v4_name_convert" . eq_openbr .
- subsec* . closebr . eol ] in
- record "libdefaults" (option|v4_name_convert)
+ record "libdefaults" (option|(enctype_list enctype_keys eq)|(v4_name_convert subsec))
let login =
let keys = /krb[45]_get_tickets|krb4_convert|krb_run_aklog/
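Review bot: `enctype_re` requires exactly three dash-separated components, while `libdefaults` now routes `permitted_enctypes`, `default_tgs_enctypes` and `default_tkt_enctypes` away from the generic `option` entry (`name_re - ... - enctype_keys`), so a value of any other shape — krb5's enctype names include two- and five-component forms such as `arcfour-hmac` and `aes256-cts-hmac-sha1-96` — makes the whole file fail to parse where the previous lens accepted it as an opaque string. `let enctype_re = /[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*/` keeps the split-into-tokens behaviour without narrowing what the lens admits, provided the separator between tokens is required to be non-empty (with the current empty-able `valsep`, the iteration over `store enctype_re` would admit several splits of one token). `enctype_keys` and `enctype_list` would also benefit from a comment stating that they cover the enctype lists of those three keys and why they are carved out of `option`.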
@@ -61,13 +68,15 @@ let appdefaults =
let realms =
let simple_option = /kdc|admin_server|database_module|default_domain/
|/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
- |/admin_server/ in
+ |/admin_server|ticket_lifetime/ in
let subsec_option = /v4_instance_convert/ in
let option = entry simple_option eq comment in
let subsec = [ indent . key subsec_option . eq_openbr .
(entry name_re eq comment)* . closebr . eol ] in
+ let v4subsec = [ indent . key /host|plain/ . eq_openbr .
+ (entry name_re eq comment)* . closebr . eol ] in
let realm = [ indent . label "realm" . store realm_re .
- eq_openbr . (option|subsec)* . closebr . eol ] in
+ eq_openbr . (option|subsec|(v4_name_convert v4subsec))* . closebr . eol ] in
record "realms" (realm|comment)
let domain_realm =
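Review bot: `v4subsec` is a verbatim copy of the `subsec` that `libdefaults` passes to `v4_name_convert` in the previous hunk (`key /host|plain/` over `entry name_re eq comment`), so the two will drift apart silently; since `v4_name_convert` is now module-level, the inner lens belongs there too. Define it once at module level, e.g. `let v4_name_convert_subsec = [ indent . key /host|plain/ . eq_openbr . (entry name_re eq comment)* . closebr . eol ]`, and have both `libdefaults` and `realm` pass it, or drop the parameter and bake it into `v4_name_convert`. Separately, `admin_server` appears twice in the `simple_option` union on the new line; that is redundant for a regexp union and worth dropping while the line is being touched.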