This works. Thanks. That seems totally random; #eol seems like a blank comment line. (But it's not.)

Spike

On Mon, Feb 22, 2021 at 5:11 PM George Hansper <[email protected]> wrote:

> Hello Spike,
>
> The error message is telling us something has gone wrong, but it's not
> very specific.
>
> It is helpful to look at the output from the 'print' command from the
> hand-edited file
>
> # augtool print /files/etc/krb5.conf
> /files/etc/krb5.conf
> /files/etc/krb5.conf/libdefaults
> /files/etc/krb5.conf/libdefaults/default_tgs_enctypes[1] = "arcfour-hmac-md5"
> /files/etc/krb5.conf/libdefaults/default_tgs_enctypes[2] = "aes128-cts-hmac-sha1-96"
> /files/etc/krb5.conf/libdefaults/default_tgs_enctypes[3] = "aes256-cts-hmac-sha1-96"
> /files/etc/krb5.conf/libdefaults/#eol[1]
> /files/etc/krb5.conf/libdefaults/default_tkt_enctypes[1] = "arcfour-hmac-md5"
> /files/etc/krb5.conf/libdefaults/default_tkt_enctypes[2] = "aes128-cts-hmac-sha1-96"
> /files/etc/krb5.conf/libdefaults/default_tkt_enctypes[3] = "aes256-cts-hmac-sha1-96"
> /files/etc/krb5.conf/libdefaults/#eol[2]
> /files/etc/krb5.conf/libdefaults/default_realm = "AMER.DELL.COM"
> /files/etc/krb5.conf/libdefaults/ticket_lifetime = "36000"
> /files/etc/krb5.conf/libdefaults/forwardable = "true"
> /files/etc/krb5.conf/domain_realm
> /files/etc/krb5.conf/domain_realm/auspslpltinf1.us.dell.com = "AMER.DELL.COM"
>
> Adding the lines #eol[] to the augtool script resolves this issue:
>
>
> load-file /etc/krb5.conf
> defnode libdefaults /files/etc/krb5.conf/libdefaults
> set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
> set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
> set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
> set $libdefaults/#eol[1]
> set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
> set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
> set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
> set $libdefaults/#eol[2]
> save
>
> Regards,
> George Hansper
> On 23/2/21 7:21 am, Spike White wrote:
>
> In summary, here's a simple augtool file:
>
> set /augeas/load/Krb5/incl "/etc/krb5.conf"
> set /augeas/load/Krb5/lens "Krb5.lns"
> load
> defnode libdefaults /files/etc/krb5.conf/libdefaults
> set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
> set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
> set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
> set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
> set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
> set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
> save
> print /augeas//error
>
> Here's a simple /etc/krb5.conf file:
>
> [libdefaults]
> default_realm = AMER.DELL.COM
> ticket_lifetime = 36000
> forwardable = true
>
> [domain_realm]
> auspslpltinf1.us.dell.com = AMER.DELL.COM
>
> Here's the augtool invocation:
>
> augtool --noautoload -f krb5.aug
>
> Here's the error:
>
> [root@auspslpltinf1 tmp]# augtool --noautoload -f krb5.aug
> error: Failed to execute command
> saving failed (run 'print /augeas//error' for details)
> /augeas/files/etc/krb5.conf/error = "put_failed"
> /augeas/files/etc/krb5.conf/error/path = "/files/etc/krb5.conf/libdefaults"
> /augeas/files/etc/krb5.conf/error/lens = "/usr/share/augeas/lenses/dist/inifile.aug:353.27-354.17:"
> /augeas/files/etc/krb5.conf/error/message = "Failed to match \n ({
> [...]
> = /[^\\001-\\004\\t\\n #;]+/ } | { /#comment/ = /(([^\\001-\\004\\t\\n
> ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | {
> /permitted_enctypes/ = /[0-9A-Za-z-]{3,}/ }({ /permitted_enctypes/ =
> /[0-9A-Za-z-]{3,}/ })*({ /#comment/ = /(([^\\001-\\004\\t\\n
> ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n ]|[^\\001-\\004\\t\\n ]))?/ } | ()){
> /#eol/ } | { /default_tgs_enctypes/ = /[0-9A-Za-z-]{3,}/ }({
> /default_tgs_enctypes/ = /[0-9A-Za-z-]{3,}/ })*({ /#comment/ =
> /(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n
> ]|[^\\001-\\004\\t\\n ]))?/ } | ()){ /#eol/ } | { /default_tkt_enctypes/ =
> /[0-9A-Za-z-]{3,}/ }({ /default_tkt_enctypes/ = /[0-9A-Za-z-]{3,}/ })*({
> /#comment/ = /(([^\\001-\\004\\t\\n ][^\\001-\\004\\n]*[^\\001-\\004\\t\\n
> ]|[^\\001-\\004\\t\\n ]))?/ } | ()){ /#eol/ } | { /v4_name_convert/ } | {
> })*\n with tree\n { \"default_realm\" = \"AMER.DELL.COM\" } {
> \"ticket_lifetime\" = \"36000\" } { \"forwardable\" = \"true\" } { } {
> \"default_tgs_enctypes\" = \"arcfour-hmac-md5\" } {
> \"default_tgs_enctypes\" = \"aes128-cts-hmac-sha1-96\" } {
> \"default_tgs_enctypes\" = \"aes256-cts-hmac-sha1-96\" } {
> \"default_tkt_enctypes\" = \"arcfour-hmac-md5\" } {
> \"default_tkt_enctypes\" = \"aes128-cts-hmac-sha1-96\" } {
> \"default_tkt_enctypes\" = \"aes256-cts-hmac-sha1-96\" }"
>
> If I manually fix up the /etc/krb5.conf file:
>
> [libdefaults]
> default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
> default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
> default_realm = AMER.DELL.COM
> ticket_lifetime = 36000
> forwardable = true
>
> [domain_realm]
> auspslpltinf1.us.dell.com = AMER.DELL.COM
>
> the augtool invocation works fine.
>
> Spike
>
>
> On Thu, Feb 18, 2021 at 12:46 PM Spike White <[email protected]>
> wrote:
>
>> augeas experts,
>>
>> I am trying to update my /etc/krb5.conf. I'm testing (for now) with a
>> /tmp/krb5.conf file on RHEL7.
>>
>> I have to have it not autoload all files, as there's some syntax in some
>> other files augeas doesn't understand.
>>
>> Here is my old krb5.aug file (which works).
>>
>> set /augeas/load/Krb5/incl "/tmp/krb5.conf"
>> set /augeas/load/Krb5/lens "Krb5.lns"
>> load
>> defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = 'AMER.DELL.COM' ]
>> defnode libdefaults /files/tmp/krb5.conf/libdefaults
>> set $realms_AMER_DELL_COM AMER.DELL.COM
>> set $realms_AMER_DELL_COM/#comment LANDMARK
>> set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'
>> set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'
>> set $libdefaults/default_realm AMER.DELL.COM
>> set $libdefaults/dns_lookup_kdc true
>> set /files/etc/krb5.conf/libdefaults/rdns false
>> set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM
>> save
>>
>> I run it thusly: augtool --noautoload -f krb5.aug
>>
>> # Configuration snippets may be placed in this directory as well
>> includedir /etc/krb5.conf.d/
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = AMER.DELL.COM
>> dns_lookup_kdc = true
>> default_etypes_des = des-cbc-crc
>> default_tgs_enctypes = arcfour-hmac-md5
>> default_tkt_enctypes = arcfour-hmac-md5
>>
>> [realms]
>> AMER.DELL.COM = {
>> #LANDMARK
>> auth_to_local = RULE:[1:$1]
>> auth_to_local = DEFAULT
>> }
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>> .isus.emc.com = AMER.DELL.COM
>>
>> Here's my problem. I want to restrict my /default_tgs_enctypes
>> and default_tkt_enctypes to only the strong-ish encryption types (I know
>> the arcfour-hmac-md5 is not terribly strong today).
>>
>> So if I change my krb5.aug file to this:
>>
>> set /augeas/load/Krb5/incl "/tmp/krb5.conf"
>> set /augeas/load/Krb5/lens "Krb5.lns"
>> load
>> defnode realms_AMER_DELL_COM /files/tmp/krb5.conf/realms/realm[. = 'AMER.DELL.COM' ]
>> defnode libdefaults /files/tmp/krb5.conf/libdefaults
>> set $realms_AMER_DELL_COM AMER.DELL.COM
>> set $realms_AMER_DELL_COM/#comment LANDMARK
>> set $realms_AMER_DELL_COM/auth_to_local[1] 'RULE:[1:$1]'
>> set $realms_AMER_DELL_COM/auth_to_local[2] 'DEFAULT'
>> set $libdefaults/default_realm AMER.DELL.COM
>> set $libdefaults/dns_lookup_kdc true
>> set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
>> set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
>> set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
>> set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
>> set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
>> set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
>> set /files/etc/krb5.conf/libdefaults/rdns false
>> set /files/etc/krb5.conf/domain_realm/.isus.emc.com AMER.DELL.COM
>> save
>>
>> It fails. The only extra lines are the
>> $libdefaults/default_tgs_enctypes and the
>> $libdefaults/default_tkt_enctypes set lines.
>>
>> However, if I change my /tmp/krb5.conf file so that
>> 3 default_tgs_enctypes and 3 default_tkt_enctypes already exist, it
>> succeeds.
>>
>> Example before:
>> ...
>> [libdefaults]
>> ...
>> default_tgs_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc
>> default_tkt_enctypes = des-cbc-crc des-cbc-crc des-cbc-crc
>>
>> then run augtool --noautoload -f /tmp/krb5.aug
>>
>> After:
>> [libdefaults]
>> ...
>> default_tgs_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
>> default_tkt_enctypes = arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
>>
>> I thought "set" operator was supposed to create a node entry if it didn't
>> already exist.
>>
>> Why does it fail to modify these entries, unless the lines already exist,
>> with 3 entries already?
>>
>> Spike
_______________________________________________
augeas-devel mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/augeas-devel
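
Added example, not part of the thread and not Augeas code: a small Python check for the failure discussed above. It scans an augtool script and reports the multi-valued Krb5 keys whose group of set lines is not followed by a set of a #eol node, which is the shape the lens expression in the error message requires. The names LIST_KEYS, leaf and missing_eol are made up for this example, and the check assumes the keys do not already exist in the file being edited (the failing case in the thread).

```python
import re

# Keys whose value group the lens expression in the thread's error closes with '#eol'.
LIST_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}

def leaf(path):
    """Last path segment, without a trailing [n] predicate."""
    return re.sub(r"\[[^\]]*\]$", "", path.rsplit("/", 1)[-1])

def missing_eol(script):
    """Return list keys whose group of 'set' lines lacks a closing 'set .../#eol'."""
    problems, open_key = [], None
    for words in map(str.split, script.splitlines()):
        if not words or words[0] not in ("set", "save"):
            continue                   # defnode, load, print, blank lines
        name = leaf(words[1]) if words[0] == "set" and len(words) > 1 else None
        if open_key and name in (open_key, "#comment"):
            continue                   # another value, or the optional comment
        if open_key and name != "#eol":
            problems.append(open_key)  # group ended without its #eol
        open_key = name if name in LIST_KEYS else None
    return problems + ([open_key] if open_key else [])

# Enctype part of the failing script from the thread.
FAILING = """\
defnode libdefaults /files/etc/krb5.conf/libdefaults
set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
save
"""

# The working script from the reply, with the #eol nodes added.
FIXED = """\
load-file /etc/krb5.conf
defnode libdefaults /files/etc/krb5.conf/libdefaults
set $libdefaults/default_tgs_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tgs_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tgs_enctypes[3] 'aes256-cts-hmac-sha1-96'
set $libdefaults/#eol[1]
set $libdefaults/default_tkt_enctypes[1] 'arcfour-hmac-md5'
set $libdefaults/default_tkt_enctypes[2] 'aes128-cts-hmac-sha1-96'
set $libdefaults/default_tkt_enctypes[3] 'aes256-cts-hmac-sha1-96'
set $libdefaults/#eol[2]
save
"""
```

missing_eol(FAILING) names both enctype keys, and missing_eol(FIXED) returns an empty list.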
