nom.log Config test failed - messages su: FAILED SU

junkertf
Posts: 119
Joined: Tue Aug 08, 2017 1:52 am

nom.log Config test failed - messages su: FAILED SU

Post by junkertf »

Hello,

I have almost the same issue as in the following URL:

https://support.nagios.com/forum/viewto ... 16&t=49898

output from the system (NagiosXI 5.5.2 on RHEL7):
tail -f /app/nagiosxi/var/nom.log
Password: su: Permission denied
ERROR: Could not create or update '/usr/local/nagios/var/nagios.configtest'
Config test failed. Checkpoint aborted.

~]# /usr/local/nagiosxi/scripts/nom_create_nagioscore_checkpoint_cond.sh
OK.

--- reset_config_perms.sh ------------
> Setting CCM script permissions
> Setting script permissions
> Setting special component script permissions
> Setting configuration file/directory permissions
> Setting perfdata directory and RRD permissions
> Setting NOM checkpoint user:group permissions
> + Setting CCM configuration file user:group permissions
> + Setting Recurring Downtime file user:group permissions
> + Setting BPI configuration file user:group permissions
--------------------------------------
/usr/local/nagiosxi/nom/checkpoints/nagioscore ~
tar: Removing leading `/' from member names
~
Config test passed. Checkpoint created.

~]# ls -al /usr/local/nagios/var/nagios.configtest
-rw-rw-r--+ 1 nagios nagios 11730363 Nov 7 08:44 /usr/local/nagios/var/nagios.configtest

#but the next time it runs - croned 1 min - the result is again:
~]# ls -al /usr/local/nagios/var/nagios.configtest
ls: cannot access /usr/local/nagios/var/nagios.configtest: No such file or directory

Password: su: Permission denied
ERROR: Could not create or update '/usr/local/nagios/var/nagios.configtest'
Config test failed. Checkpoint aborted.
the original reason for the debug is the following line at /var/log/messages:

Nov 4 03:12:02 NAGIOSHOST su: FAILED SU (to nagios) nagios on none

which is actually trying to log in to our AD without success and makes a non-cancellable failure audit on our NagiosXI and AD side servers.

Our sudoers file contains the following lines:
~]# grep NAGIOSXI /etc/sudoers
User_Alias NAGIOSXI=nagios
User_Alias NAGIOSXIWEB=apache
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/nagios checkconfig
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/ndo2db status
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd start
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd stop
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd restart
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd reload
NAGIOSXI ALL = NOPASSWD:/etc/init.d/npcd status
NAGIOSXI ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/upgrade_to_latest.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/change_timezone.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/reset_config_perms.sh
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_ssl_config.sh *
NAGIOSXI ALL = NOPASSWD:/usr/local/nagiosxi/scripts/backup_xi.sh *
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/messages
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/httpd/error_log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/tail -100 /var/log/mysqld.log
NAGIOSXIWEB ALL = NOPASSWD:/usr/bin/php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php *
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/html/includes/components/profile/getprofile.sh
NAGIOSXIWEB ALL = NOPASSWD:/etc/init.d/snmptt restart
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/repair_databases.sh
NAGIOSXIWEB ALL = NOPASSWD:/usr/local/nagiosxi/scripts/manage_services.sh *
and touching the file also makes no sense:
~]# su nagios -c "touch /usr/local/nagios/var/nagios.configtest"
~]# echo $?
0

#the error is the same after the touch
Password: su: Permission denied
ERROR: Could not create or update '/usr/local/nagios/var/nagios.configtest'
Config test failed. Checkpoint aborted.
notice:
ls -l /usr/local/
...
lrwxrwxrwx 1 root root 11 Apr 18 2018 nagios -> /app/nagios
lrwxrwxrwx 1 root root 17 Apr 18 2018 nagiosmobile -> /app/nagiosmobile
lrwxrwxrwx 1 nagios nagios 13 Apr 18 2018 nagiosxi -> /app/nagiosxi


what can be the cause of our problem?

Thank you, best regards,

Ferenc
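The `FAILED SU (to nagios) nagios on none` line quoted in the post above can be summarised per source user, target user and terminal, which makes a once-a-minute service-account failure like this one stand out from interactive attempts. This is an added example, not part of the original thread; the sample log lines are constructed in the format of the quoted line, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "FAILED SU" syslog lines.

# Constructed sample, modelled on the /var/log/messages line quoted in the post.
sample_log() {
cat <<'EOF'
Nov 4 03:12:02 NAGIOSHOST su: FAILED SU (to nagios) nagios on none
Nov 4 03:13:01 NAGIOSHOST su: FAILED SU (to nagios) nagios on none
Nov 4 03:13:40 NAGIOSHOST su: FAILED SU (to root) alice on pts/0
Nov 4 03:14:02 NAGIOSHOST su: FAILED SU (to nagios) nagios on none
Nov 4 03:14:09 NAGIOSHOST sshd[811]: Accepted publickey for alice
EOF
}

# failed_su_summary: read syslog text on stdin and print one line per
# (source, target, tty) as "count source target tty kind", busiest first.
# kind is "noninteractive" when su logged "on none", i.e. it had no terminal
# (for example when started from cron) and so could not prompt for a password.
failed_su_summary() {
  awk '
    / su(\[[0-9]+\])?: FAILED SU \(to / {
      for (i = 1; i <= NF; i++) if ($i == "(to") break
      target = $(i + 1); sub(/\)$/, "", target)   # "nagios)" -> "nagios"
      source = $(i + 2)                            # user that invoked su
      tty    = $(i + 4)                            # field after "on"
      n[source " " target " " tty]++
    }
    END {
      for (k in n) {
        split(k, f, " ")
        kind = (f[3] == "none") ? "noninteractive" : "interactive"
        print n[k], k, kind
      }
    }' | sort -rn
}

# Stand-alone run on the constructed sample.
sample_log | failed_su_summary
```

On a real host, feed it the log instead of the sample: `failed_su_summary < /var/log/messages`.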
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by cdienger »

It looks like the "su nagios -c "touch /usr/local/nagios/var/nagios.configtest"" command is successful. Can you see if nagios.configtest is created or the timestamp is updated with "ls -l /usr/local/nagios/var/nagios.configtest"?

What steps were taken to integrate with AD? This error can be seen if settings in /etc/pam.d/su prevent it.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
junkertf
Posts: 119
Joined: Tue Aug 08, 2017 1:52 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by junkertf »

Hello,
[]# su nagios -c "touch /usr/local/nagios/var/nagios.configtest"
You have new mail in /var/spool/mail/root
[]# ls -l /usr/local/nagios/var/nagios.configtest
-rw-rw-r--+ 1 nagios nagios 0 Nov 8 07:40 /usr/local/nagios/var/nagios.configtest
but the result is the same:
Password: su: Permission denied
ERROR: Could not create or update '/usr/local/nagios/var/nagios.configtest'
Config test failed. Checkpoint aborted.
Regarding the AD, I had just set the 2 authentication servers at the Admin / LDAP/AD authentication page with a standard AD login, it is working well.

Our pam.d/su file contains the following:
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
thank you, best regards,

Ferenc
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by cdienger »

The pam.d config looks good, and thanks for clarifying the AD setup. That should also be okay.

The problem could be with the permissions of the su command itself. Run the following:

which su

This will likely point to /bin/su. Check the permissions of the su command:

ll /bin/su

they should look something like:

-rwsr-xr-x. 1 root root 34904 May 11 2016 /bin/su

you can set it with the following if needed:

chmod 4755 /bin/su
chown root:root /bin/su
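The mode and ownership check described in the reply above (`-rwsr-xr-x`, `root:root`) can be scripted so it can be repeated after package updates. This is an added example, not part of the original thread; the function name is hypothetical and it assumes GNU `stat` and `readlink`, as shipped on RHEL 7.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a setuid helper such as su
# has the mode and ownership quoted above (-rwsr-xr-x, root:root).

# check_setuid_binary PATH [UID:GID]
# Prints one status line; returns 0 if OK, 1 if mode/owner is wrong, 2 if missing.
check_setuid_binary() {
  path=$1
  want_owner=${2:-0:0}                       # numeric root:root by default
  # Resolve symlinks first: on RHEL 7 /bin is a symlink to /usr/bin, so
  # /bin/su and /usr/bin/su are the same file.
  real=$(readlink -f "$path" 2>/dev/null) || real=""
  if [ -z "$real" ] || [ ! -f "$real" ]; then
    echo "MISSING $path"; return 2
  fi
  mode=$(stat -c '%a' "$real")               # octal, e.g. 4755
  owner=$(stat -c '%u:%g' "$real")           # numeric uid:gid
  problems=""
  # The setuid bit (04000) must be set, or su cannot switch users for non-root callers.
  [ $(( 0$mode & 04000 )) -ne 0 ] || problems="$problems no-setuid-bit"
  # A setuid binary must never be writable by group or others.
  [ $(( 0$mode & 022 )) -eq 0 ]   || problems="$problems group/other-writable"
  [ "$owner" = "$want_owner" ]    || problems="$problems owner=$owner"
  if [ -n "$problems" ]; then
    echo "BAD $real mode=$mode$problems"; return 1
  fi
  echo "OK $real mode=$mode owner=$owner"
}

# Stand-alone run: report on the su found in PATH.
check_setuid_binary "$(command -v su || echo /bin/su)" || true
```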
junkertf
Posts: 119
Joined: Tue Aug 08, 2017 1:52 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by junkertf »

Hello,

looks like:

[]# which su
/usr/bin/su

[]# ls -l /usr/bin/su
-rwsr-xr-x 1 root root 32184 Feb 2 2018 /usr/bin/su
[]# ls -l /bin/su
-rwsr-xr-x 1 root root 32184 Feb 2 2018 /bin/su


the checksums are the same...

[]# md5sum /bin/su /usr/bin/su
329aa0a2a10f1e6b0f35d75989cfd535 /bin/su
329aa0a2a10f1e6b0f35d75989cfd535 /usr/bin/su

[]# file /bin/su | awk -F"=" {'print $2'} | awk -F"," {'print $1'}
2e38ae0381a511099a248bdf8f5506b88874c786
[]# file /usr/bin/su | awk -F"=" {'print $2'} | awk -F"," {'print $1'}
2e38ae0381a511099a248bdf8f5506b88874c786

tried to strace the problematic point:
....
[almost the of the snippet]
...
stat("/etc/my.cnf.d/server.cnf", {st_mode=S_IFREG|0644, st_size=744, ...}) = 0
open("/etc/my.cnf.d/server.cnf", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=744, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f54bc5e1000
read(7, "#\n# These groups are read by Mar"..., 4096) = 744
read(7, "", 4096) = 0
close(7) = 0
munmap(0x7f54bc5e1000, 4096) = 0
read(6, "", 4096) = 0
close(6) = 0
munmap(0x7f54bc5e2000, 4096) = 0
stat("/home/nagios/.my.cnf", 0x7ffc3c2dcb30) = -1 ENOENT (No such file or directory)
socket(AF_LOCAL, SOCK_STREAM, 0) = 6
fcntl(6, F_SETFL, O_RDONLY) = 0
fcntl(6, F_GETFL) = 0x2 (flags O_RDWR)
connect(6, {sa_family=AF_LOCAL, sun_path="/var/lib/mysql/mysql.sock"}, 110) = 0
setsockopt(6, SOL_SOCKET, SO_RCVTIMEO, "\2003\341\1\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
setsockopt(6, SOL_SOCKET, SO_SNDTIMEO, "\2003\341\1\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
setsockopt(6, SOL_IP, IP_TOS, [8], 4) = -1 EOPNOTSUPP (Operation not supported)
setsockopt(6, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
read(6, "R\0\0\0\n5.5.56-MariaDB\0\352\265\37\0V+qx'V^V"..., 16384) = 86
write(6, "]\0\0\1\215\242\16\0\0\0\0@\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 97) = 97
read(6, "\7\0\0\2\0\0\0\2\0\0\0", 16384) = 11
poll([{fd=6, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(6, "\t\0\0\0\2nagiosql", 13) = 13
read(6, "\7\0\0\1\0\0\0\2\0\0\0", 16384) = 11
poll([{fd=6, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(6, "\17\0\0\0\3SET NAMES utf8", 19) = 19
read(6, "\7\0\0\1\0\0\0\2\0\0\0", 16384) = 11
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(4, "l\0\0\0\3SELECT * FROM xi_meta WHERE"..., 112) = 112
read(4, "\1\0\0\1\5:\0\0\2\3def\10nagiosxi\7xi_meta\7x"..., 16384) = 401
pipe2([7, 8], O_CLOEXEC) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f54bc5cdb50) = 10471
close(8) = 0
fcntl(7, F_SETFD, 0) = 0
read(7, Password:
su: Permission denied
"ERROR: Could not create or updat"..., 8192) = 76
write(1, "ERROR: Could not create or updat"..., 76ERROR: Could not create or update '/usr/local/nagios/var/nagios.configtest'
) = 76
read(7, "Config test failed. Checkpoint "..., 8192) = 41
write(1, "Config test failed. Checkpoint "..., 41Config test failed. Checkpoint aborted.
) = 41
read(7, "", 8192) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=10471, si_uid=5500, si_status=1, si_utime=0, si_stime=0} ---
close(7) = 0
wait4(10471, [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 10471
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(4, "s\0\0\0\3SELECT * FROM xi_meta WHERE"..., 119) = 119
read(4, "\1\0\0\1\5:\0\0\2\3def\10nagiosxi\7xi_meta\7x"..., 16384) = 438
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(4, "\244\0\0\0\3UPDATE xi_meta SET keyvalue"..., 168) = 168
read(4, "0\0\0\1\0\0\0\"\0\0\0(Rows matched: 1 Cha"..., 16384) = 52
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(4, ",\0\0\0\3SELECT * FROM xi_sysstat WH"..., 48) = 48
read(4, "\1\0\0\1\4F\0\0\2\3def\10nagiosxi\nxi_syssta"..., 16384) = 371
poll([{fd=4, events=POLLIN|POLLPRI}], 1, 0) = 0 (Timeout)
write(4, "j\0\0\0\3UPDATE xi_sysstat SET value"..., 110) = 110
read(4, "0\0\0\1\0\1\0\2\0\0\0(Rows matched: 1 Cha"..., 16384) = 52
close(2) = 0
close(1) = 0
close(0) = 0
munmap(0x7f54a6b5a000, 266240) = 0
munmap(0x7f54a6b9b000, 266240) = 0
munmap(0x7f54a6bdc000, 266240) = 0
munmap(0x7f54a6c1d000, 266240) = 0
munmap(0x7f54bc3fa000, 266240) = 0
write(6, "\1\0\0\0\1", 5) = 5
shutdown(6, SHUT_RDWR) = 0
close(6) = 0
write(5, "\1\0\0\0\1", 5) = 5
shutdown(5, SHUT_RDWR) = 0
close(5) = 0
write(4, "\1\0\0\0\1", 5) = 5
shutdown(4, SHUT_RDWR) = 0
close(4) = 0
munmap(0x7f54a789f000, 2152096) = 0


another source of the problem? it will be nice to solve it :)

Thank you, best regards,

Ferenc
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by cdienger »

Perhaps the NagiosUser variable is set to something else. In /etc/init.d/nagios is the code:

if ! su $NagiosUser -c "touch $NagiosCfgtestFile"; then
        echo "ERROR: Could not create or update '$NagiosCfgtestFile'"
        exit 8
fi
Try hard coding the username 'nagios':

if ! su nagios -c "touch $NagiosCfgtestFile"; then
        echo "ERROR: Could not create or update '$NagiosCfgtestFile'"
        exit 8
fi
I'd also be curious to see what is printed out if you add an "echo $NagiosUser" right before that block of code.
junkertf
Posts: 119
Joined: Tue Aug 08, 2017 1:52 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by junkertf »

Hello,

So now it is working. I don't understand how, but it is needed to run the cron.d nom.log line as root from the command line:
(Notice: I had made the config changes in /etc/init.d/nagios lines: echo $NagiosUser before the touch line!)

[~]# /usr/bin/php -q /usr/local/nagiosxi/cron/nom.php >> /usr/local/nagiosxi/var/nom.log
tar: Removing leading `/' from member names

the result in nom.log is:
nagios
OK.

--- reset_config_perms.sh ------------
> Setting CCM script permissions
> Setting script permissions
> Setting special component script permissions
> Setting configuration file/directory permissions
> Setting perfdata directory and RRD permissions
> Setting NOM checkpoint user:group permissions
> + Setting Nagios Core corelog.newobjects user:group permissions
> + Setting CCM configuration file user:group permissions
> + Setting Recurring Downtime file user:group permissions
> + Setting BPI configuration file user:group permissions
--------------------------------------
/usr/local/nagiosxi/nom/checkpoints/nagioscore ~
~
Config test passed. Checkpoint created.


After that the nom.log is not populated anymore! (is it normal?)

Also the nagios checkconfig is working well:

[]$ sudo /etc/init.d/nagios checkconfig
nagios
OK.

And also the "Core Component Status" widget shows that the Nonstop Operations Manager is running well in a 1 minute period.
Also the unnecessary AD logins are gone!

If everything is okay, the case can be closed.

Thank you, best regards,

Ferenc
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by cdienger »

Thank you for the update. I'm not entirely sure why running it manually like that would get it to work but it sounds like it may have failed previously and running it manually cleared something out to allow it to run automatically from there. We'll close this out but let us know if it comes back. Now that we know what will fix it we may be able to look at a few more things of interest if it occurs again.

A quiet nom.log is normal - if the status is green and you see check points created in /usr/local/nagiosxi/nom/checkpoints/ when configurations in the CCM are applied then things are okay.
junkertf
Posts: 119
Joined: Tue Aug 08, 2017 1:52 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by junkertf »

Hello,

The issue still comes out again... so I run the cron.d nom line by hand as root.
On Thursday I make an upgrade to 5.5.7, so I need some time to watch whether it still comes out afterwards or not...

Thank you, best regards,

Ferenc
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: nom.log Config test failed - messages su: FAILED SU

Post by cdienger »

Thanks. Keep us posted.
Locked