Thank you for the effort mcapra and ssax! Dont't want to beat a dead horse...
Go ahead and lock for now. If anyone does ever get it working please let me know (bcowan@nshe.nevada.edu)
check_wmi_plus and ntlm authentication
Re: check_wmi_plus and ntlm authentication
Looks like someone else was having the same issue:
https://edcint.co.nz/checkwmiplus/forum ... ite_fault/
I'll leave this open in case someone else has this working.
https://edcint.co.nz/checkwmiplus/forum ... ite_fault/
I'll leave this open in case someone else has this working.
Re: check_wmi_plus and ntlm authentication
I was able to get kerberos authentication working by substituting a python script (using impacket) for the wmic command, however, each check appears to successfully reply after the kerberos login, but then does a second login using NTLM, however, since the password in blank it causes the unsuccessful (bad password) count to increment. After 50 checks in a 10 minute period the service account is temporarily revoked, and then all hell breaks loose, recovers, and the pattern repeats. I've been unable to find a programattic way to resolve this from the Nagios check plugin, and our AD Admin doesn't believe there is anything he can do about it either. So, I'm stuck again. He wants to move on to using an Agent. Arghh!
Re: check_wmi_plus and ntlm authentication
I would probably use an agent in this case as well as I wasn't able to get it to work either past the kerberos auth being successful either, check_wmi_plus.pl checks have quite a bit of overhead compared to NCPA.
Re: check_wmi_plus and ntlm authentication
Just an update on this... I created a python script to replace 'wmic' and inserted a tiny block of perl code in 'check_wmi_plus.pl'. Although it caused a fairly significant increase in cpu load on our XI server, we put it in production, and it's been running for about 6 weeks. That's for approximately 65 Windows servers and 500 services using wmi checks.
Meanwhile, I wrote my own version of 'check_wmi_plus.pl' in python (I call it wmiquery.py). Right now it only supports the checks and options that we use at our site. It needs a lot more work, but I replaced all our wmi checks with it last night and the cpu load dropped back down to an acceptable level. Now, if 'wmic' ever gets fixed to handle kerberos properly..., I can work it back in to my script.
I would probably be more happy about the use of agents, if I were the one with the power to oversee the installation, but I'm not, so for now, I try to avoid them.
Meanwhile, I wrote my own version of 'check_wmi_plus.pl' in python (I call it wmiquery.py). Right now it only supports the checks and options that we use at our site. It needs a lot more work, but I replaced all our wmi checks with it last night and the cpu load dropped back down to an acceptable level. Now, if 'wmic' ever gets fixed to handle kerberos properly..., I can work it back in to my script.
I would probably be more happy about the use of agents, if I were the one with the power to oversee the installation, but I'm not, so for now, I try to avoid them.
Re: check_wmi_plus and ntlm authentication
Awesome, thanks for the update! I had a feeling WMIC didn't support it. Our devs are looking at it as well so thank you for the confirmation about the python library.