Hi,
I am trying to create a command on my Nagios server which will check web access via my proxy environment, using Kerberos.
I found the below KB articles. Would they be suitable to work from? The second of the two seems more descriptive, but is 6 years old, so possibly not relevant!
I suppose I'm most curious about the ticketing processing, and also whether Nagios needs to be added to my domain?
Any direction much appreciated.
http://exchange.nagios.org/directory/Pl ... dc/details
https://www.itefix.net/content/nagios-s ... -directory
Kerberos commands from Nagios
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: Kerberos commands from Nagios
Using 'check_kdc' seems quite valid, though as noted in the exchange comment section you may need to modify the plugin a bit. I'd definitely give that one a shot first if it seems like it will cover what you need. Let me know if you have any more questions!
Re: Kerberos commands from Nagios
Cheers slansing...
I guess I understand Kerberos from a Windows perspective, which requires that machines are part of the ticketing process, and up and running on the domain.
Should I assume the same for my Nagios server, for the 'check_kdc' to work?
-
slansing
Re: Kerberos commands from Nagios
One big thing that will help you out as you implement new plugins is that most of them are supplied with a 'help' flag you can pass to get proper usage output. Though it is part of our plugin development guidelines, not all plugin developers follow it. In this case, with check_kdc you can pass the traditional '-h' when executing it from the command line like so:
Code:
/path/to/your/plugin/check_kdc -h
And you would get:
Code:
Kerberos 5 KDC plugin for Nagios
-H, --hostname=HOST     Name of KDC to check
-P, --port=PORT         Port on which KDC runs (default 88)
-p, --principal=NAME    Principal name to authenticate as (including realm)
-k, --keytab=FILE       Keytab file containing principal's key
-h, --help              Print this help
--version               Print version
In this case, the plugin can be run on any system you like; most importantly, it can be run from the Nagios server itself, as it includes a flag for hostname/ip/address as '-H'. So you can test it quickly by manually running the plugin itself and trying the different check flags provided, such as:
Code:
/path/to/your/plugin/check_kdc -H ip.addr.of.kerb.serv -P 1this2is3my4port -p noidea -k noidea
For '-p' and '-k', as I don't know too much about these two, you would use whatever you expect the Kerberos system to be using. I don't know if you need a path or can just call it by name.
Re: Kerberos commands from Nagios
Thanks again mate...
Am I correct in thinking the below plugin/script is for checking that the Kerberos server and ticketing system are responding successfully?
Indeed my goal here is to check the Kerberos mechanism, but more from a user perspective, i.e. access to google.com using Kerberos auth.
How would I go about incorporating this into a check_http script, using the Kerberos mechanism, or is this even achievable?
Re: Kerberos commands from Nagios
This is not currently possible with check_http as it only supports basic auth and standard ssl certs/keys. You may want to look at the webinject plugin as it claims to support kerberos:
http://www.webinject.org/plugin.html
http://assets.nagios.com/downloads/nagi ... ios-XI.pdf
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
-
slansing
Re: Kerberos commands from Nagios
Well, you can mix and match plugins on a single host. You could use this for some Kerb specific checks, then run some sort of webinject checks, or http checks as separate services. Selenium is also another option:
http://library.nagios.com/library/produ ... -nagios-xi
You can integrate it with core as well.
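The user-perspective check asked about in this thread (web access through a proxy that requires Kerberos auth), written as a stand-alone plugin; this is an added example, not code from the thread, check_kdc or webinject. It assumes MIT Kerberos client tools (kinit, kdestroy), a curl built with GSS-API/SPNEGO support, a krb5.conf that knows the realm, and a keytab for the monitoring principal; the function names `evaluate` and `check` are hypothetical.

```shell
#!/bin/sh
# Added example: Nagios-style check of web access through a proxy that
# requires Kerberos (Negotiate) auth. Function names are hypothetical.

# evaluate <http_code> <seconds> <warn_s> <crit_s>
# Prints a Nagios status line; returns 0=OK, 1=WARNING, 2=CRITICAL.
evaluate() {
    code=$1; secs=$2; warn=$3; crit=$4
    case "$code" in
        407)     echo "CRITICAL - proxy refused Kerberos auth (HTTP 407)"; return 2 ;;
        ''|000)  echo "CRITICAL - no HTTP response via proxy"; return 2 ;;
        2??|3??) ;;
        *)       echo "WARNING - unexpected HTTP $code via proxy"; return 1 ;;
    esac
    # awk handles the floating-point threshold comparison
    state=$(awk -v t="$secs" -v w="$warn" -v c="$crit" \
        'BEGIN { s = (t+0 >= c+0) ? 2 : ((t+0 >= w+0) ? 1 : 0); print s }')
    perf="time=${secs}s;$warn;$crit"
    case "$state" in
        2) echo "CRITICAL - HTTP $code in ${secs}s|$perf"; return 2 ;;
        1) echo "WARNING - HTTP $code in ${secs}s|$perf"; return 1 ;;
        *) echo "OK - HTTP $code in ${secs}s|$perf"; return 0 ;;
    esac
}

# check <principal> <keytab> <proxy_url> <target_url> [warn_s] [crit_s]
check() {
    princ=$1; keytab=$2; proxy=$3; url=$4; warn=${5:-2}; crit=${6:-5}
    # Private ticket cache so the check never touches another user's tickets
    cc=$(mktemp /tmp/krb5cc_nagios.XXXXXX) || { echo "UNKNOWN - mktemp failed"; return 3; }
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null; rm -f "$cc"' EXIT
    # Get a TGT non-interactively from the keytab
    kinit -k -t "$keytab" "$princ" 2>/dev/null || {
        echo "CRITICAL - kinit failed for $princ (KDC, keytab or clock skew)"; return 2; }
    # "-U :" makes curl use the cached ticket instead of a password
    out=$(curl -s -o /dev/null -m 30 -x "$proxy" --proxy-negotiate -U : \
        -w '%{http_code} %{http_connect} %{time_total}' "$url")
    set -- $out
    code=$1
    # For https:// targets the proxy's 407 appears as the CONNECT status
    [ "$2" = 407 ] && code=407
    evaluate "$code" "$3" "$warn" "$crit"
}

# Act as a plugin only when called with arguments
if [ "$#" -ge 4 ]; then check "$@"; exit $?; fi
```

The keytab is equivalent to the principal's password, so keep it readable only by the account that runs the Nagios checks and give that principal no rights beyond proxy access.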