Hey Guys,
I'm currently having an issue with check_wmi_plus authentication. I can authenticate by using --extrawmicarg "--option=client ntlmv2 auth=Yes"; however, I would much prefer it to use Kerberos instead. I know I can use the -k | --kerberos=STRING, though I have no idea how to use it, and I've been searching for any piece of information I could find, only to turn up empty-handed. Any information you could provide would be greatly appreciated.
check_wmi_plus authentication
jdalrymple
Re: check_wmi_plus authentication
42.6.6 I expect:
https://www.centos.org/docs/5/html/Depl ... beros.html
I doubt there is much to configure once your local nagios user can authenticate to your domain. Have you already made it that far and are still running into issues?
Re: check_wmi_plus authentication
Hey jdalrymple,
When I try and execute the command kadmin -addprinc -randkey host/domain.com I end up with an error "kadmin: missing parameters in krb5.conf required for kadmin client while initializing kadmin interface". Despite this error, I have been able to authenticate against Active Directory using kinit, and I can see that I have a Kerberos ticket when I use klist.
Re: check_wmi_plus authentication
And yes, I'm still running into issues. For some reason or another, even though I try to run a WMI query from my CentOS server that's been joined to my Windows domain, it ends up trying to use NTLM instead of Kerberos, which is a little confusing. Like I said, I have no idea how to use the -k| kerberos==string and finding any documentation on it has brought up nothing, so I don't know if I'm supposed to use that when I query or if the machine has been joined to the domain that it would be using Kerberos automatically with every check.
jdalrymple
Re: check_wmi_plus authentication
As you've no doubt discovered check_wmi_plus is just a wmic wrapper
wmic uses Samba's authentication libs as well as a great deal of other Samba components
navigating that source tree is a bit on the daunting side
I truthfully wouldn't expect any options to be necessary and as of yet am not sure what the STRING requested is. One thing that may be helpful, add -vvv to your check_wmi_plus command, it can be pretty darn verbose which may be helpful in troubleshooting. I'm assuming you're troubleshooting this from the command line and not fiddling around in the Core UI?
Re: check_wmi_plus authentication
Hey jdalrymple,
Your assumption would be correct that I'm doing it from the console and not the UI. Also, on the -vvv, did you mean -d -d -d or just -d? I've tried -vvv and ended up with Unknown option; however, when using -d it shows the command being run with WMIC. When I use the --extrawmicarg with --option="client ntlmv2 auth"=yes the command passes and it shows the information from the other computer. When I drop that extra command I get this:
Could not find the CLASS: line - an eror occurred
WMI DATA:$VAR1 = [];
[librpc/rpc/dcerpc_util.c
dcerp_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access is denied
Also, I scrolled up a little and saw the module versions I had installed, and it appeared that I did not have the Net::DNS module installed; however, it still did not resolve the issue, so still kinda stumped, though it seems like a little more progress.
Re: check_wmi_plus authentication
Sorry, I apologize, the -k | kerberos=string is actually a command of WMIC, not check_wmi_plus.
Re: check_wmi_plus authentication
And when I use a command such as ./check_wmi_plus.pl -H HOST -u user%domain -p password -m checkservice --extramwmiarg -k I end up with this error:
UNKNOWN - The WMI query had problems. The error text from wmic is : Error parsing -k -U
Re: check_wmi_plus authentication
Please post the exact command that you're running (sanitized).
Also, the -u option should be DOMAIN/User (you had user%domain), not sure if that's just a typo.
Re: check_wmi_plus authentication
The command I've been running that forcefully uses NTLMv2 is:
./check_wmi_plus.pl -H HOST -u domain/user -p password -m checkservice --extrawmicarg --option"client ntlmv2 auth"=yes
And the command I'm running that defaults to NTLM and doesn't use Kerberos is:
./check_wmi_plus.pl -H Host -u domain/user -p password -m checkservice
which results in this error:
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next lin.
[librpc/rpc/dcerp util.c
dcerpc_pipe_auth_recv()] Failed to bind the uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED -Access denied
When I take a look at the host's security event logs, it shows the user that I tried to run a WMI query against the host with, and it does show that it is trying to use NTLM to authenticate against the server instead of Kerberos.
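An added example, not part of the thread: one way to confirm from the target host's Security log which mechanism the monitoring account's logons used, the check the last post does by hand. The event texts are constructed samples shaped like event ID 4624 message bodies, and the account and domain names are placeholders.

```python
import re
from collections import Counter

# Constructed 4624 (logon) message body, trimmed to the fields read below.
TEMPLATE = """An account was successfully logged on.
Subject:
\tAccount Name:\t\t-
New Logon:
\tAccount Name:\t\t{account}
\tAccount Domain:\t\tEXAMPLE
Detailed Authentication Information:
\tLogon Process:\t\t{process}
\tAuthentication Package:\t{package}
\tPackage Name (NTLM only):\t{ntlm}
"""
SAMPLE = [  # constructed events; svc_nagios and other_user are placeholders
    TEMPLATE.format(account="svc_nagios", process="NtLmSsp", package="NTLM", ntlm="NTLM V2"),
    TEMPLATE.format(account="svc_nagios", process="Kerberos", package="Kerberos", ntlm="-"),
    TEMPLATE.format(account="other_user", process="NtLmSsp", package="NTLM", ntlm="NTLM V1"),
]

FIELDS = {
    # The Subject block also has an "Account Name" line ("-" for network
    # logons), so anchor on "New Logon:" to read the account that logged on.
    "account": r"New Logon:.*?Account Name:\s*(\S+)",
    "process": r"Logon Process:\s*(\S+)",
    "package": r"Authentication Package:\s*(\S+)",
    "ntlm_version": r"Package Name \(NTLM only\):\s*(.+)",
}

def parse_logon(message):
    """Pull the authentication fields out of one 4624 message body."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, message, re.S if name == "account" else 0)
        out[name] = m.group(1).strip() if m else None
    return out

def auth_summary(messages, account):
    """Count logons per mechanism for one account (case-insensitive match)."""
    counts = Counter()
    for msg in messages:
        ev = parse_logon(msg)
        if (ev["account"] or "").lower() != account.lower():
            continue
        if ev["package"] == "NTLM":
            counts[ev["ntlm_version"] or "NTLM (version not logged)"] += 1
        else:
            counts[ev["package"] or "unknown"] += 1
    return counts

if __name__ == "__main__":
    print(auth_summary(SAMPLE, "svc_nagios"))
```
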