Adding a Windows server for monitoring using WMI

[vishal313]

Hi All,

I am trying to add a Windows servers using WMI method in Nagios XI but I am getting a following error:
Non-admin users won't be able to see ANY objects (hosts or services) in Nagios XI, unless they are added as monitoring contacts to these objects or the Can see all hosts and services check-box has been selected for these users under the Edit User page (Security Settings section).

Other words, if you added a contact to a host, this contact will be able to see the IP address of this host. It you don't want certain users to see the IP of a host, don't add these users as a monitoring contacts to the host - simple as that.

Hope this helps.

The service account used for WMI connection has been configured and put into the required User Groups as per the Nagios Document(“Distributed Com Users”, “Event Log Readers”, “Performance Log Users”, and “Performance Monitor
Users” groups).

We tried keeping the password(with special characters) in "usr/local/nagios/etc/resource.cfg" and also tried to change the password(without special characters) and use.
The firewall ports and settings are good.
Please help with your inputs in order to resolve this issue.

[lmiltchev]

I am trying to add a Windows servers using WMI method in Nagios XI but I am getting a following error:
Non-admin users won't be able to see ANY objects (hosts or services) in Nagios XI, unless they are added as monitoring contacts to these objects or the Can see all hosts and services check-box has been selected for these users under the Edit User page (Security Settings section).

Other words, if you added a contact to a host, this contact will be able to see the IP address of this host. It you don't want certain users to see the IP of a host, don't add these users as a monitoring contacts to the host - simple as that.

Hope this helps.

Where are you getting this error? This is my comment to your other post, which has nothing to do with WMI... It has to do with users/contacts access (level of authorization) to various objects. To better understand multi-tenancy in Nagios XI, review the document below:

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

If you are trying to troubleshoot WMI, our KB article on the topic is a good place to start:

https://support.nagios.com/kb/article/n ... g-579.html

If you are still not able to resolve your issue, please describe it IN DETAILS. Show us the error that you are getting in the GUI (screenshot), and the actual command that you are using, run from the command line, along with the output of it.

[vishal313]

Hi lmiltchev,

Thank you for the response. I am getting the error in Nagios XI console, Configuration Wizard.

I tried debugging and could get the follow output:

[nagios@monprdappla006 ~]$ /usr/local/nagios/libexec/check_wmi_plus.pl -H 10.10.195.203 -u svcnagioswmi -p qN=G0\%u~g1F -m checkcpu -w '80' -c '90' --extrawmicarg "--debuglevel=4"
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[param/loadparm.c:587:init_globals()] Initialising global parameters
[param/loadparm.clp_load()] lp_load: refreshing parameters from /dev/null
[param/params.c:556:pm_process()] params.c:pm_process() - Processing configuration file "/dev/null"
[param/loadparm.clp_load()] pm_process() returned Yes
[param/loadparm.clp_add_hidden()] adding hidden service IPC$
[param/loadparm.clp_add_hidden()] adding hidden service ADMIN$
[auth/kerberos/krb5_init_context.c:388:smb_krb5_init_context()] krb5_init_context failed (Invalid argument)
[auth/gensec/gensec.cgensec_register()] GENSEC backend 'sasl-DIGEST-MD5' registered
[auth/auth.c:447:auth_register()] AUTH backend 'winbind_samba3' registered
[auth/auth.c:447:auth_register()] AUTH backend 'winbind' registered
[auth/auth.c:447:auth_register()] AUTH backend 'name_to_ntstatus' registered
[auth/auth.c:447:auth_register()] AUTH backend 'fixed_challenge' registered
[auth/auth.c:447:auth_register()] AUTH backend 'unix' registered
[auth/auth.c:447:auth_register()] AUTH backend 'anonymous' registered
[auth/auth.c:447:auth_register()] AUTH backend 'sam' registered
[auth/auth.c:447:auth_register()] AUTH backend 'sam_ignoredomain' registered
[auth/gensec/gensec.cgensec_register()] GENSEC backend 'krb5' registered
[auth/gensec/gensec.cgensec_register()] gensec subsystem fake_gssapi_krb5 is disabled
[auth/gensec/gensec.cgensec_register()] GENSEC backend 'schannel' registered
[auth/gensec/gensec.cgensec_register()] GENSEC backend 'spnego' registered
[auth/gensec/gensec.cgensec_register()] gensec subsystem gssapi_spnego is disabled
[auth/gensec/gensec.cgensec_register()] GENSEC backend 'gssapi_krb5' registered
[auth/gensec/gensec.cgensec_register()] GENSEC backend 'gssapi_krb5_sasl' registered
[auth/gensec/gensec.cgensec_register()] GENSEC backend 'ntlmssp' registered
[lib/com/dcom/main.c:528:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:10.10.195.203
[librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[lib/com/dcom/main.c:413:determine_rpc_binding_continue2()] dcerpc_ndr_request_recv returned NT_STATUS_OK
[lib/com/dcom/main.c:417:determine_rpc_binding_continue2()] IObjectExporter::ServerAlive returned NT_STATUS_OK
[auth/gensec/gensec_gssapi.c:304:gensec_gssapi_client_start()] Cannot do GSSAPI to an IP address
[auth/gensec/gensec.c:606:gensec_start_mech()] Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
[auth/ntlmssp/ntlmssp_client.c:128:ntlmssp_client_challenge()] Got challenge flags:
[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x62898205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[auth/ntlmssp/ntlmssp_client.c:242:ntlmssp_client_challenge()] NTLMSSP: Set final flags:
[auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088205
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[librpc/rpc/dcerpc_util.cdcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied


Please let me know if you need any more information from my side.

[lmiltchev]

First off, running a command like that won't work. You have bunch of special characters in the password. Try wrapping the password in single quotes as such:

Code: Select all

/usr/local/nagios/libexec/check_wmi_plus.pl -H 10.10.195.203 -u svcnagioswmi -p 'qN=G0\%u~g1F' -m checkcpu -w '80' -c '90'

If the command above works, then we can proceed with fixing the issue with the wizard. Instead of using a username and a password in the wizard, try using a "auth" file. To see how to do this, review the "Authentication File" section in the document below:

https://assets.nagios.com/downloads/nag ... ios-XI.pdf

Basically, you would need to create a auth file, e.g. /usr/local/nagios/etc/wmi_auth.txt with your credentials:

Code: Select all

username=svcnagioswmi
password=qN=G0\%u~g1F

Make sure the file is readable by nagios user/group. Next, run the wizard. Clear the username and password fields in Step 1, and copy/paste the path to the auth file in the "Auth File" field.

Let us know if this worked.

[vishal313]

Hi,

We tried putting the password in quotes '' but still the same error appears. Please find the below output:
[root@monprdappla006 ~]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 10.10.195.203 -u svcnagioswmi -p 'qN=G0\%u~g1F' -m checkcpu -w '80' -c '90'
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[librpc/rpc/dcerpc_util.cdcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

I tried adding the domain information to user details and it still failed:
[root@monprdappla006 etc]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 10.10.195.203 -u OCAUS01\svcnagioswmi -p 'qN=G0\%u~g1F' -m checkcpu -w '80' -c '90'
UNKNOWN - The WMI query had problems. You might have your username/password wrong or the user's access level is too low. Wmic error text on the next line.
[librpc/rpc/dcerpc_util.cdcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
[root@monprdappla006 etc]# /usr/local/nagios/libexec/check_wmi_plus.pl -H 10.10.195.203 -u OCAUS01/svcnagioswmi -p 'qN=G0\%u~g1F' -m checkcpu -w '80' -c '90'
UNKNOWN - Plugin Timed out (15 sec). There are multiple possible reasons for this, some of them include - The host 10.10.195.203 might just be really busy, it might not even be running Windows.

The timeout was increased to 120 seconds, but the error persists.
Please suggest.


Regards
Vishal Dhote

[vishal313]

There are few more cases now:
1. We found the issue is appearing on certain set of servers.
2. We could successfully connect on one server and got the output for checkcpu via command line. For the same server, when we tried to add the server via Configuration Wizard, we are getting an error. I have attached the screenshot of the same. This is very strange. Please share some inputs on this. Note : The server we are trying to connect is the same and the user account is same too for both the cases.
3. On the servers, where we are neither able to connect via command line nor with Configuration Wizard, the user account had local admin privileges. Still the connection and output was failing as shared earlier.

These different cases are going in different directions and not allowing to focus at a single issue.


Regards
Vishal Dhote

[lmiltchev]

These different cases are going in different directions and not allowing to focus at a single issue.

You are correct. In order to focus on a single issue, we would need to be working on a single issue. We cannot troubleshoot issues on a few different Widows servers, which may or may not have a wmi user configured in the same way... We don't even know if these are the same type of servers, e.g. Windows Server 2003, 2008, 2012, 2016, etc.

Let's start with the one that you can connect to.

2. We could successfully connect on one server and got the output for checkcpu via command line. For the same server, when we tried to add the server via Configuration Wizard, we are getting an error. I have attached the screenshot of the same. This is very strange. Please share some inputs on this.

Show the checkcpu command run from the command line, along with the output of it.
Example with username/password:

Code: Select all

/usr/local/nagios/libexec/check_wmi_plus.pl -H <client ip> -u svcnagioswmi -p 'qN=G0\%u~g1F' -m checkcpu -w '80' -c '90'

Example with auth file:

Code: Select all

/usr/local/nagios/libexec/check_wmi_plus.pl -H <client ip> -A  /usr/local/nagios/etc/wmi_auth.txt -m checkcpu -w '80' -c '90'

If these command work for you, there is not reason why the wizard wouldn't, provided you used the "auth" file option in Step 1, NOT username/password option.

[vishal313]

Hi,

We somehow could resolve the command line error. I could get the output for CPU and Memory stats using command line for the Windows server. But while adding the server in Nagios XI console, I am getting an error. I have attached the screenshot of the error. Please help with your suggestion.

Note : The service account used has all relevant privileges needed as per the Nagios Documents and troubleshooting guide.


Regards
Vishal Dhote

[lmiltchev]

This error:

NTSTATUS: NT code 0x80041003 - NT code 0x80041003

is the same as the one, described under the Additional Permissions section of the KB article below:

https://support.nagios.com/kb/article/n ... g-579.html

Follow the instructions from our documentation closely, so that you could resolve the issue.