Active Directory Integration issue

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
yancy
Posts: 523
Joined: Thu Oct 06, 2011 10:12 am

Re: Active Directory Integration issue

Post by yancy »

kelewis,

Can you ping your Base DN as defined in your config? For example, if my Base DN is:
DC=neptune,DC=net

ping neptune.net

Regards,

-Yancy
kelewis
Posts: 17
Joined: Tue Jun 11, 2013 2:03 pm

Re: Active Directory Integration issue

Post by kelewis »

Code:

[root@nagios-adc ~]# ping dhss.ak.local
PING dhss.ak.local (146.63.206.85) 56(84) bytes of data.
64 bytes from hssfaidc1.dhss.ak.local (146.63.206.85): icmp_seq=1 ttl=121 time=35.6 ms
64 bytes from hssfaidc1.dhss.ak.local (146.63.206.85): icmp_seq=2 ttl=121 time=42.1 ms
64 bytes from hssfaidc1.dhss.ak.local (146.63.206.85): icmp_seq=3 ttl=121 time=21.9 ms
64 bytes from hssfaidc1.dhss.ak.local (146.63.206.85): icmp_seq=4 ttl=121 time=37.3 ms
64 bytes from hssfaidc1.dhss.ak.local (146.63.206.85): icmp_seq=5 ttl=121 time=28.2 ms
64 bytes from hssfaidc1.dhss.ak.local (146.63.206.85): icmp_seq=6 ttl=121 time=26.6 ms
^C
--- dhss.ak.local ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5691ms
rtt min/avg/max/mdev = 21.941/32.000/42.160/6.955 ms
yancy
Posts: 523
Joined: Thu Oct 06, 2011 10:12 am

Re: Active Directory Integration issue

Post by yancy »

kelewis,

I see multiple subnets here:
hssancdc1.dhss.ak.local (10.2.189.3)
dhss.ak.local (146.63.206.85)

Which DNS are you using in the configuration? Try updating your resolv.conf to point to only the IP of the Domain Controller you've defined.

Thanks,

-Yancy
kelewis
Posts: 17
Joined: Tue Jun 11, 2013 2:03 pm

Re: Active Directory Integration issue

Post by kelewis »

I think I know what's going on. The IP response from DNS for dhss.ak.local will cycle through 8 or 9 different addresses, as those are all the domain controllers on the network (which is spread over a large area). But I only want it to connect to the DC that is local, not any of the other DCs, as they are in areas that aren't very well connected to the WAN. So primary DNS server and the DC that I have listed are the same server, which is the one that I want to have Nagios run any AD checks against.
yancy
Posts: 523
Joined: Thu Oct 06, 2011 10:12 am

Re: Active Directory Integration issue

Post by yancy »

kelewis,

Instead of using dhss.ak.local, point /etc/resolv to hssfaidc1.dhss.ak.local for example. Then in the components config specify the same hssfaidc1.dhss.ak.local.

Regards,

-Yancy
kelewis
Posts: 17
Joined: Tue Jun 11, 2013 2:03 pm

Re: Active Directory Integration issue

Post by kelewis »

See, I don't want this authenticating to a server that is over 400 miles away... I'm pretty serious that there are DCs all over the place because of the physical vastness of the WAN. I want to authenticate to hssancdc1 (which is in Anchorage, AK) and not hssfaidc1 (which is in Fairbanks, AK), on top of the fact that the hssancdc1 is located in the same room as the Nagios server. If it's a DNS issue such as that, then shouldn't I be able to add dhss.ak.local in the hosts file and point it at the IP of hssancdc1 and that would fix everything?
sreinhardt
-fno-stack-protector
Posts: 4366
Joined: Mon Nov 19, 2012 12:10 pm

Re: Active Directory Integration issue

Post by sreinhardt »

I think the main question is why you are attempting to authenticate with the TDL? If you were instead to specify a list of comma-separated IPs or hostnames, it would limit to the ones that you actually wish to authenticate with and still allow redundancy if one goes down. I would however strongly disagree with any altering of the /etc/hosts file unless absolutely necessary. If you can simply use a hostname in the plugin and allow it to correctly resolve DNS, that would be an ideal solution.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
kelewis
Posts: 17
Joined: Tue Jun 11, 2013 2:03 pm

Re: Active Directory Integration issue

Post by kelewis »

Ok, to be a bit more specific...

I am located in Anchorage, AK. We have domain controllers all over the state, due to the crappy connections that we have to deal with (some are on the back side of a saturated 56k connection to the WAN), we put a DC in that location so that those users aren't trying to authenticate to a DC across that crappy connection. All of our DCs have DNS running on them, also to help remove that traffic from the WAN connection if possible.

So as you can see, I don't want Nagios to be authenticating to the outlying DCs. DNS is resolving EVERYTHING as it should be. The question is why is it trying to go out to opendns.org when I put in the FQDN of the DC in there, but it works like a champ if I use the IP address of the DC...
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Active Directory Integration issue

Post by scottwilkerson »

kelewis wrote:...
The question is why is it trying to go out to opendns.org when I put in the FQDN of the DC in there...
Can you post the output of the following

Code:

cat /etc/resolv.conf
If the output has any lines like

Code:

nameserver 208.67.222.222
nameserver 208.67.220.220
That would be your problem
Former Nagios employee
kelewis
Posts: 17
Joined: Tue Jun 11, 2013 2:03 pm

Re: Active Directory Integration issue

Post by kelewis »

Code:

[root@nagios-adc ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search SSG5-Serial
nameserver 10.2.189.3
nameserver 10.4.189.11
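
The resolv.conf check scottwilkerson asks for above, as an added example that is not part of the original thread: a shell audit that lists the `nameserver` entries in a file and reports any that are not on an expected list. The function names, the temporary sample files and the use of the two posted 10.x addresses as the expected list are assumptions made for illustration.

```shell
# Added example: audit resolv.conf nameservers against an expected list.

# Print each nameserver address in FILE, one per line. Lines starting
# with ';' or '#' are comments and never match the keyword.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# unexpected_nameservers FILE EXPECTED...
# Print nameservers not on the expected list; return 1 if any were found.
unexpected_nameservers() {
    file=$1; shift
    found=0
    for ns in $(list_nameservers "$file"); do
        ok=0
        for expected in "$@"; do
            if [ "$ns" = "$expected" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$ns"
            found=1
        fi
    done
    return "$found"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Sample 1: the resolv.conf contents posted in the thread.
cat > "$tmp/posted.conf" <<'EOF'
; generated by /sbin/dhclient-script
search SSG5-Serial
nameserver 10.2.189.3
nameserver 10.4.189.11
EOF

# Sample 2 (constructed): a file carrying the two public resolver lines
# quoted in scottwilkerson's post.
cat > "$tmp/public.conf" <<'EOF'
nameserver 10.2.189.3
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF

for f in posted public; do
    bad=$(unexpected_nameservers "$tmp/$f.conf" 10.2.189.3 10.4.189.11) \
        && echo "$f: only expected resolvers" \
        || echo "$f: unexpected resolvers: $bad"
done
```

The posted file is marked as generated by /sbin/dhclient-script, so a check like this is worth re-running after a DHCP lease change.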