
Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Wed Aug 08, 2018 7:50 am
by hbouma
I am being asked if the local user nagios used by Nagios XI, NCPA agents and NRPE agents could be an AD account instead of a local account on the servers, and what drawbacks using the AD account may introduce.

If the user does need to be a local account, what are the drawbacks of using /sbin/nologin for this user on the agent machines?

Re: Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Wed Aug 08, 2018 9:31 am
by rexconsulting
Really good question.

If you used an AD account and AD was not available or a network prevented LDAP lookups for some reason, then Nagios XI/NCPA/NRPE may not work, so you'd have to have some kind of caching (nscd) working well.

As for "/sbin/nologin", that would not work, since Nagios XI/NRPE, and often NCPA, are executing scripts in subshells.

Though with some thoughtful code enhancements (not sure how easily), these daemons could be updated to use privilege separation to do most of their work as one user, then execute scripts as another user.

There have been times I have wanted or had to run NRPE as some application user, in order to access data from the application I was checking, but I came up with a little better way and that is to write helper scripts that extract whatever I needed to from the application as the application user, then write files in a shared directory for the NRPE plugin to pick up.
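The helper-script pattern described in this post, seen from the plugin side, as an added example that is not part of the original post and is not Nagios code: a plugin run by the unprivileged nagios user that reads a status file the application user's helper wrote, and refuses symlinks, files with the wrong owner, loosely permissioned files and stale data. The file path, the writer uid and the one-line "STATE text" file format are assumptions.

```python
#!/usr/bin/env python3
"""NRPE-style plugin: report a status file written by an application-side helper."""
import os
import stat
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATES = {"OK": OK, "WARNING": WARNING, "CRITICAL": CRITICAL}


def check_status_file(path, writer_uid, max_age=600, now=None):
    """Return (exit_code, message) for a one-line 'STATE text' status file."""
    try:
        # O_NOFOLLOW refuses a symlink planted in the shared directory;
        # O_NONBLOCK keeps a FIFO at that path from hanging the check.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        return UNKNOWN, f"cannot open {path}: {exc.strerror}"
    try:
        st = os.fstat(fd)  # inspect the opened file itself, not the path again
        if not stat.S_ISREG(st.st_mode):
            return UNKNOWN, "status file is not a regular file"
        if st.st_uid != writer_uid:
            return UNKNOWN, f"status file owned by uid {st.st_uid}, expected {writer_uid}"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return UNKNOWN, "status file is group- or world-writable"
        age = (time.time() if now is None else now) - st.st_mtime
        if age > max_age:
            # Stale data means the helper stopped; never report old results as current.
            return UNKNOWN, f"status file is {int(age)}s old (limit {max_age}s)"
        data = os.read(fd, 1024)  # bounded read; only the first line is used
    finally:
        os.close(fd)
    lines = data.decode("utf-8", "replace").splitlines()
    state, _, text = (lines[0] if lines else "").partition(" ")
    if state not in STATES:
        return UNKNOWN, "unrecognised state in status file"
    # Keep printable characters only and drop '|', which starts perfdata in plugin output.
    text = "".join(c for c in text if c.isprintable() and c != "|")
    return STATES[state], f"{state} - {text}"


if __name__ == "__main__":
    # Constructed values: the path and writer uid are site-specific assumptions.
    code, message = check_status_file("/var/lib/appstatus/app.status", writer_uid=1001)
    print(message)
    sys.exit(code)
```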

Re: Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Wed Aug 08, 2018 4:14 pm
by scottwilkerson
Thanks @rexconsulting, that explains it nicely.

Re: Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Wed Aug 08, 2018 4:18 pm
by hbouma
Hello Scott,

Just to confirm, what rexconsulting said is the correct answer? I only ask you to confirm because I am being asked for the official recommendation from Nagios.

Also, what is the recommendation, sticking with a local account or using an AD account?

If we did use a local account, what would be the impact of adding a password to the account?

Re: Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Thu Aug 09, 2018 7:33 am
by scottwilkerson
hbouma wrote: Also, what is the recommendation, sticking with a local account or using an AD account?
You can use either; the only disadvantage to using an AD account is the setup and the possibility of the AD server being down.
hbouma wrote: If we did use a local account, what would be the impact of adding a password to the account?
There is no impact; this is perfectly acceptable.

Re: Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Thu Aug 09, 2018 7:41 am
by rexconsulting
I have to ask tho: Why would you want to set a password for the nagios account? Passwords make little sense. Basically having a password says, "anyone can anonymously access this account if they know the password". It's a much better strategy to use sudo, which logs who does what when.

Re: Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Thu Aug 09, 2018 7:43 am
by hbouma
These questions are being asked from far above my head. I am making the same arguments, but still need to have the answers for those asking the questions.

Re: Nagios user in AD for NagiosXI, NCPA and NRPE

Posted: Thu Aug 09, 2018 3:22 pm
by scottwilkerson
rexconsulting wrote: I have to ask tho: Why would you want to set a password for the nagios account? Passwords make little sense. Basically having a password says, "anyone can anonymously access this account if they know the password". It's a much better strategy to use sudo, which logs who does what when.
This is true.