Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Reports PDF generator fails for non-local accounts

https://support.nagios.com/forum/viewtopic.php?t=64018

Page 1 of 2

Reports PDF generator fails for non-local accounts

Posted: Thu Nov 18, 2021 11:25 am
by TethiS
Hi,

I have a bit of an issue with Reports PDF generation when the connected user is anything else than nagiosadmin.
As nagiosadmin everything works as expected (pdf is created and listed)

As another Admin (or User), with Admin role, the PDF generation fails as it is trying to access itself as plain http://localhost/nagiosxi.. (which is not available, of course):
error is:

Code: Select all

Failed to create PDF
Verify that your Nagios XI server can connect to the URL:
http://localhost/nagiosxi/reports/availability.php?reportperiod=last24hours&startdate=&enddate=&host=&service=&hostgroup=&servicegroup=&advanced=0&assumeinitialstates=yes&assumestateretention=yes&assumestatesduringdowntime=yes&includesoftstates=no&assumedhoststate=3&assumedservicestate=6&timeperiod=&token=bb595e55312dd40e5b2e688e2a23d399c2644da3&locale=en_US&records=100000&mode=getreport&hideoptions=1&export=1&old_browser_compat=1
In the ssl_request_log i see that for nagiosadmin user the request is seen as coming from the IP of the workstation:

Code: Select all

10.64.6.129 - - [19/Nov/2021:00:13:48 +0800] "GET /nagiosxi/reports/availability.php?reportperiod=last24hours&startdate=&enddate=&host=&service=&hostgroup=&servicegroup=&advanced=0&assumeinitialstates=yes&assumestateretention=yes&assumestatesduringdowntime=yes&includesoftstates=no&assumedhoststate=3&assumedservicestate=6&timeperiod=&mode=getreport HTTP/1.1" 200 7388

, while as for other user (AD user, connected from same workstation, with Admin role), the request is seen as coming from 127.0.0.1 (localhost, hence the error):

Code: Select all

127.0.0.1 - - [19/Nov/2021:00:13:59 +0800] "GET /nagiosxi/includes/js/jquery/jquery-1.12.4.min.js?1599143639 HTTP/1.1" 200 97179
127.0.0.1 - - [19/Nov/2021:00:13:59 +0800] "GET /nagiosxi/reports/availability.php?reportperiod=last24hours&startdate=&enddate=&host=&service=&hostgroup=&servicegroup=&advanced=0&assumeinitialstates=yes&assumestateretention=yes&assumestatesduringdowntime=yes&includesoftstates=no&assumedhoststate=3&assumedservicestate=6&timeperiod=&token=d32f8546ee46a23cb0cd6fe70052879b77da92a9&locale=en_US&records=100000&mode=getreport&hideoptions=1&export=1&old_browser_compat=1 HTTP/1.1" 200 22785
var/wkhtmltox.log shows an incomplete log when failling:

Code: Select all

/usr/bin/wkhtmltopdf --lowquality --no-outline --footer-spacing 3 --margin-bottom 15mm --footer-font-size 9 --footer-right "Page [page] of [toPage]" --footer-left "2021-11-19 01:24:54" --no-stop-slow-scripts 'http://localhost/nagiosxi/reports/availability.php?reportperiod=last24hours&startdate=&enddate=&host=&service=&hostgroup=&servicegroup=&advanced=0&assumeinitialstates=yes&assumestateretention=yes&assumestatesduringdowntime=yes&includesoftstates=no&assumedhoststate=3&assumedservicestate=6&timeperiod=&token=06f57d6e3e1af9a1502e95c3d553ed636ef2b3f7&locale=en_US&records=100000&mode=getreport&hideoptions=1&export=1&old_browser_compat=1' '/usr/local/nagiosxi/tmp/exportreport-SGET00004-61968c6623e14'
Loading pages (1/6)
[>                                                           ] 0%^M[======>                                                     ] 10%^MWarning: SSL error ignored
[============>                                               ] 20%^MWarning: SSL error ignored
[=================>                                          ] 29%^M[======================>                                     ] 37%^M[======================>                                     ] 37%^MWarning: SSL error ignored
[=======================>                                    ] 39%^MWarning: SSL error ignored
Warning: SSL error ignored
[=========================>                                  ] 42%^MWarning: SSL error ignored
[==========================>                                 ] 44%^M[===========================>                                ] 46%^M[=============================>                              ] 49%^Mload glyph failed err=24 face=0x4be7830, glyph=0
QFontEngine: Glyph neither outline nor bitmap format=0
load glyph failed err=24 face=0x4be7830, glyph=0
QFontEngine: Glyph neither outline nor bitmap format=0
load glyph failed err=24 face=0x4be7830, glyph=0
QFontEngine: Glyph neither outline nor bitmap format=0
load glyph failed err=24 face=0x4be7830, glyph=0
QFontEngine: Glyph neither outline nor bitmap format=0
[================================================>           ] 80%^M[=================================================>          ] 82%^M[======================================================>     ] 90%^M
, compared to a fulll log when correctly generating the report:

Code: Select all

/usr/bin/wkhtmltopdf --lowquality --no-outline --footer-spacing 3 --margin-bottom 15mm --footer-font-size 9 --footer-right "Page [page] of [toPage]" --footer-left "2021-11-19 01:23:16" --no-stop-slow-scripts 'http://localhost/nagiosxi/reports/availability.php?reportperiod=last24hours&startdate=&enddate=&host=&service=&hostgroup=&servicegroup=&advanced=0&assumeinitialstates=yes&assumestateretention=yes&assumestatesduringdowntime=yes&includesoftstates=no&assumedhoststate=3&assumedservicestate=6&timeperiod=&token=28a325deca02ee6719d654492941040d11972759&locale=en_US&records=100000&mode=getreport&hideoptions=1&export=1&old_browser_compat=1' '/usr/local/nagiosxi/tmp/exportreport-nagiosadmin-61968c0499df3'
Loading pages (1/6)
[>                                                           ] 0%^M[======>                                                     ] 10%^MWarning: SSL error ignored
[============>                                               ] 20%^MWarning: SSL error ignored
[======================>                                     ] 37%^M[======================>                                     ] 37%^M[=======================>                                    ] 39%^MWarning: SSL error ignored
Warning: SSL error ignored
Warning: SSL error ignored
Warning: SSL error ignored
[========================>                                   ] 41%^M[===========================>                                ] 45%^M[============================>                               ] 48%^M[==============================>                             ] 50%^Mload glyph failed err=24 face=0x53acc80, glyph=0
QFontEngine: Glyph neither outline nor bitmap format=0
load glyph failed err=24 face=0x53acc80, glyph=0
QFontEngine: Glyph neither outline nor bitmap format=0
[=================================>                          ] 55%^M[===================================================>        ] 85%^M[======================================================>     ] 90%^M[============================================================] 100%^MCounting pages (2/6)                         
[============================================================] Object 1 of 1^MResolving links (4/6)
[============================================================] Object 1 of 1^MLoading headers and footers (5/6)
Printing pages (6/6)
[>                                                           ] Preparing^M[============================================================] Page 1 of 1^MDone



Could let me know where to look to try find the issue?

Thanks!
Sebastian

Re: Reports PDF generator fails for "no nagiosadmin" Admins/

Posted: Fri Nov 19, 2021 10:39 am
by ssax
Please PM me a copy of your profile.zip, you can download it from Admin > System Profile by clicking the Download Profile button.

Attach these files as well:

Code: Select all

/etc/php.ini
/usr/local/nagiosxi/var/load_url.log
/usr/local/nagiosxi/var/wkhtmltox.log
See here as well:

https://support.nagios.com/kb/article/n ... s-829.html

Re: Reports PDF generator fails for "no nagiosadmin" Admins/

Posted: Mon Nov 22, 2021 3:25 am
by TethiS
hi!

The files were sent inside a PM.

Re: Reports PDF generator fails for "no nagiosadmin" Admins/

Posted: Mon Nov 22, 2021 11:02 am
by kfanselow
Hi TethiS,

Unfortunately Sean is out today - could you forward the profile to me as well so I can take a look as well ?

Thanks and Best Regards,
Keith

Re: Reports PDF generator fails for "no nagiosadmin" Admins/

Posted: Wed Nov 24, 2021 1:48 pm
by TethiS
Hi,

I have forwarded the files yesterday. Did you get any chance to take a look at the issue?

Thanks!

Re: Reports PDF generator fails for "no nagiosadmin" Admins/

Posted: Wed Nov 24, 2021 5:55 pm
by kfanselow
Hi Sebastian,

I'm sorry for the delay in my reply. Thank you - the files have been received and are available to the support team. It looks like there are a couple of things that may be impacting the report generation. First let's have you increase some of the limits defined in your php.ini file:

max_execution_time = 300
max_input_time = 180
max_input_vars = 50000
memory_limit = 512M

Could you also provide the output from the following commands ?

Code: Select all

# netstat -na | grep LIST | grep -i tcp

Code: Select all

# ss -naut

Thanks and Best Regards,
Keith

Re: Reports PDF generator fails for "no nagiosadmin" Admins/

Posted: Thu Nov 25, 2021 5:47 am
by TethiS
HI,

I've modified the php.ini with the suggested values. The behaviour is the same.
I've noticed an abrt alert about this issue. If you want I can forward the whole diagnostic folder (is talking about a segfault in the process of generating pdf from html

Code: Select all

var_log_messages:Nov 18 21:51:24 vlrpsysmnt01 kernel: wkhtmltopdf[6869]: segfault at 50 ip 0000000000aa1174 sp 00007ffca533dee0 error 4 in wkhtmltopdf[400000+2206000]
).

Code: Select all

netstat -na | grep LIST | grep -i tcp
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:46413         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp6       0      0 :::5665                 :::*                    LISTEN
tcp6       0      0 :::5666                 :::*                    LISTEN
tcp6       0      0 :::139                  :::*                    LISTEN
tcp6       0      0 :::2224                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::445                  :::*                    LISTEN

Code: Select all

ss -naut
Netid State      Recv-Q Send-Q                     Local Address:Port                                    Peer Address:Port
udp   UNCONN     0      0                                      *:5353                                               *:*
udp   UNCONN     0      0                           10.80.38.185:5404                                               *:*
udp   UNCONN     0      0                         239.192.104.46:5405                                               *:*
udp   UNCONN     0      0                           10.80.38.185:5405                                               *:*
udp   UNCONN     0      0                                      *:54911                                              *:*
udp   UNCONN     0      0                          192.168.122.1:53                                                 *:*
udp   UNCONN     0      0                               *%virbr0:67                                                 *:*
udp   UNCONN     0      0                                      *:161                                                *:*
udp   UNCONN     0      0                                      *:162                                                *:*
udp   UNCONN     0      0                              127.0.0.1:323                                                *:*
udp   UNCONN     0      0                                  [::1]:323                                             [::]:*
tcp   LISTEN     0      5                                      *:5665                                               *:*
tcp   LISTEN     0      128                            127.0.0.1:199                                                *:*
tcp   LISTEN     0      50                                     *:3306                                               *:*
tcp   LISTEN     0      50                                     *:139                                                *:*
tcp   LISTEN     0      10                             127.0.0.1:46413                                              *:*
tcp   LISTEN     0      128                                    *:80                                                 *:*
tcp   LISTEN     0      5                          192.168.122.1:53                                                 *:*
tcp   LISTEN     0      128                                    *:22                                                 *:*
tcp   LISTEN     0      128                            127.0.0.1:631                                                *:*
tcp   LISTEN     0      128                                    *:443                                                *:*
tcp   LISTEN     0      50                                     *:445                                                *:*
tcp   SYN-SENT   0      1                           10.80.38.185:44138                                   10.80.31.203:5640
tcp   ESTAB      0      0                           10.80.38.185:52966                                   10.80.31.197:443
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:59515
tcp   ESTAB      0      0                           10.80.38.185:47566                                   10.80.38.172:5666
tcp   CLOSE-WAIT 32     0                           10.80.38.185:46322                                   10.80.38.185:2224
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                      10.64.6.129:57554
tcp   SYN-SENT   0      1                           10.80.38.185:33890                                   10.80.31.201:5640
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                      10.64.6.129:64985
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62944
tcp   ESTAB      0      0                           10.80.38.185:22                                       10.64.6.129:58919
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:52857
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:52856
tcp   ESTAB      0      0                              127.0.0.1:57436                                      127.0.0.1:46413
tcp   ESTAB      0      0                           10.80.38.185:55446                                   10.80.38.130:5666
tcp   ESTAB      0      0                           10.80.38.185:48872                                   10.80.38.141:5666
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62969
tcp   SYN-SENT   0      1                           10.80.38.185:48626                                   10.80.31.204:5640
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.47:51021
tcp   ESTAB      0      0                           10.80.38.185:33522                                   10.80.38.115:5666
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.47:51014
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                     10.80.38.171:55181
tcp   CLOSE-WAIT 32     0                           10.80.38.185:41056                                   10.80.38.185:2224
tcp   SYN-SENT   0      1                           10.80.38.185:48204                                   172.18.9.140:5508
tcp   ESTAB      0      0                           10.80.38.185:54941                                   10.80.38.186:7788
tcp   CLOSE-WAIT 32     0                           10.80.38.185:51592                                   10.80.38.185:2224
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:59521
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.47:51022
tcp   CLOSE-WAIT 32     0                           10.80.38.185:45010                                   10.80.38.186:2224
tcp   CLOSE-WAIT 32     0                           10.80.38.185:34478                                   10.80.38.186:2224
tcp   CLOSE-WAIT 32     0                           10.80.38.185:39740                                   10.80.38.186:2224
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                      10.64.6.129:60243
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:54014
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:52863
tcp   SYN-SENT   0      1                           10.80.38.185:52064                                   10.80.31.205:5640
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62949
tcp   ESTAB      0      0                           10.80.38.185:22                                       10.64.6.129:58920
tcp   ESTAB      0      0                           10.80.38.200:443                                       10.64.4.44:52893
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:52871
tcp   ESTAB      0      0                           10.80.38.185:52738                                   10.80.31.197:443
tcp   ESTAB      0      0                           10.80.38.185:56540                                   10.80.38.121:5666
tcp   ESTAB      0      0                              127.0.0.1:46413                                      127.0.0.1:57434
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62937
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62938
tcp   ESTAB      0      0                           10.80.38.185:36732                                   10.80.38.146:5666
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.47:51011
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62958
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                      10.64.6.129:62128
tcp   ESTAB      0      0                           10.80.38.200:443                                       10.64.4.44:52894
tcp   ESTAB      0      0                           10.80.38.185:7788                                    10.80.38.186:39500
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                      10.64.6.129:52189
tcp   ESTAB      0      0                           10.80.38.185:47714                                   10.80.38.172:5666
tcp   CLOSE-WAIT 32     0                           10.80.38.185:50336                                   10.80.38.186:2224
tcp   ESTAB      0      0                           10.80.38.185:43634                                   10.80.38.147:5666
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                      10.64.6.129:57720
tcp   SYN-SENT   0      1                           10.80.38.185:46582                                   10.80.31.202:5640
tcp   ESTAB      0      0                              127.0.0.1:46413                                      127.0.0.1:57436
tcp   TIME-WAIT  0      0                           10.80.38.185:54988                                     10.80.30.6:443
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62950
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:52872
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.47:51012
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                     10.80.38.171:55179
tcp   ESTAB      0      0                           10.80.38.185:38720                                   10.80.38.127:5666
tcp   ESTAB      0      0                              127.0.0.1:57434                                      127.0.0.1:46413
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:59522
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62943
tcp   TIME-WAIT  0      0                           10.80.38.185:32898                                     10.80.3.90:5508
tcp   CLOSE-WAIT 32     0                           10.80.38.185:56918                                   10.80.38.185:2224
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:59516
tcp   ESTAB      0      0                           10.80.38.185:35478                                     10.80.3.90:5508
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                       10.64.4.44:52862
tcp   SYN-SENT   0      1                           10.80.38.185:60492                                 34.236.161.191:443
tcp   FIN-WAIT-2 0      0                           10.80.38.200:443                                     10.80.38.171:55180
tcp   TIME-WAIT  0      0                           10.80.38.200:443                                      10.0.145.44:62959
tcp   ESTAB      0      0                           10.80.38.185:48824                                   10.80.38.141:5666
tcp   SYN-SENT   0      1                           10.80.38.185:46262                                   10.80.31.200:5640
tcp   LISTEN     0      5                                   [::]:5665                                            [::]:*
tcp   LISTEN     0      128                                 [::]:5666                                            [::]:*
tcp   LISTEN     0      50                                  [::]:139                                             [::]:*
tcp   LISTEN     0      128                                 [::]:2224                                            [::]:*
tcp   LISTEN     0      128                                 [::]:22                                              [::]:*
tcp   LISTEN     0      50                                  [::]:445                                             [::]:*
tcp   TIME-WAIT  0      0                  [::ffff:10.80.38.185]:5666                           [::ffff:10.80.38.185]:60086
Remember that this is still working well ONLY when using nagiosadmin.


EDIT:
I created another LOCAL user (not AD) and did try the Report generation with it. It works as expected !.
So, as an added diagnostic notice, this problem is happening only for accounts imported from Active Directory

Re: Reports PDF generator fails for non-local accounts

Posted: Mon Nov 29, 2021 2:42 pm
by ssax
Go to Admin > Manage Users, edit one of the AD users, at the top, change the Username to ALL LOWERCASE, and click the Update User button.

Now Apply Configuration.

Now logout of XI and log back in as that user (using all lowercase for the username when logging in), now try the report, if it works you can either upgrade to the latest to resolve the issue or do the same with the other AD users.

Re: Reports PDF generator fails for non-local accounts

Posted: Tue Nov 30, 2021 3:33 am
by TethiS
HI saax.

This solved the issue. Renaming the users to lowercase was enough, no need to re-apply/restart config.

Thanks!

Re: Reports PDF generator fails for non-local accounts

Posted: Tue Nov 30, 2021 12:33 pm
by ssax
That's great to hear! Let us know when we're okay to lock the topic and mark it as resolved.

EDIT: This was fixed in XI 5.8.5:
5.8.5 - 07/15/2021

Fixed issue when generating PDFs (and auth tokens in general) on usernames with uppercase letters in them [TPS#15542] -JO
Taken from here:

https://www.nagios.com/downloads/nagios-xi/change-log/
All times are UTC-05:00
Page 1 of 2

Powered by phpBB® Forum Software © phpBB Limited