NSClient++ Help (#1) - How to use the check_ad --member (#219) - Message List
I'm using Nagios to monitor some AD servers. Now I'm trying to use check_nrpe -H IP -c check_ad (check_ad --ad), which is OK, but when I use check_ad --member it is an error, and it tells me "[WARNING] You are logged on as a local user. (NT AUTHORITY\SYSTEM)". What's the problem?
Best regards, raymax
Message #622
Sounds like you need to change the service "run as" user for that particular script.
MickeM
mickem 08/11/08 08:29:19 (5 years ago)
Message #623
Locally on the server, c:\check_ad --ad and c:\check_ad --member are both OK, but from the remote Nagios server using check_nrpe, check_ad --ad was OK and check_ad --member was an error... and reported that problem.
Best regards, raymax
raymax 08/11/08 09:07:35 (5 years ago)
Message #624
Yes... and as I said, I think you need to modify the user running the service (NSClient++) to run as a user with the specific rights. I don't know the check_ad script, so I don't know what is required. But there is no way to impersonate another user from NSClient++ (apart from via an external script).
MickeM
mickem 08/11/08 10:07:29 (5 years ago)
Message #625
Thank you.
raymax 08/11/08 10:16:22 (5 years ago)
Message #626
If you figure out which privileges are required, feel free to let me know...
MickeM
mickem 08/11/08 10:27:20 (5 years ago)
Message #627
OK~
raymax
raymax 08/11/08 10:44:05 (5 years ago)
Message #639
As you said: I modified the user running NSClient to run as a domain admin account.
raymax 08/14/08 13:28:54 (5 years ago)
Message #640
ouch!!!!
I would *NEVER* do that, it sounds extremely dangerous :) Is it possible to just add the exact privileges you need to a specific user and get it working?
MickeM
mickem 08/14/08 13:55:55 (5 years ago)
Message #644
But the manual says check_ad --member must be run by an account with domain admin privileges. http://www.itefix.no/i2/node/6
raymax 08/15/08 02:46:26 (5 years ago)
Message #645
Yes, and I am just saying what I think (I did not write that script). If you run NSClient++ (or any other client, for that matter) as domain admin, you are opening up your server to anyone with access to it to run (potentially) harmful scripts and whatnot on your server.
If you do this, be *very* *very* *very* thorough with your NSClient++ setup and make sure no one can exploit this "potential hole" you have opened up. NSClient++ (and all other clients, for that matter) are (unfortunately) dependent upon the "regular" Nagios transports such as NRPE, NSClient and NSCA, and they do not support strong (or even weak) authentication, so you have to assume "evil users" are also using it.
But as I said, I wouldn't do it... but then... I am paranoid...
In future versions there will be support for impersonation, so you can write scripts that run under another user, but that might be a year or so off since I have other things that need to be done before that.
Michael Medin
mickem 08/15/08 06:54:35 (5 years ago)
Message #646
A follow-up is that NSCA is probably the "safest" (in client-side terms) solution for using this, so if you really have to do it you might wanna do two things:
- disable NRPE (use NSCA)
- make sure that any external definitions do not use arguments.
Michael Medin
mickem 08/15/08 06:58:23 (5 years ago)
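The two messages above describe a concrete risk combination: an unauthenticated NRPE listener, external scripts that accept caller-supplied arguments, and a service account that is a domain admin. As an added example (not code from this thread and not part of NSClient++), the PowerShell below audits a host for exactly that combination. It assumes the 0.3.x-era NSC.ini layout (NRPEListener.dll/NSCAAgent.dll under [modules], allow_arguments and allow_nasty_meta_chars under [NRPE] and [External Script]) and a Windows service named "NSClientpp"; both are assumptions to check against your own install. The two NSC.ini fragments embedded in the script are constructed samples: one is the risky setup this thread ends up with, the other is the NSCA-only, no-arguments layout Michael recommends.

```powershell
# Added example, not part of the thread or of NSClient++. Assumptions: NSC.ini section and
# key names follow the 0.3.x layout; the Windows service is called 'NSClientpp'.

function ConvertFrom-NscIni {
    # Minimal NSC.ini parser. Lines beginning with ';' are commented-out (disabled) settings;
    # bare lines under [modules] are loaded DLLs and are stored as keys with value '1'.
    param([string[]]$Lines)
    $ini = @{ 'global' = @{} }
    $section = 'global'
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            continue
        }
        if ($line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
        else { $ini[$section][$line] = '1' }
    }
    return $ini
}

function Get-NscSetting {
    param([hashtable]$Ini, [string]$Section, [string]$Key, [string]$Default = '')
    if ($Ini.ContainsKey($Section) -and $Ini[$Section].ContainsKey($Key)) { return $Ini[$Section][$Key] }
    return $Default
}

function Get-NscServiceAccount {
    # Returns the 'Log On As' account of the NSClient++ service, or $null if it is not installed.
    param([string]$ServiceName = 'NSClientpp')   # assumed service name
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($svc) { return $svc.StartName }
    return $null
}

function Test-DomainAdminMember {
    # Direct membership of 'Domain Admins' only (nested groups are not expanded).
    # Returns $null when the domain cannot be queried.
    param([string]$Account)   # DOMAIN\user
    $domain, $user = $Account -split '\\', 2
    try {
        $group = [ADSI]"WinNT://$domain/Domain Admins,group"
        foreach ($m in @($group.Invoke('Members'))) {
            $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            if ($name -eq $user) { return $true }
        }
        return $false
    } catch { return $null }
}

function Test-NscExposure {
    param([hashtable]$Ini, [string]$ServiceAccount)
    $findings = New-Object System.Collections.Generic.List[string]
    $modules = @(); if ($Ini.ContainsKey('modules')) { $modules = @($Ini['modules'].Keys) }

    if ($modules -contains 'NRPEListener.dll') {
        $findings.Add('NRPEListener.dll loaded: NRPE does not authenticate callers, so every host in allowed_hosts can run the configured checks (passive NSCAAgent.dll avoids this).')
        foreach ($section in 'NRPE', 'External Script') {
            if ((Get-NscSetting $Ini $section 'allow_arguments' '0') -eq '1') {
                $findings.Add("[$section] allow_arguments=1: remote callers choose the arguments handed to scripts.")
            }
            if ((Get-NscSetting $Ini $section 'allow_nasty_meta_chars' '0') -eq '1') {
                $findings.Add("[$section] allow_nasty_meta_chars=1: shell metacharacters in arguments reach the script.")
            }
        }
    }
    # A domain account that is a Domain Admin turns any finding above into domain-wide code execution.
    if ($ServiceAccount -and $ServiceAccount -match '^[^\\]+\\[^\\]+$' -and $ServiceAccount -notlike 'NT AUTHORITY\*') {
        if ((Test-DomainAdminMember $ServiceAccount) -eq $true) {
            $findings.Add("Service runs as $ServiceAccount, a direct member of Domain Admins.")
        }
    }
    return $findings
}

# Constructed sample: the setup this thread ends up with.
$riskyIni = @'
[modules]
NRPEListener.dll
CheckExternalScripts.dll
;NSCAAgent.dll
[NRPE]
allow_arguments=1
allow_nasty_meta_chars=0
[External Script]
allow_arguments=1
[External Scripts]
check_ad_member=c:\check_ad --member
'@ -split "`r?`n"

# Constructed sample: NSCA only, no caller-supplied arguments, as recommended in Message #646.
$saferIni = @'
[modules]
;NRPEListener.dll
NSCAAgent.dll
CheckExternalScripts.dll
[External Script]
allow_arguments=0
[NSCA Agent]
nsca_host=nagios
encryption_method=14
'@ -split "`r?`n"

$account = Get-NscServiceAccount
foreach ($pair in @(@('risky', $riskyIni), @('safer', $saferIni))) {
    $name, $text = $pair
    $found = Test-NscExposure -Ini (ConvertFrom-NscIni $text) -ServiceAccount $account
    Write-Host "$name config: $($found.Count) finding(s)"
    $found | ForEach-Object { Write-Warning $_ }
}
```

Against the risky sample the script reports the NRPE listener and both allow_arguments=1 settings; the safer sample produces no configuration findings, so the only thing left to check is the service account, which is why the script also flags a direct Domain Admins member. Replace the embedded samples with `Get-Content 'C:\Program Files\NSClient++\NSC.ini'` to run it against a real install.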