Article 6CN85 [SOLVED] What's wrong with my configuration on nagios and kerberos?

by camerabambai from LinuxQuestions.org on (#6CN85)

I want to set up a service to check the KDC with Nagios.
With my KDC (samba4) I create the user using this script:

Code:
#!/bin/bash

USER=nagioskerberos
DOMAIN=myhost.priv
SERVICE=nagioskerberos
FQDN=nagios1.myhost.priv

# Recreate the account from scratch so the script can be re-run
samba-tool user delete $USER
samba-tool user create $USER --random-password
samba-tool user setexpiry $USER --noexpiry
# 16 (0x10) = AES256-CTS-HMAC-SHA1-96 only
net ads enctypes set $USER 16
# Register the SPN on the account and export its key to a keytab
samba-tool spn add $SERVICE/$FQDN $USER
samba-tool domain exportkeytab $USER.keytab --principal=$SERVICE/$FQDN

Then I copy the keytab to the nagios server and restart the service:

Code:
scp nagioskerberos.keytab nagios1:
ssh nagios1
systemctl restart nagios

The permissions are OK:

Code:
ls -lhd /etc/nagios/nagios.*tab
-rw------- 1 nagios nagios 101 Jul 2 02:25 /etc/nagios/nagios.keytab

The keys seem OK:

Code:
klist -ke /etc/nagios/nagios.keytab
Keytab name: FILE:/etc/nagios/nagios.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV (aes256-cts-hmac-sha1-96)

But when I try to check...

Code:
./check_kdc -k /etc/nagios/nagios.keytab -p nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV -H samba4 -P 88
CRITICAL Getting Kerberos ticket: kinit: Client 'nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV' not found in Kerberos database while getting initial credentials (credentials for nagioskerberos/nagios1.myhost.priv@MYHOST.PRIV from /etc/nagios/nagios.keytab)

Why?

This is the krb5.conf for the samba4 server and the nagios server:

Code:
[libdefaults]
default_realm = MYHOST.PRIV
dns_lookup_realm = true
dns_lookup_kdc = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_encryptes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
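
An added example, not part of the original post: a small linter that flags [libdefaults] keys it does not recognise and suggests the closest known name, run on the configuration posted above. libkrb5 ignores a relation name it does not know instead of rejecting it. The key list is a subset of the names documented for MIT krb5.conf (an assumption to extend), and `lint_libdefaults` and `KNOWN_LIBDEFAULTS` are hypothetical names.

```python
import difflib

# Subset of the [libdefaults] relation names documented for MIT krb5.conf.
# Assumption: extend this tuple to match the krb5 release you run.
KNOWN_LIBDEFAULTS = (
    "default_realm", "dns_lookup_realm", "dns_lookup_kdc",
    "default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes",
    "allow_weak_crypto", "ticket_lifetime", "renew_lifetime", "forwardable",
    "proxiable", "rdns", "dns_canonicalize_hostname", "clockskew",
    "kdc_timesync", "default_ccache_name", "default_keytab_name",
    "udp_preference_limit", "noaddresses", "canonicalize",
)

# Constructed sample: the [libdefaults] section as posted above.
SAMPLE = """\
[libdefaults]
default_realm = MYHOST.PRIV
dns_lookup_realm = true
dns_lookup_kdc = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_encryptes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def lint_libdefaults(text):
    """Return (line_no, key, suggestion) for each unrecognised [libdefaults] key."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # entering a new section
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if key not in KNOWN_LIBDEFAULTS:
            close = difflib.get_close_matches(key, KNOWN_LIBDEFAULTS, n=1, cutoff=0.8)
            findings.append((no, key, close[0] if close else None))
    return findings


if __name__ == "__main__":
    for no, key, hint in lint_libdefaults(SAMPLE):
        suffix = f", did you mean {hint!r}?" if hint else ""
        print(f"line {no}: unrecognised key {key!r}{suffix}")
```

The linter checks key spelling only; it says nothing about whether a principal exists in the KDC database.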