Monitoring your Kerberos servers? - Kerberos


Thread: Monitoring your Kerberos servers?

  1. Monitoring your Kerberos servers?

    I'm a bit surprised to find (or rather not finding) that there
    doesn't seem to exist much in the way of monitoring software for
    Kerberos servers/services... What _are_ people using to make sure
    that their KDC's are up and running, *and* containing valid data?

    I've now experienced a couple of times confusing system behaviour
    due to KDC's not running or KDC slaves containing old/stale data...

    The last such occurrence was fun - the primary KDC server had due
    to some unknown event shut down the "kdc" service. However the
    "kadmin" service was still running.

    So I would use 'kadmin' to add new principals to the database,
    and/or ktadd updated ones to hosts keytabs and then get very
    confusing errors since the remaining slave KDC would use the
    old data (since it couldn't contact the master KDC to get
    the updated database records)...

    Specifically I'd like to see a Nagios plugin that can be
    directed to talk to a *specific* KDC (not just the first one that
    answers from the list in krb5.conf) to check that the KDC service
    is running.

    I'd also like some Nagios plugin that can check that slave
    KDC's contain valid up-to-date data by comparing things with
    the master KDC...

    (I've solved the second part with a special hack for Solaris
    Kerberos that has a "kproplog" utility)

    - Peter
    --
    Peter Eriksson Phone: +46 13 28 2786
    Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
    Physics Department, Linköping University Room: Building F, F203

  2. Re: Monitoring your Kerberos servers?

    > Specifically I'd like to see a Nagios plugin that can be
    > directed to talk to a *specific* KDC (not just the first one that
    > answers from the list in krb5.conf) to check that the KDC service
    > is running.


    We have done this ourselves by checking running processes (bin/ps |
    grep) in a custom NRPE subroutine. It's called on each of our KDC servers.

    Well, it's not talking to the real service, just a process check, but it works.

    bodik
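
Added example (not part of either post, and not code from any Kerberos distribution): the check the first post asks for, which sends a minimal RFC 4120 AS-REQ directly to one named KDC on TCP port 88 and maps the answer to a Nagios status. The principal name `nagios-probe` and all function names are assumptions made for illustration.

```python
import os, socket, time

def tlv(tag, body):                       # DER tag-length-value, definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_int(v):                           # non-negative INTEGER
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ctx(n, body):                         # explicit context tag [n]
    return tlv(0xA0 | n, body)

def principal(name_type, *parts):         # PrincipalName
    names = b"".join(tlv(0x1B, p.encode()) for p in parts)
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, tlv(0x30, names)))

def build_as_req(realm, client):
    """RFC 4120 AS-REQ with no pre-authentication data."""
    till = time.strftime("%Y%m%d%H%M%SZ", time.gmtime(time.time() + 300))
    body = (ctx(0, tlv(0x03, bytes(5)))                  # kdc-options: none set
            + ctx(1, principal(1, client))               # cname, NT-PRINCIPAL
            + ctx(2, tlv(0x1B, realm.encode()))          # realm
            + ctx(3, principal(2, "krbtgt", realm))      # sname, NT-SRV-INST
            + ctx(5, tlv(0x18, till.encode()))           # till
            + ctx(7, der_int(int.from_bytes(os.urandom(3), "big")))  # nonce
            + ctx(8, tlv(0x30, der_int(18) + der_int(17))))          # AES etypes
    req = ctx(1, der_int(5)) + ctx(2, der_int(10)) + ctx(4, tlv(0x30, body))
    return tlv(0x6A, tlv(0x30, req))      # [APPLICATION 10] AS-REQ

def classify(reply):
    """Map a raw KDC reply to (Nagios exit code, message)."""
    kind = {b"\x6b": "AS-REP", b"\x7e": "KRB-ERROR"}.get(reply[:1])  # APPLICATION 11, 30
    if kind:
        return 0, f"OK: KDC answered with {kind}"
    return 3, "UNKNOWN: reply is not an AS-REP or KRB-ERROR"

def probe(host, realm, client="nagios-probe", port=88, timeout=5.0):
    """Query one named KDC over TCP; krb5.conf is never consulted."""
    req = build_as_req(realm, client)
    try:
        with socket.create_connection((host, port), timeout) as s, s.makefile("rb") as f:
            s.sendall(len(req).to_bytes(4, "big") + req)   # RFC 4120 TCP length prefix
            reply = f.read(int.from_bytes(f.read(4), "big"))
    except OSError as e:
        return 2, f"CRITICAL: {host}:{port}: {e}"
    return classify(reply) if reply else (2, f"CRITICAL: {host}:{port}: no reply")
```

A KRB-ERROR counts as OK here because it shows the kdc daemon itself parsed the request, which a process-list check or a running kadmin service does not show. A plugin wrapper prints the message from `probe()` and exits with the returned code.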
