Reply is bottom-posted.<br><br><div class="gmail_quote">On Wed, Mar 18, 2009 at 16:57, Andrew Davis <span dir="ltr"><<a href="mailto:nccomp@gmail.com">nccomp@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000099">
If I'm reading this correctly, the line about "NRPE daemon cannot be
run as
user/group root!" is directly from the source code of NRPE. It's not an
xinetd thing. I've confirmed that xinetd is running and listening on
port 5666. I tried changing the owner/group from nobody:nobody to
another unprivileged user, but it didn't work. Same results. It appears
that despite my configuring the /etc/nagios/nrpe.cfg and the
/etc/xinetd.d/nrpe files to use a user other than root, it still tries
to start it as the root user and thus when an incoming connection comes
in, it gives the "NRPE daemon cannot be run as
user/group root!" error. Any thoughts on how to rectify this? Since
NRPE is working fine on Linux, is this just a Mac OS X thing? Any help
would be immensely appreciated.<br><font color="#888888">
<br>
AD</font><div><div></div><div class="h5"><br>
<br>
Andrew Davis wrote:
<blockquote type="cite">
FYI: /var/log/system.log on the client shows:<br>
<br>
Mar 18 16:08:07 shu xinetd[29066]: START: nrpe pid=557 from=10.1.1.170<br>
Mar 18 16:08:07 shu nrpe[557]: Error: NRPE daemon cannot be run as
user/group root!<br>
<br>
whether I do the default test (with SSL) or use the -n flag to test w/o
SSL. The odd thing is that the nrpe config in /etc/xinetd.d is set to
run as nobody:nobody and /etc/nagios/nrpe.cfg is owned by
nobody:nobody. Only /usr/local/sbin/nrpe is owned by root (as it should
be), but is also set to 755 perms. I've compared to a Linux box I have
with NRPE and xinetd working properly and the permissions are identical.<br>
<br>
I'm stumped...<br>
<br>
Andrew Davis wrote:
<blockquote type="cite">I have
two Mac OS X servers, one running 10.3, the other running 10.4.
Neither can be upgraded to 10.5 due to third party s/w constraints.
Both are PPC based Xserves.<br>
<br>
Trying to compile nrpe with:<br>
<blockquote><font color="#ff0000">./configure
--sysconfdir=/etc/nagios
--enable-ssl</font><br>
</blockquote>
Initially, I got the "cannot find ssl libraries" error:<br>
<blockquote><font color="#ff0000">~<br>
checking for SSL headers... SSL headers found in /usr/local/ssl<br>
checking for SSL libraries... configure: error: Cannot find ssl
libraries</font><br>
</blockquote>
I downloaded the latest openssl and built it with:<br>
<blockquote><font color="#ff0000">./config --prefix=/usr/local
shared
--openssldir=/usr/local/openssl<br>
make<br>
make test<br>
make install</font><br>
</blockquote>
I then had to edit ~/src/nrpe/configure and change the reference from
libssl.so to libssl.dylib<br>
<br>
After that, nrpe compiled cleanly and I was able to move
~src/nrpe/src/nrpe to /usr/local/sbin and start xinetd up. I've
confirmed that port 5666 is open and xinetd is running:<br>
<blockquote><font color="#ff0000">/usr/local/src/nrpe-2.12/src root# ps waux|grep xinet|grep -v grep<br>
root 29066 0.0 -0.0 27484 308 ?? Ss 3:53PM 0:00.02 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive<br>
/usr/local/src/nrpe-2.12/src root# netstat -an|grep 5666<br>
tcp4 0 0 *.5666 *.* LISTEN</font><br>
</blockquote>
However, when connecting from the remote server, I get:<br>
<blockquote><font color="#ff0000">/usr/local/nagios/libexec/check_nrpe
-H <a href="http://host.mydomain.org" target="_blank">host.mydomain.org</a><br>
CHECK_NRPE: Error - Could not complete SSL handshake.</font><br>
</blockquote>
The same test but w/o SSL yields:<br>
<blockquote><font color="#ff0000">[nagios@nephilim src]$
/usr/local/nagios/libexec/check_nrpe -n -H <a href="http://host.mydomain.org" target="_blank">host.mydomain.org</a><br>
CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs
for error messages.</font><br>
</blockquote>
So two questions:<br>
<br>
1) I'm a UNIX guy, but obviously Macs are A) different and B) a tad
different being BSD-based. So what's the proper way to stop/restart the
xinetd daemon?<br>
2) Any thoughts on SSL handshake error? I've googled it, but I'm not
getting very far.<br>
<br>
Anyone have a step-by-step for compiling nagios plugins and NRPE from
source on OS X 10.x (specifically 10.3 and 10.4)? I'm using NRPE for
all other internal hosts, so I prefer to use it for the Macs too. I
know I could do it via check_by_ssh and get around this, but I prefer
to use NRPE if I can.<br>
<pre cols="72">--
</pre></blockquote></blockquote></div></div></div></blockquote><div><br>On a Mac, your xinetd is a bolt-on over the launchd that's there by default; you've obviously got it running. Since you're in /etc/xinetd.d/<something>, you need to configure a different username via xinetd's config. Look for a /etc/xinetd.d/nrpe file, or similar, containing the config for your nrpe service. I tend to grep for the port number in order to find the file. Remember to check /local/*<br>
<br>The time service has an example with juicy comments:<br><br><br>service time<br>{<br># This is for quick on or off of the service<br> disable = yes<br>...<br>...<br># External services must fill out the following<br>
# user =<br># group =<br>...<br>...<br>}<br><br><br>Take a look there, see if you can choose a better username and/or group and if your port of xinetd honours it. I don't know if you have a nrpe user, or run it as nobody.<br>
<br>A better option would be a proper launchd config, allowing you to shut down xinetd if you're installing it there for this purpose only, but then it's a Mac-only thing, and would be more difficult to maintain for non-Mac people.<br>
<br>Allan<br><br></div></div>
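One way to run the check suggested in the reply above, as an added example that is not part of the original thread: find the xinetd service file by its port and report the user and group it would start the server as, ignoring commented-out lines such as the `# user =` in the time example. The function names, the sample file names and the assumption that the service file has a `port = 5666` line in whitespace-separated `name = value` form are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report which account an xinetd service
# file asks for, reading only uncommented "name = value" lines.

# attr FILE NAME -> value of the last uncommented "NAME = value" line, or empty
attr() {
    awk -v a="$2" '/^[ \t]*#/ { next }
        $1 == a && $2 == "=" { v = $3 }
        END { print v }' "$1"
}

# files_for_port DIR PORT -> service files in DIR that declare "port = PORT"
files_for_port() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ "$(attr "$f" port)" = "$2" ] && printf '%s\n' "$f"
    done
    return 0
}

# audit FILE -> "OK ..." or "FAIL ..." for the account the server would get
audit() {
    u=$(attr "$1" user); g=$(attr "$1" group)
    case "$u" in
        # A commented-out "# user =" counts as unset, same as no line at all.
        ''|root|0) echo "FAIL user=${u:-unset}"; return 0 ;;
    esac
    case "$g" in
        root|wheel|0) echo "FAIL group=$g" ;;      # gid 0 is "wheel" on Mac OS X
        *) echo "OK user=$u group=${g:-unset}" ;;
    esac
}

# write_samples DIR -> two constructed service files (not taken from the thread)
write_samples() {
    printf 'service nrpe\n{\n\tport = 5666\n\tserver = /usr/local/sbin/nrpe\n#\tuser = nobody\n#\tgroup = nobody\n}\n' > "$1/nrpe-commented"
    printf 'service nrpe\n{\n\tport = 5666\n\tserver = /usr/local/sbin/nrpe\n\tuser = nobody\n\tgroup = nobody\n}\n' > "$1/nrpe-fixed"
}

# Demonstration on the constructed files; point files_for_port at
# /etc/xinetd.d to check a real host.
demo=$(mktemp -d) && write_samples "$demo"
for f in $(files_for_port "$demo" 5666); do
    echo "$f: $(audit "$f")"
done
rm -rf "$demo"
```

A plain `grep user` over the first sample would match the commented line and suggest the account is set; the audit reports it as unset.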