On Thu, Mar 19, 2009 at 10:57, Andrew Davis <span dir="ltr"><<a href="mailto:nccomp@gmail.com">nccomp@gmail.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000099">
One person suggested my openssl version might be too new (0.9.8). I
just removed it and installed 0.9.7i, older enough version to be safe
and one that I know another user has in a working configuration. After
compiling it, I then recompiled NRPE against it and copied the files in
place. It still fails with the same error.<br>
<br>
/var/log/system.log shows:<br>
<blockquote>Mar 19 10:45:17 seth xinetd[26057]: Started working: 1
available service<br>
Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as
user/group root!<br>
</blockquote>
I had it set to run as nobody:nobody, but that wasn’t working. I even
tried setting to run as daemon:wheel, but the same results. Finally, I
created a nagios user and configured /etc/xinetd.d/nrpe to run as
nagios:nagios and updated /etc/nagios/nrpe.cfg to use the same.
However, all remote tests still result in the following:<br>
<br>
>From the server:<br>
<blockquote>[nagios@nagios ~]$ /usr/local/nagios/libexec/check_nrpe -H
seth<div class="im"><br>
CHECK_NRPE: Error - Could not complete SSL handshake.<br>
</div></blockquote>
>From the client:<br>
<blockquote>Mar 19 10:45:17 seth xinetd[26057]: Started working: 1
available service<br>
Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as
user/group root!<br>
</blockquote>
Scouring Google shows that the “cannot be run as ... root” error is in
the nrpe.c code. What I can’t figure out is why its trying to run as
root instead of the configured user...<br>
<br>
Anyone running NRPE with xinetd for Mac’s? I’m frustrated enough that I
almost just want to use check_by_ssh, but I’d prefer to get this
working and keep things consistent (ie: with NRPE). My
/etc/nagios/nrpe.cfg and /etc/xinetd.d/nrpe are below:<br>
<blockquote>seth:/etc/xinetd.d root# pwd<br>
/etc/xinetd.d<br>
seth:/etc/xinetd.d root# cat nrpe <br><div class="im">
# /etc/xinetd.d/nrpe<br>
# description: NRPE<br>
# default: on<br>
service nrpe<br>
{<br>
flags = REUSE<br>
socket_type = stream<br>
port = 5666<br>
wait = no<br></div>
user = nagios<br>
group = nagios<div class="im"><br>
server = /usr/local/sbin/nrpe<br>
server_args = -c /etc/nagios/nrpe.cfg --inetd<br>
log_on_failure += USERID<br>
disable = no<br>
only_from = 127.0.0.1 10.1.1.170<br>
}</div></blockquote></div></blockquote><div><br>
Hi Andrew;<br>
<br>
I'm not convinced xinetd is running nrpe for you. As a simple test, try changing the port number from 5666 in /etc/xinetd.d/nrpe, but leave it as 5666 in nrpe.cfg, and see if you can connect on the old or new port -- just to ensure that the port is serviced as a hand-off from xinetd. (5666 or 5556?) Normally I'd confirm this with a "sudo netstat -pant" but I don't know the equivalent on MacOSX, so I'm suggesting quick molestation for proof, even though I see the "only 127.0.0.1" setting in nrpe.cfg.<br>
<br>You might want to run xinetd with "-d" option for debugging spam; it also doesn't background the process, so run on a different terminal. Looking for confirmation that xinetd is changing user after accept()/fork().<br>
<br></div></div>Allan<br>-- <br><a href="mailto:allanc@chickenandporn.com">allanc@chickenandporn.com</a> "½ًسم" <a href="http://linkedin.com/in/goldfish">http://linkedin.com/in/goldfish</a><br>please, no proprietary attachments (<a href="http://tinyurl.com/cbgq">http://tinyurl.com/cbgq</a>)<br>
Sent from: New York NY United States.