Monitoring your Kerberos servers?
Peter Eriksson
peter at ifm.liu.se
Mon Sep 8 04:30:54 EDT 2008
I'm a bit surprised to find (or rather not finding) that there
doesn't seem to exist much in a way of monitoring software for
Kerberos servers/services... What _are_ people using to make sure
that their KDC's are up and running, *and* containing valid data?
I've now experienced a couple of times confusing system behaviour
due to KDC's not running or KDC slaves containing old/stale data...
The last such occurance was fun - the primary KDC server had due
to some unknown even shut down the "kdc" service. However the
"kadmin" service was still running.
So I would use 'kadmin' to add new principals to the database,
and/or ktadd updated ones to hosts keytabs and then get very
confusing errors since the remaning slave KDC would use the
old data (since it couldn't contact the master KDC to get
the updated database records)...
Specifically I'd like to see a Nagios plugin that can be
directed to talk to a *specific* KDC (not just the first one that
answers from the list in krb5.conf) to check that the KDC service
is running.
I'd also like some Nagios plugin that can check that slave
KDC's contain valid up-to-date data by comparing things with
the master KDC...
(I've solved the second part with a special hack for Solaris
Kerberos that has a "kproplog" utility)
- Peter
--
--
Peter Eriksson <peter at ifm.liu.se> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/GSM: +46 705 18 2786
Physics Department, Linköping University Room: Building F, F203
More information about the Kerberos
mailing list