Functional test of KDC for monitoring?

Roland C. Dowdeswell elric at imrryr.org
Tue Jan 15 01:38:56 EST 2013


On Sat, Jan 12, 2013 at 11:19:03AM +0100, Jan-Piet Mens wrote:
>

> > How are folks performing functional testing of KDCs (without PKINIT)?
> 
> We have a very primitive Nagios/Icinga plugin (loosely based on [1])
> which invokes `kinit' with a keytab. This verifies that the round-trip
> principal->KDC->OpenLDAP is possible.

I have used:

	http://oskt.secure-endpoints.com/k5ping.html
	http://oskt.secure-endpoints.com/gitweb.cgi?p=k5ping;a=tree

in the past.  I have last compiled it against MIT Kerberos 1.4, I think,
so it may need a little fixing.  It provides a certain number of critical
advantages over simply using kinit -k:

	1.  individually test KDCs,

	2.  test AS and TGS, and

	3.  UDP and TCP testing.

Command line usage is simple:

	$ k5ping kdc1 [kdc2 ...]

With a few flags to change behaviour, like -t to only test TCP or -u
to only test UDP.

I have found in the past that the testing of both TCP and UDP would
have saved me a fair bit of frustration at a prior environment as
it is possible for a KDC to have only one of the two services
running and there are also clients that can only use one or the
other.

In addition to monitoring the KDCs, I would also strongly recommend
that the scripts that you use to upgrade KDCs operate in this sort
of way (shell script syntax used to aid readability but this is not
actually a script):

	#!/bin/sh

	KDCS="your KDC list"

	set -e
	for i in $KDCS; do
		upgrade_kdc $i
		k5ping $i
		sleep 10
	done

Or something along those lines.  It's always good to ensure that
your process terminates quickly if things start to progress in an
unexpected fashion...

If you are interested in using this, I can work with you to bring
the code up to date for the current release of MIT Kerberos (it
may just work, I haven't tried it...)

And [to the MIT developers], I think that it would be nice if there
were either (1) functionality within Kerberos which allowed for
the writing of programs such as this without overriding functions,
i.e. allow library users to tell the libs to use a particular KDC;
or (2) if k5ping or a similar program were integrated into MIT
Kerberos to aid in monitoring as this is a need that all enterprise
deployments of Kerberos need.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/


More information about the Kerberos mailing list