<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000099"> If I'm reading this correctly, the line about "NRPE daemon cannot be run as user/group root!" is directly from the source code of NRPE. Its not an xinetd thing. I've confirmed that xinetd is running and listening on port 5666. I tried changing the owner/group from nobody:nobody to another unprivileged user, but it didn't work. Same results. It appears that despite my configuring the /etc/nagios/nrpe.cfg and the /etc/xinetd.d/nrpe files to use a user other than root, it still tries to start it as the root user and thus when an incoming connection comes in, it gives the "NRPE daemon cannot be run as user/group root!" error. Any thoughts on how to rectify this? Since NRPE is working fine on Linux, is this just a Mac OS X thing? Any help would be immensely appreciated. AD Andrew Davis wrote: <blockquote cite="mid:49C154FB.2010509@gmail.com" type="cite"> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> FYI: /var/log/system.log on the client shows: Mar 18 16:08:07 shu xinetd[29066]: START: nrpe pid=557 from=10.1.1.170 Mar 18 16:08:07 shu nrpe[557]: Error: NRPE daemon cannot be run as user/group root! whether I do the default test (with SSL) or use the -n flag to test w/o SSL. The odd thing is that the nrpe config in /etc/xinetd.d is set to run as nobody:nobody and /etc/nagios/nrpe.cfg is owned by nobody:nobody. Only /usr/local/sbin/nrpe is owned by root (as it should be), but is also set to 755 perms. I've compared to a Linux box I have with NRPE and xinetd working properly and the permissions are identical. I'm stumped... Andrew Davis wrote: <blockquote cite="mid:49C1529C.2030106@gmail.com" type="cite">I have two Mac OS X servers, one running 10.3, the other running 10.4. Neither can be upgraded to 10.5 due to third party s/w constraints. Both are PPC based XServe's. Trying to compile nrpe with: <blockquote>./configure --sysconfdir=/etc/nagios --enable-ssl </blockquote> Initially, I got the "cannot find ssl libraries" error: <blockquote>~ checking for SSL headers... SSL headers found in /usr/local/ssl checking for SSL libraries... configure: error: Cannot find ssl libraries </blockquote> I downloaded the latest openssl and built it with: <blockquote>./config --prefix=/usr/local shared --openssldir=/usr/local/openssl make make test make install </blockquote> I then had to edit ~/src/nrpe/configure and change the reference from libssl.so to libssl.dylib After that, nrpe compiled cleanly and I was able to move ~src/nrpe/src/nrpe to /usr/local/sbin and start xinetd up. I've confirmed that port 5666 is open and xinetd is running: <blockquote>/usr/local/src/nrpe-2.12/src root# ps waux|grep xinet|grep -v greproot 29066 0.0 -0.0 27484 308 ?? Ss 3:53PM 0:00.02 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive /usr/local/src/nrpe-2.12/src root# netstat -an|grep 5666tcp4 0 0 *.5666 *.* LISTEN </blockquote> However, when connecting from the remote server, I get: <blockquote>/usr/local/nagios/libexec/check_nrpe -H host.mydomain.org CHECK_NRPE: Error - Could not complete SSL handshake. </blockquote> The same test but w/o SSL gives yields: <blockquote>[nagios@nephilim src]$ /usr/local/nagios/libexec/check_nrpe -n -H host.mydomain.org CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages. </blockquote> So two questions: 1) I'm a UNIX guy, but obviously Mac's are A) different and B) a tad different being BSD-based. So what's the proper way to stop/restart the xinetd daemon? 2) Any thoughts on SSL handshake error? I've googled it, but I'm not getting very far. Anyone have a step-by-step for compiling nagios plugins and NRPE from source on OS X 10.x (specifically 10.3 and 10.4)? I'm using NRPE for all other internal hosts, so I prefer to use it for the Mac's too. I know I could do it via check_by_ssh and get around this, but I prefer to use NRPE if I can. <pre class="moz-signature" cols="72">-- A. Davis Email: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:nccomp@gmail.com">nccomp@gmail.com</a> "There is no limit to what a man can accomplish if he doesn't care who gets the credit." - Ronald Reagan </pre> </blockquote> </blockquote> </body> </html>