On Thu, Mar 19, 2009 at 10:57, Andrew Davis <span dir="ltr"><<a href="mailto:nccomp@gmail.com">nccomp@gmail.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div bgcolor="#ffffff" text="#000099"> One person suggested my openssl version might be too new (0.9.8). I just removed it and installed 0.9.7i, older enough version to be safe and one that I know another user has in a working configuration. After compiling it, I then recompiled NRPE against it and copied the files in place. It still fails with the same error.<br> <br> /var/log/system.log shows:<br> <blockquote>Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service<br> Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root!<br> </blockquote> I had it set to run as nobody:nobody, but that wasn’t working. I even tried setting to run as daemon:wheel, but the same results. Finally, I created a nagios user and configured /etc/xinetd.d/nrpe to run as nagios:nagios and updated /etc/nagios/nrpe.cfg to use the same. However, all remote tests still result in the following:<br> <br> >From the server:<br> <blockquote>[nagios@nagios ~]$ /usr/local/nagios/libexec/check_nrpe -H seth<div class="im"><br> CHECK_NRPE: Error - Could not complete SSL handshake.<br> </div></blockquote> >From the client:<br> <blockquote>Mar 19 10:45:17 seth xinetd[26057]: Started working: 1 available service<br> Mar 19 10:45:25 seth nrpe[26064]: Error: NRPE daemon cannot be run as user/group root!<br> </blockquote> Scouring Google shows that the “cannot be run as ... root” error is in the nrpe.c code. What I can’t figure out is why its trying to run as root instead of the configured user...<br> <br> Anyone running NRPE with xinetd for Mac’s? I’m frustrated enough that I almost just want to use check_by_ssh, but I’d prefer to get this working and keep things consistent (ie: with NRPE). My /etc/nagios/nrpe.cfg and /etc/xinetd.d/nrpe are below:<br> <blockquote>seth:/etc/xinetd.d root# pwd<br> /etc/xinetd.d<br> seth:/etc/xinetd.d root# cat nrpe <br><div class="im"> # /etc/xinetd.d/nrpe<br> # description: NRPE<br> # default: on<br> service nrpe<br> {<br> flags = REUSE<br> socket_type = stream<br> port = 5666<br> wait = no<br></div> user = nagios<br> group = nagios<div class="im"><br> server = /usr/local/sbin/nrpe<br> server_args = -c /etc/nagios/nrpe.cfg --inetd<br> log_on_failure += USERID<br> disable = no<br> only_from = 127.0.0.1 10.1.1.170<br> }</div></blockquote></div></blockquote><div><br> Hi Andrew;<br> <br> I'm not convinced xinetd is running nrpe for you. As a simple test, try changing the port number from 5666 in /etc/xinetd.d/nrpe, but leave it as 5666 in nrpe.cfg, and see if you can connect on the old or new port -- just to ensure that the port is serviced as a hand-off from xinetd. (5666 or 5556?) Normally I'd confirm this with a "sudo netstat -pant" but I don't know the equivalent on MacOSX, so I'm suggesting quick molestation for proof, even though I see the "only 127.0.0.1" setting in nrpe.cfg.<br> <br>You might want to run xinetd with "-d" option for debugging spam; it also doesn't background the process, so run on a different terminal. Looking for confirmation that xinetd is changing user after accept()/fork().<br> <br></div></div>Allan<br>-- <br><a href="mailto:allanc@chickenandporn.com">allanc@chickenandporn.com</a> "金鱼" <a href="http://linkedin.com/in/goldfish">http://linkedin.com/in/goldfish</a><br>please, no proprietary attachments (<a href="http://tinyurl.com/cbgq">http://tinyurl.com/cbgq</a>)<br> Sent from: New York NY United States.