Contents
- Authentication error with Zabbix 4.0 #80
- Comments
- Не получается отправлять оповещение на почту
- Jordansphere
- Zabbix VMware Monitoring Authentication Error
- Issue
- Troubleshooting
- Zabbix 4.0.3 ssh-agent not working
- Details
- Description
- Documentation
- Sidebar
- Table of Contents
- 3 Authentication
- Overview
- Default authentication
- Internal authentication
- HTTP authentication
- LDAP authentication
- SAML authentication
- Setting up the identity provider
- Setting up Zabbix
Authentication error with Zabbix 4.0 #80
This morning I upgraded my Zabbix server to 4.0 after coming from 3.4. My setup is as follows:
- HTTP Basic authentication is enabled on Apache
- zabbix-cli is a Zabbix Super Admin
- I configured zabbix-cli with the following commands:
This worked like a charm on 3.4, however when I try to run zabbix-cli on 4.0 I get the following error:
Removing the USERNAME:PASSWORD part from the URL results in (which is expected, due to basic auth being active)
Logging in via my browser using the same account works, so it has to be something with the handling of the credentials towards the API. Or the configuration borked somewhere in the upgrade.
I did read the notes on https://www.zabbix.com/documentation/4.0/manual/installation/upgrade_notes_400 and re-configured Zabbix to HTTP basic auth again (and use the HTTP authentication by default).
P.S. I am aware that the original configuration I used (encoding credentials in the URL for basic auth and then signing in on the API using the same credentials) is a hack to work around the lack of HTTP_BASIC auth support 🙂
I found a workaround, NOT a solution to this issue!
It appears that, contrary to the directions of the upgrade notes, which will tell you to delete all the Zabbix passwords in the database (note, before I removed the passwords from the database as per the directions it was already broken), the user you wish to use for zabbix-cli MUST have a password.
When setting the same password you use in Apache for the basic authentication on the user account in Zabbix, it will work again.
But I think a proper solution to this issue would be the addition of HTTP_BASIC authentication.
I haven’t been able/had the time to reproduce this error (since we’re using other authentication mechanisms that work with Zabbix 4).
Do you think you’re able to provide an example configuration for the docker containers that displays this problem?
Sure thing, but I don’t use docker so I don’t have a recipe that will create this for you in an instant.
However, the setup I have is not that spectacular, it’s a basic Zabbix install (basically next, next, finish), except with BASIC authentication enabled in the Zabbix configuration. And the accompanying apache config is as follows:
I’ve made two test installations of both 3.4.15 and 4.0.3.
HTTP auth in the API has been broken with the release of 4.0. The only way to use the API with HTTP auth in 4.0 is to authenticate with both HTTP and Zabbix internal auth (this is what @Thulium-Drake has mentioned already. If you follow the official docs you will not be able to use the API with HTTP auth)
This is an issue within Zabbix itself and not zabbix-cli or pyzabbix.
I’m not closing this issue yet, but I’m currently going to label it as invalid. Maybe there will be a feature release of Zabbix 4.x that resolves this issue. Feel free to update/comment on this issue if you’re aware of any changes to Zabbix that resolves the issue.
Source
Unable to send notifications by e-mail
It would also be a good idea to increase Timeout=3 to 10, so that it reads Timeout=10 (since scripts do not always finish quickly)!
But what else is wrong?
Couldn’t resolve host name: Could not resolve host: smtp.gmail.com; Unknown error
Try changing the SMTP server port to 587 and setting "Connection security" to STARTTLS; that is how it currently works for me.
Check name resolution on the Zabbix server.
If nslookup is not found, install the bind-utils package.
The bind-utils package was not installed.
I installed it and tried to send a test, but here is the result:
Детали: Media type test failed.
Превышено время ожидания 3 секунд при подключении к Zabbix серверу «192.168.10.28».
After changing the SMTP server port to 587 and "Connection security" to STARTTLS:
Action log: Couldn’t connect to server: Failed to connect to 2a00:1450:4010:c07::6c: Network is unreachable
At the moment port=465, security = SSL/TLS
Timeout = 10 on the Zabbix server and 10 on the Zabbix agent
1. Did you reboot the OS after installing bind-utils?
2. Is the postfix server running? That is, check sudo netstat -tunlp. Is there a process like this among those listed:
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1423/master
3. What does nslookup show now (attach screenshots)?
nslookup gmail.com
nslookup smtp.gmail.com
4. What is the result of nslookup with the firewalls turned off?
I rebooted the OS after installing bind-utils.
Детали: Media type test failed.
Превышено время ожидания 3 секунд при подключении к Zabbix серверу «192.168.10.28».
Source
Jordansphere
Somewhere in the Cloud
Zabbix VMware Monitoring Authentication Error
Issue
Upon connecting to vCenter for the first time, the following error was thrown up by the Zabbix server:
Cannot complete login due to an incorrect user name or password
Troubleshooting
Find the vmware poller processes. In this case they are 2154 and 2155:
zabbix 2154 3.7 1.9 786000 37432 ? S 14:51 2:08 /usr/sbin/zabbix_server: vmware collector #1 [updated 0, removed 0 VMware services in 0.000008 sec, idle 5 sec]
zabbix 2155 0.1 1.9 785848 37256 ? S 14:51 0:04 /usr/sbin/zabbix_server: vmware collector #2 [updated 0, removed 0 VMware services in 0.000008 sec, idle 5 sec]
You can then increase the log levels to help with debugging
Looking in /etc/zabbix/zabbix_server.log, you can see the following entries:
2155:20180416:142510.042 In vmware_service_update() ‘»vsphere.localzabbix_vmw»‘@’https://10.64.51.51/sdk’
2155:20180416:142510.043 In vmware_service_authenticate() ‘«vsphere.localzabbix_vmw»‘@’https://10.64.51.51/sdk’
2154:20180416:142510.953 __zbx_zbx_setproctitle() title:’vmware collector #1 [updated 0, removed 0 VMware services in 0.000008 sec, querying VMware services]’
2154:20180416:142510.953 __zbx_zbx_setproctitle() title:’vmware collector #1 [updated 0, removed 0 VMware services in 0.000007 sec, idle 5 sec]’
2155:20180416:142514.781 End of vmware_service_authenticate():FAIL
I was trying different variations such as [email protected] and quotation marks. As you can see from above, I do not need the double quotation marks.
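To spot this kind of failure without reading the debug log by eye, the authenticate calls can be paired per collector PID. This is an added example, not code from the original post or from Zabbix; the sample log lines and the account and host names in them are constructed, modelled on the line format shown above.

```python
import re
from datetime import datetime

# "PID:YYYYMMDD:HHMMSS.mmm message" as in the debug log excerpt above.
LINE = re.compile(r"^\s*(\d+):(\d{8}):(\d{6}\.\d{3}) (.*)$")
AUTH_IN = re.compile(r"^In vmware_service_authenticate\(\) '(.*)'@'(.*)'$")
AUTH_END = re.compile(r"^End of vmware_service_authenticate\(\):(\w+)")

# Constructed sample: one attempt with a user name wrapped in double quotes,
# one with the bare user name.
SAMPLE_LOG = """\
 2155:20180416:142510.042 In vmware_service_update() '"svc_zbx@vsphere.example"'@'https://vcenter.example/sdk'
 2155:20180416:142510.043 In vmware_service_authenticate() '"svc_zbx@vsphere.example"'@'https://vcenter.example/sdk'
 2154:20180416:142510.953 __zbx_zbx_setproctitle() title:'vmware collector #1 [idle 5 sec]'
 2155:20180416:142514.781 End of vmware_service_authenticate():FAIL
 2155:20180416:143010.100 In vmware_service_authenticate() 'svc_zbx@vsphere.example'@'https://vcenter.example/sdk'
 2155:20180416:143010.600 End of vmware_service_authenticate():SUCCEED
"""


def auth_attempts(log_text):
    """Pair each 'In vmware_service_authenticate()' with its 'End of' line, per PID."""
    pending = {}    # pid -> (start time, user, url) of the call still in progress
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, day, clock, msg = m.groups()
        when = datetime.strptime(day + clock, "%Y%m%d%H%M%S.%f")
        started = AUTH_IN.match(msg)
        ended = AUTH_END.match(msg)
        if started:
            pending[pid] = (when, started.group(1), started.group(2))
        elif ended and pid in pending:
            t0, user, url = pending.pop(pid)
            attempts.append({
                "pid": int(pid),
                "user": user,
                "url": url,
                "result": ended.group(1),
                "seconds": round((when - t0).total_seconds(), 3),
                # A user name that itself starts and ends with a quote character
                # means the quotes were typed into the macro value.
                "quoted_user": len(user) >= 2 and user[0] in "\"'" and user[-1] == user[0],
            })
    return attempts


def suspicious_failures(log_text):
    """Failed attempts whose user name carries literal quotes."""
    return [a for a in auth_attempts(log_text)
            if a["result"] == "FAIL" and a["quoted_user"]]


if __name__ == "__main__":
    for attempt in auth_attempts(SAMPLE_LOG):
        print(attempt)
```

Debug-level logs record the account name in clear text, so lower the log level again once the cause is found.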
Source
Zabbix 4.0.3 ssh-agent not working
Details
Description
I follow the documentation except for the location of the home of the zabbix user.
I choose Key file authentication so I specified the `SSHKeyLocation=/var/lib/zabbix/.ssh` and restart `systemctl restart zabbix-server` and `systemctl restart zabbix-agent`
I generate ssh keys without a passphrase. I use these commands to generate both keys I try to use.
First key I try `ssh-keygen -o -a 100 -t ed25519`
Second key I try `ssh-keygen -o -a 100 -t rsa -b 4096`
I generate those keys as zabbix user in the zabbix server.
On the destination server I copy both keys in authorized_key and confirm it’s working using these commands.
`sudo -u zabbix ssh -i
`sudo -u zabbix ssh -i
Both keys are working, on the destination side I create the user zabbix_ssh_agent with both public keys. I choose to test both keys because I started with ed25519 and I want to make sure this is not the cause of the problem.
I create the item in zabbix frontend with those parameters.
When I go back to the same screen to edit or validate the information I just provided to Zabbix, I have several other fields and a duplicate field. I see 2 User Name field.
I attach two screenshots.
The item starts to collect information and I get this error in the frontend web page.
`Public key authentication failed: Callback returned error`
I try a couple of ways to specify the location of the key file. When I try to specify the relative path I get this error message `Cannot access public key file /var/lib/zabbix/.ssh//var/lib/zabbix/.ssh/id_rsa.pub`
The relative path:
Public key file: /var/lib/zabbix/.ssh/id_rsa.pub
Private key file: /var/lib/zabbix/.ssh/id_rsa
I enable debug log and collect that.
26326:20190131:150855.564 End of substitute_key_macros():SUCCEED data:’ssh.run [testing123] ‘
26326:20190131:150855.564 In substitute_simple_macros() data:’id_rsa.pub’
26326:20190131:150855.564 In substitute_simple_macros() data:’id_rsa’
26326:20190131:150855.564 In substitute_simple_macros() data:’ls /tmp’
26326:20190131:150855.564 In substitute_simple_macros() data:’SSH_DESTINATION_USER’
26326:20190131:150855.564 In substitute_simple_macros() data:EMPTY
26326:20190131:150855.564 In get_value() key:’ssh.run [testing123] ‘
26840:20190131:150855.564 End of preprocessor_enqueue()
26840:20190131:150855.564 In preprocessor_assign_tasks()
26840:20190131:150855.564 In preprocessor_get_queued_item()
26840:20190131:150855.564 End of preprocessor_get_queued_item()
26326:20190131:150855.564 In ssh_run()
26326:20190131:150855.684 ssh_run() supported authentication methods:’publickey’
26326:20190131:150855.685 End of ssh_run():
26326:20190131:150855.685 Item [HOSTNAME_DESTINATION:ssh.run [testing123] ] error: Public key authentication failed: Callback returned error
20776:20190130:201919.772 item «HOSTNAME_DESTINATION:ssh.run [testing123] » became not supported: Public key authentication failed: Username/PublicKey combination invalid
26247:20190131:150853.823 ssh: [username:’SSH_DESTINATION_USER’ password:» authtype:1 params:’ls /tmp’]
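A pre-flight check for the key-file setup described in this ticket, as an added example that is not part of the original report or of Zabbix: it joins SSHKeyLocation with the item's key file fields the way the "Cannot access public key file" message above shows, and reports path, permission and key-format findings. The function names, finding texts and sample files are constructed; whether a given libssh2 build reads the OpenSSH private-key format written by `ssh-keygen -o` is an assumption to verify on the server.

```python
import os
import stat
import tempfile

OPENSSH_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"


def check_ssh_item(key_location, public_name, private_name):
    """Return findings for one ssh.run item; an empty list means nothing was found."""
    if not os.path.isdir(key_location):
        return [f"{key_location} is not a directory"]
    findings = []
    if stat.S_IMODE(os.stat(key_location).st_mode) & 0o022:
        findings.append(f"{key_location} is writable by group/other")
    for label, name in (("public", public_name), ("private", private_name)):
        # The item fields hold file names; the server prepends SSHKeyLocation.
        if "/" in name:
            findings.append(f"{label}: '{name}' contains a path; use a bare file name")
        # Same join as in the error text: location + "/" + field value.
        path = key_location.rstrip("/") + "/" + name
        if not os.path.isfile(path):
            findings.append(f"{label}: cannot access {path}")
            continue
        if label == "private":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                findings.append(f"private: {path} has mode {mode:o}; restrict it to 600")
            with open(path, "rb") as fh:
                first_line = fh.readline().strip()
            if first_line == OPENSSH_HEADER:
                findings.append("private: OpenSSH-format key; confirm the server's "
                                "libssh2 build can read it")
    return findings


def make_sample(root):
    """Constructed sample: placeholder key files laid out like the ticket's, mode 644."""
    keydir = os.path.join(root, ".ssh")
    os.mkdir(keydir)
    os.chmod(keydir, 0o700)
    samples = (
        ("id_rsa", OPENSSH_HEADER + b"\n(constructed placeholder, not a key)\n"),
        ("id_rsa.pub", b"ssh-rsa CONSTRUCTED-PLACEHOLDER zabbix@example\n"),
    )
    for name, body in samples:
        path = os.path.join(keydir, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    return keydir


if __name__ == "__main__":
    keydir = make_sample(tempfile.mkdtemp())
    print("full paths in the item fields:")
    for line in check_ssh_item(keydir, keydir + "/id_rsa.pub", keydir + "/id_rsa"):
        print("  " + line)
    print("bare file names in the item fields:")
    for line in check_ssh_item(keydir, "id_rsa.pub", "id_rsa"):
        print("  " + line)
```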
Source
Documentation
Table of Contents
3 Authentication
Overview
The Administration → Authentication section allows specifying the global user authentication method to Zabbix and internal password requirements. The available methods are internal, HTTP, LDAP, and SAML authentication.
Default authentication
By default, Zabbix uses internal Zabbix authentication for all users. It is possible to change the default method to LDAP system-wide or enable LDAP authentication only for specific user groups.
To set LDAP as default authentication method for all users, navigate to the LDAP tab and configure authentication parameters, then return to the Authentication tab and switch Default authentication selector to LDAP.
Note that the authentication method can be fine-tuned on the user group level. Even if LDAP authentication is set globally, some user groups can still be authenticated by Zabbix. These groups must have frontend access set to Internal. Vice versa, if internal authentication is used globally, LDAP authentication details can be specified and used for specific user groups whose frontend access is set to LDAP. If a user is included into at least one user group with LDAP authentication, this user will not be able to use internal authentication method.
HTTP and SAML 2.0 authentication methods can be used in addition to the default authentication method.
Internal authentication
The Authentication tab allows defining custom password complexity requirements for internal Zabbix users.
The following password policy options can be configured:
Parameter | Description |
---|---|
Minimum password length | By default, the minimum password length is set to 8. Supported range: 1-70. Note that passwords longer than 72 characters will be truncated. |
Password must contain | Mark one or several checkboxes to require usage of specified characters in a password: an uppercase and a lowercase Latin letter; a digit; a special character. Hover over the question mark to see a hint with the list of characters for each option. |
Avoid easy-to-guess passwords | If marked, a password will be checked against the following requirements: must not contain user’s name, surname, or username; must not be one of the common or context-specific passwords. |
The list of common and context-specific passwords is generated automatically from the list of NCSC «Top 100k passwords», the list of SecLists «Top 1M passwords» and the list of Zabbix context-specific passwords. Internal users will not be allowed to set passwords included in this list as such passwords are considered weak due to their common use.
Changes in password complexity requirements will not affect existing user passwords, but if an existing user chooses to change a password, the new password will have to meet current requirements. A hint with the list of requirements will be displayed next to the Password field in the user profile and in the user configuration form accessible from the Administration→Users menu.
HTTP authentication
HTTP or web server-based authentication (for example: Basic Authentication, NTLM/Kerberos) can be used to check user names and passwords. Note that a user must exist in Zabbix as well, however its Zabbix password will not be used.
Be careful! Make sure that web server authentication is configured and works properly before switching it on.
Parameter | Description |
---|---|
Enable HTTP authentication | Mark the checkbox to enable HTTP authentication. Hovering the mouse over |
Default login form | Specify whether to direct non-authenticated users to: Zabbix login form — standard Zabbix login page. HTTP login form — HTTP login page. It is recommended to enable web-server based authentication for the index_http.php page only. If Default login form is set to ‘HTTP login page’ the user will be logged in automatically if web server authentication module will set valid user login in the $_SERVER variable. Supported $_SERVER keys are PHP_AUTH_USER , REMOTE_USER , AUTH_USER . |
Remove domain name | A comma-delimited list of domain names that should be removed from the username. E.g. comp,any — if username is ‘[email protected]’, ‘compAdmin’, user will be logged in as ‘Admin’; if username is ‘notacompanyAdmin’, login will be denied. |
Case sensitive login | Unmark the checkbox to disable case-sensitive login (enabled by default) for usernames. E.g. disable case-sensitive login and log in with, for example, ‘ADMIN’ user even if the Zabbix user is ‘Admin’. Note that with case-sensitive login disabled the login will be denied if multiple users exist in Zabbix database with similar usernames (e.g. Admin, admin). |
For internal users who are unable to log in using HTTP credentials (with HTTP login form set as default) leading to the 401 error, you may want to add an ErrorDocument 401 /index.php?form=default line to basic authentication directives, which will redirect to the regular Zabbix login form.
LDAP authentication
External LDAP authentication can be used to check user names and passwords. Note that a user must exist in Zabbix as well, however its Zabbix password will not be used.
Several LDAP servers can be defined, if necessary. For example, a different server can be used to authenticate a different user group. Once LDAP servers are configured, in user group configuration it becomes possible to select the required LDAP server for the respective user group.
If a user is in multiple user groups and multiple LDAP servers, the first server in the list of LDAP servers sorted by name in ascending order will be used for authentication.
Zabbix LDAP authentication works at least with Microsoft Active Directory and OpenLDAP.
Parameter | Description |
---|---|
Enable LDAP authentication | Mark the checkbox to enable LDAP authentication. |
Servers | Click on Add to configure an LDAP server (see LDAP server configuration parameters below). |
Case-sensitive login | Unmark the checkbox to disable case-sensitive login (enabled by default) for usernames. E.g. disable case-sensitive login and log in with, for example, ‘ADMIN’ user even if the Zabbix user is ‘Admin’. Note that with case-sensitive login disabled the login will be denied if multiple users exist in Zabbix database with similar usernames (e.g. Admin, admin). |
LDAP server configuration parameters:
Parameter | Description |
---|---|
Name | Name of the LDAP server in Zabbix configuration. |
Host | Host of the LDAP server. For example: ldap://ldap.example.com For secure LDAP server use ldaps protocol. ldaps://ldap.example.com With OpenLDAP 2.x.x and later, a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port may be used. |
Port | Port of the LDAP server. Default is 389. For secure LDAP connection port number is normally 636. Not used when using full LDAP URIs. |
Base DN | Base path to search accounts: ou=Users,ou=system (for OpenLDAP), DC=company,DC=com (for Microsoft Active Directory) |
Search attribute | LDAP account attribute used for search: uid (for OpenLDAP), sAMAccountName (for Microsoft Active Directory) |
Bind DN | LDAP account for binding and searching over the LDAP server, examples: uid=ldap_search,ou=system (for OpenLDAP), CN=ldap_search,OU=user_group,DC=company,DC=com (for Microsoft Active Directory) Anonymous binding is also supported. Note that anonymous binding potentially opens up domain configuration to unauthorized users (information about users, computers, servers, groups, services, etc.). For security reasons, disable anonymous binds on LDAP hosts and use authenticated access instead. |
Bind password | LDAP password of the account for binding and searching over the LDAP server. |
Description | Description of the LDAP server. |
StartTLS | Mark the checkbox to use the StartTLS operation when connecting to LDAP server. The connection will fail if the server doesn’t support StartTLS. StartTLS cannot be used with servers that use the ldaps protocol. To access this option, mark the Advanced configuration checkbox first. |
Search filter | Define a custom string when authenticating user in LDAP. The following placeholders are supported: % — search attribute name (uid, sAMAccountName) % — user username value to authenticate. If omitted then LDAP will use the default filter: (%=%) To access this option, mark the Advanced configuration checkbox first. |
The Test button allows testing user access:
Parameter | Description |
---|---|
Login | LDAP user name to test (prefilled with the current user name from Zabbix frontend). This user name must exist in the LDAP server. Zabbix will not activate LDAP authentication if it is unable to authenticate the test user. |
User password | LDAP user password to test. |
In case of trouble with certificates, to make a secure LDAP connection (ldaps) work you may need to add a TLS_REQCERT allow line to the /etc/openldap/ldap.conf configuration file. It may decrease the security of connection to the LDAP catalog.
It is recommended to create a separate LDAP account (Bind DN) to perform binding and searching over the LDAP server with minimal privileges in the LDAP instead of using real user accounts (used for logging in the Zabbix frontend).
Such an approach provides more security and does not require changing the Bind password when the user changes his own password in the LDAP server.
In the table above it’s ldap_search account name.
SAML authentication
SAML 2.0 authentication can be used to sign in to Zabbix. Note that a user must exist in Zabbix, however, its Zabbix password will not be used. If authentication is successful, then Zabbix will match a local username with the username attribute returned by SAML.
If SAML authentication is enabled, users will be able to choose between logging in locally or via SAML Single Sign-On.
Setting up the identity provider
In order to work with Zabbix, a SAML identity provider (onelogin.com, auth0.com, okta.com, etc.) needs to be configured in the following way:
- Assertion Consumer URL should be set to
/index_sso.php?acs
Single Logout URL should be set to
examples: https://example.com/zabbix/ui , http://another.example.com/zabbix , http:///zabbix
Setting up Zabbix
It is required to install php-openssl if you want to use SAML authentication in the frontend.
To use SAML authentication Zabbix should be configured in the following way:
1. Private key and certificate should be stored in the ui/conf/certs/, unless custom paths are provided in zabbix.conf.php.
By default, Zabbix will look in the following locations:
- ui/conf/certs/sp.key — SP private key file
- ui/conf/certs/sp.crt — SP cert file
- ui/conf/certs/idp.crt — IDP cert file
2. All of the most important settings can be configured in the Zabbix frontend. However, it is possible to specify additional settings in the configuration file.
Configuration parameters, available in the Zabbix frontend:
Parameter | Description |
---|---|
Enable SAML authentication | Mark the checkbox to enable SAML authentication. |
IDP entity ID | The unique identifier of SAML identity provider. |
SSO service URL | The URL users will be redirected to when logging in. |
SLO Service URL | The URL users will be redirected to when logging out. If left empty, the SLO service will not be used. |
Username attribute | SAML attribute to be used as a username when logging into Zabbix. List of supported values is determined by the identity provider. Examples: uid, userprincipalname, samaccountname, username, userusername, urn:oid:0.9.2342.19200300.100.1.1, urn:oid:1.3.6.1.4.1.5923.1.1.1.13, urn:oid:0.9.2342.19200300.100.1.44 |
SP entity ID | The unique identifier of SAML service provider. |
SP name ID format | Defines which name identifier format should be used. Examples: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, urn:oasis:names:tc:SAML:2.0:nameid-format:transient, urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
Sign | Mark the checkboxes to select entities for which SAML signature should be enabled: Messages, Assertions, AuthN requests, Logout requests, Logout responses |
Encrypt | Mark the checkboxes to select entities for which SAML encryption should be enabled: Assertions, Name ID |
Case-sensitive login | Mark the checkbox to enable case-sensitive login (disabled by default) for usernames. E.g. disable case-sensitive login and log in with, for example, ‘ADMIN’ user even if the Zabbix user is ‘Admin’. Note that with case-sensitive login disabled the login will be denied if multiple users exist in Zabbix database with similar usernames (e.g. Admin, admin). |
Advanced settings
Additional SAML parameters can be configured in the Zabbix frontend configuration file (zabbix.conf.php):
Zabbix uses OneLogin’s SAML PHP Toolkit library (version 3.4.1). The structure of the $SSO['SETTINGS'] section should be similar to the structure used by the library. For the description of configuration options, see official library documentation.
Only the following options can be set as part of $SSO['SETTINGS']:
- strict
- baseurl
- compress
- contactPerson
- organization
- sp (only options specified in this list)
- attributeConsumingService
- x509certNew
- idp (only options specified in this list)
- singleLogoutService (only one option)
- responseUrl
- certFingerprint
- certFingerprintAlgorithm
- x509certMulti
- singleLogoutService (only one option)
- security (only options specified in this list)
- signMetadata
- wantNameId
- requestedAuthnContext
- requestedAuthnContextComparison
- wantXMLValidation
- relaxDestinationValidation
- destinationStrictlyMatches
- rejectUnsolicitedResponsesWithInResponseTo
- signatureAlgorithm
- digestAlgorithm
- lowercaseUrlencoding
All other options will be taken from the database and cannot be overridden. The debug option will be ignored.
In addition, if Zabbix UI is behind a proxy or a load balancer, the custom use_proxy_headers option can be used:
- false (default) — ignore the option;
- true — use X-Forwarded-* HTTP headers for building the base URL.
If using a load balancer to connect to Zabbix instance, where the load balancer uses TLS/SSL and Zabbix does not, you must indicate ‘baseurl’, ‘strict’ and ‘use_proxy_headers’ parameters as follows:
Source
Sure thing, but I don’t use docker so I don’t have a recipe that will create this for you in an instant.
However, the setup I have is not that spectacular, it’s a basic Zabbix install (basically next, next, finish), except with BASIC authentication enabled in the Zabbix configuration. And the accompanying apache config is as follows:
<VirtualHost *:80>
ServerName zabbix.example.com
RedirectMatch .* https://zabbix.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName zabbix.example.com
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.key
#SSLCertificateChainFile /etc/apache2/ssl/chain.pem
SSLOptions StrictRequire
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
<Location />
AuthType Basic
AuthBasicProvider file
AuthName "Password protected. Enter your username and password."
AuthUserFile /etc/zabbix/zabbix.passwd
Require valid-user
</Location>
<IfModule mod_alias.c>
Alias / /usr/share/zabbix/
</IfModule>
<Directory "/usr/share/zabbix">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
<IfModule mod_php5.c>
php_value max_execution_time 300
php_value memory_limit 128M
php_value post_max_size 16M
php_value upload_max_filesize 2M
php_value max_input_time 300
php_value always_populate_raw_post_data -1
php_value date.timezone Europe/Amsterdam
</IfModule>
<IfModule mod_php7.c>
php_value max_execution_time 300
php_value memory_limit 128M
php_value post_max_size 16M
php_value upload_max_filesize 2M
php_value max_input_time 300
php_value always_populate_raw_post_data -1
php_value date.timezone Europe/Amsterdam
</IfModule>
</Directory>
<Directory "/usr/share/zabbix/conf">
Order deny,allow
Deny from all
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/app">
Order deny,allow
Deny from all
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/include">
Order deny,allow
Deny from all
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
<Directory "/usr/share/zabbix/local">
Order deny,allow
Deny from all
<files *.php>
Order deny,allow
Deny from all
</files>
</Directory>
</VirtualHost>
I have a web site that I would like to verify is up and it uses basic authentication, and I can get in with any browser. The server is IIS and it hosts three sites with subdomains and HTTP->HTTPS upgrades. site1.example.com, site2.example.com etc.
I have many other web scenarios but this is the first one I’ve attempted with basic authentication so I set it up like any other site plus the basic authentication. The details come back:
response code; 401 (unauthorized) Status; Error: required pattern "information" was not found on https://site.example.com
Looking deeper I don’t think this is a Zabbix failure because when I go to CLI on that server and attempt a curl with user/password I get similar error;
curl https://myuser:mypassword@site.example.com/index.html
~
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
Things get more interesting if I use wget, it works after a couple 401’s and pulls down the file I wanted successfully (valid content);
myuser@ubnt20-04-zbxv5:~$ wget --http-user=myuser --http-password=mypassword https://site.example.com/staging.html
--2021-09-29 07:54:03-- https://site.example.com/staging.html
Resolving site.example.com (site.example.com)... 100.18.169.148
Connecting to site.example.com (site.example.com)|100.18.169.148|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: NTLM
Reusing existing connection to site.example.com:443.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: NTLM TlRMTVNTUAACAAAABQAFADgAAAA~~~~~~~wAbwBjAGEAbAAHAA gArOzURSi11wEAAAAA
Reusing existing connection to site.example.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 3679 (3.6K) [text/html]
Saving to: ‘staging.html’
staging.html 100%[================================================== ================================================== ================================================== ==============================================>] 3.59K --.-KB/s in 0s
2021-09-29 07:54:03 (1.04 GB/s) - ‘staging.html’ saved [3679/3679]
So is there something I can do in Zabbix to make it behave more like wget instead of curl? If you have a clue on what I need to change on the IIS server also let me know.
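The wget trace above shows the server selecting NTLM after each 401, which is what a client sending only Basic credentials never gets past. An added example (not from the original post) that reads the WWW-Authenticate challenges of a 401 response and reports which schemes the server offers and whether the scheme a monitoring check is configured for is among them; both sample responses are constructed.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
CHALLENGE_START = re.compile(rf"^({TOKEN})\s+(.+)$")
TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Constructed samples: an IIS-style reply offering only Windows authentication,
# and a reply with two challenges in one header and a comma inside a quoted realm.
IIS_401 = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM Q09OU1RSVUNURUQ=
Content-Length: 1293

<title>401 - Unauthorized</title>"""

MIXED_401 = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="site, staging", Digest realm="site", nonce="abc123"

"""


def split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_param(text):
    """'name="value"' or 'name=value' -> (lower-case name, unquoted value)."""
    name, _, val = text.partition("=")
    val = val.strip()
    if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
        val = re.sub(r"\\(.)", r"\1", val[1:-1])
    return name.strip().lower(), val


def offered_schemes(raw_response):
    """Map every offered scheme (lower-case) to its parameters."""
    schemes, current = {}, None
    for line in raw_response.splitlines()[1:]:
        if not line.strip():
            break                              # blank line: end of headers
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for part in split_outside_quotes(value):
            m = CHALLENGE_START.match(part)
            if m and not m.group(2).startswith("="):
                # "Scheme first-item": a new challenge begins here.
                current = schemes.setdefault(m.group(1).lower(), {})
                rest = m.group(2)
                if TOKEN68.match(rest):
                    current["token68"] = rest
                else:
                    key, val = parse_param(rest)
                    current[key] = val
            elif "=" not in part:
                current = schemes.setdefault(part.lower(), {})   # bare scheme name
            elif current is not None:
                key, val = parse_param(part)                     # further parameter
                current[key] = val
    return schemes


def can_authenticate(raw_response, client_scheme):
    """(True/False, sorted offered schemes) for the scheme the client is set to use."""
    offered = offered_schemes(raw_response)
    return client_scheme.lower() in offered, sorted(offered)


if __name__ == "__main__":
    print(can_authenticate(IIS_401, "Basic"))
    print(can_authenticate(MIXED_401, "Basic"))
```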
To monitor the availability of a device over SNMP, I usually use items of type "Zabbix internal" with the key "zabbix[host,snmp,available]", which is described on the documentation page 8 Internal checks. More about host unavailability can be read here: 12 Unreachable/unavailable host settings. So, when the Zabbix server decides that a host is no longer available over SNMP, the value of the item with the key "zabbix[host,snmp,available]" becomes zero. A trigger can be configured to fire when this key has a zero value.
Once hosts polled over SNMPv3 appeared on the network, the absence of firings of this trigger stopped being a reliable indicator that a host is available over SNMP. All SNMPv3 items on a host can be in the unsupported state, yet Zabbix still considers the host available over SNMP and the trigger does not fire. As it turned out, Zabbix does not consider it a problem if the host replied with an authentication error. Formally the device does respond over SNMP, but in practice no data is collected from it.
I decided to fix this situation by once again patching the Zabbix source code. Fortunately, this turned out to be quite easy. The code fragment of interest is in the file src/zabbix_server/poller/checks_snmp.c, in the function zbx_get_snmp_response_error. We remove the special handling of SNMPv3 authentication errors, so that these errors are interpreted as unavailability of the item:
Index: zabbix-3.4.12-1+buster/src/zabbix_server/poller/checks_snmp.c =================================================================== --- zabbix-3.4.12-1+buster.orig/src/zabbix_server/poller/checks_snmp.c +++ zabbix-3.4.12-1+buster/src/zabbix_server/poller/checks_snmp.c @@ -391,17 +391,7 @@ static int zbx_get_snmp_response_error(c { zbx_snprintf(error, max_error_len, "Cannot connect to "%s:%hu": %s.", interface->addr, interface->port, snmp_api_errstring(ss->s_snmp_errno)); - - switch (ss->s_snmp_errno) - { - case SNMPERR_UNKNOWN_USER_NAME: - case SNMPERR_UNSUPPORTED_SEC_LEVEL: - case SNMPERR_AUTHENTICATION_FAILURE: - ret = NOTSUPPORTED; - break; - default: - ret = NETWORK_ERROR; - } + ret = NETWORK_ERROR; } else if (STAT_TIMEOUT == status) {
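Review bot: with the switch removed in zbx_get_snmp_response_error(), SNMPERR_UNKNOWN_USER_NAME, SNMPERR_UNSUPPORTED_SEC_LEVEL and SNMPERR_AUTHENTICATION_FAILURE are returned as NETWORK_ERROR together with every other session error, so the return code no longer separates a wrong SNMPv3 credential from an unreachable host, and the message built just above still reads "Cannot connect to" for what is an authentication failure. Consider a comment on the new `ret = NETWORK_ERROR;` line saying the merge is intentional, and a distinct message text for the three authentication errno values so the item error shows that the credentials, not the network, need attention.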
This trivial patch is available at the link zabbix3_4_12_snmpv3_auth_errors.patch.
Topic: zabbix login error

vetallkvn
mysql_connect(): Access denied for user ‘zabbix’@’localhost’ (using password: YES)[/usr/share/zabbix/include/db.inc.php:58]
Ubuntu 10.04 is installed, everything from the repositories. When I try to log in, it shows this error. How do I fix it?

xeon_greg
Well, it clearly says what the problem is. Are the login and password correct?

Дмитрий Бо
You can check like this: mysql -u zabbix -p

vetallkvn
I can see perfectly well what it says. But I did not create such a user; it was created automatically when zabbix was installed. That is why I am asking how to fix it.

nomeron
Either create the zabbix user in mysql and grant it access rights to the database, or go to http://xxxxx/zabbix/instal.php and set up Configure DB connection in step 4.
Or, as an option, download a virtual machine on which everything is already configured.

Дмитрий Бо
I can see perfectly well what it says. But I did not create such a user; it was created automatically when zabbix was installed. That is why I am asking how to fix it.
If it really was created, allow it to log in from localhost and grant it rights on the required database.

vetallkvn
Thank you very much for the help.
The user decided to continue the thought on 10 October 2011, 10:25:41:
I can see perfectly well what it says. But I did not create such a user; it was created automatically when zabbix was installed. That is why I am asking how to fix it.
If it really was created, allow it to log in from localhost and grant it rights on the required database.
But I do not see it in the list of users, yet when I try to create one, the system says it already exists.
The user decided to continue the thought on 10 October 2011, 10:35:59:
Or go to http://xxxxx/zabbix/instal.php and set up Configure DB connection in step 4.
Or, as an option, download a virtual machine on which everything is already configured.
The same access error.
The user decided to continue the thought on 10 October 2011, 13:04:25:
You can check like this: mysql -u zabbix -p
accessdenied for users zabbix@localhost

xeon_greg
During the zabbix installation you were asked for a password in the console only 3 times:
1 - the root password for mysql, to create the zabbix database and users
2, 3 - the password and its confirmation for the database itself, for the zabbix user
Do you remember what you entered?
The user decided to continue the thought on 10 October 2011, 13:32:27:
If you do not remember which password you entered, log in to mysql as root and change the password for the zabbix user; in /etc/zabbix/ there is a database config file (I do not remember exactly what it is called) where the login and password for the database are set, so change the password there to the new one.

Дмитрий Бо
If it really was created, allow it to log in from localhost and grant it rights on the required database.
But I do not see it in the list of users, yet when I try to create one, the system says it already exists.
Where are you looking at the list and trying to create the user?
Just in case, let me clarify that the system has its own users and MySQL has its own. We are interested in the zabbix user in MySQL.

vetallkvn
During the zabbix installation you were asked for a password in the console only 3 times:
1 - the root password for mysql, to create the zabbix database and users
2, 3 - the password and its confirmation for the database itself, for the zabbix user
Do you remember what you entered?
The user decided to continue the thought on 10 October 2011, 13:32:27:
If you do not remember which password you entered, log in to mysql as root and change the password for the zabbix user; in /etc/zabbix/ there is a database config file (I do not remember exactly what it is called) where the login and password for the database are set, so change the password there to the new one.
This is on a virtual machine, so I have already rolled the system back twice and installed it again. Of course I remember the password (it is the same everywhere), and the result is the same every time.

xeon_greg
Quote from: Дмитрий Бо, 08 October 2011, 12:42:57
You can check like this: mysql -u zabbix -p
accessdenied for users zabbix@localhost
Well, if you tried that and it did not help, then the password is wrong after all. Log in as root and change it, and at the same time check whether zabbix has access to the database.

vetallkvn
I rolled back to the start. I created the user in the OS, then installed zabbix, and everything worked. Thanks, everyone.

Дмитрий Бо