ZenPacks and JSON API

1.  Windows ZenPack - Kerberos settings config file

Posted 18 days ago
I have ZenPacks.zenoss.Microsoft.Windows V 2.7.7 with Zenoss Core 5.2.1. Underlying Python ZenPack is version 1.9.0.

Most of our Windows devices appear in both our forward and reverse Domain Name Server (DNS) lookups. One or two do not appear in the reverse lookup files (for good reasons), so we can resolve name to address but not address to name with DNS. We use domain names to a trusted server and have followed the various good bits of advice re Kerberos parameters in the readme of the Windows ZenPack at https://www.zenoss.com/product/zenpacks/microsoft-windows. Everything works fine except for the few devices that do not have a reverse DNS lookup. So we have the following zProperties set to the correct values for us:
  • zWinKDC
  • zWinRMUser
  • zWinRMPassword
  • zWinScheme
  • zWinTrustedKDC
  • zWinTrustedRealm
We have zWinRMServerName set to the fully-qualified domain name.

The error messages we get from the failing devices include "WinRS: Failed collection Server not found in Kerberos database: HTTP@<FQDN here> on <FQDN here>" (obviously with the "<FQDN here>" as appropriate). The ZenPack README strongly suggests that this is because we do not have a reverse DNS entry and suggests using the recently added zWinRMKrb5DisableRDNS parameter, setting it from the default of false to true to inhibit the Kerberos reverse DNS lookup. Tried this and it makes no difference. Note that zWinRMKrb5DisableRDNS is a global parameter and must be set at the /Server/Microsoft level.

Under the covers, there is a Kerberos configuration file that this parameter should update.  Find it in the zenpython container under /opt/zenoss/var/krb5 - there should be a file called krb5.conf. There is also a directory, /opt/zenoss/var/krbcc which contains cache files for Kerberos.  Both directories are recreated when zenpython (which runs all the Windows RM stuff) is restarted.  Indeed, the cache files and the krb5.conf file can be deleted with everything running, and they will be quickly recreated.

The problem is that, regardless of any changes to zWinRMKrb5DisableRDNS, I never see any rdns entry in the krb.conf file.  The default, if there is no explicit rdns configuration, is:
  • rdns = true
(bit confusing - the zProp default is False (so rdns is enabled); the krb5 conf file has default rdns = true (so rdns is enabled).) I want this behaviour reversed.

I can delete the conf file and cache files and swap the zProperty - the files are recreated but no rdns line - anywhere, true or false.

The README also says you can add your own config file; must be a legal krb.conf-format file and filename must only contain alphanumerics, underscore and minus (so don't call it xyz.conf). It goes into a specific directory.  The default is /opt/zenoss/var/krb5/config (again in the Python container).  I have tried adding a wee file, rndc, in this directory with:
[libdefaults]
rdns = false

Removed krb5.conf and cache file - still getting the same Kerberos error events.  Note that this file under the config directory is transient. When zenpython is restarted it will be lost as the krb5 and krb5cc directory hierarchies are completely recreated.

There is also a further zProperty, zWinRMKrb5includedir, where you can put your extra config file, somewhere that will persist for the zenpython container, beyond restarts.  Such a directory is /opt/serviced/var/volumes/<tenant-id>/var-zenpacks which appears in containers as /var/zenoss.  I have a scripts subdirectory under here and have put my rndc file in there and set zWinRMKrb5includedir, at the /Server/Microsoft level, to be /var/zenoss/scripts.  Removed krb5.conf and the cache files.  Again, the krb5.conf is quickly recreated but no changes.  No rdns = false and no changes to the includedir stanza which still has:
  • includedir /opt/zenoss/var/krb5/config
So, my conclusion is that none of the zWin properties are making it to the config file - though the [realms] and [domain_realm] sections of krb5.conf obviously ARE being created correctly.

I would love some help or insight on this - or any other experiences of working or non-working.
Cheers,
Jane

------------------------------
Jane Curry
Skills 1st United Kingdom
jane.curry@skills-1st.co.uk
------------------------------
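
A diagnostic for the situation described in the post above, added here as an example (it is not part of the original posts or of the ZenPack's code): it follows the `includedir` lines of a krb5.conf, applies the filename rule the post quotes, and reports which file, if any, supplies `[libdefaults] rdns`. The function names are hypothetical, and the first-value-wins precedence, the sorted include order and the list of "false" spellings are assumptions.

```python
import os
import re
import tempfile

# Filename rule as quoted in the post: only alphanumerics, underscore and minus.
LEGAL_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
FALSE_WORDS = ("n", "no", "false", "nil", "0", "off")  # assumed krb5 spellings

def parse(path, found, skipped):
    """Collect [libdefaults] rdns values from path and every file it includes."""
    section = None
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("includedir "):
                incdir = line.split(None, 1)[1]
                names = sorted(os.listdir(incdir)) if os.path.isdir(incdir) else []
                for name in names:
                    full = os.path.join(incdir, name)
                    if LEGAL_NAME.match(name) and os.path.isfile(full):
                        parse(full, found, skipped)
                    else:
                        skipped.append(full)  # name breaks the rule, or not a file
            elif line.startswith("["):
                section = line.strip("[]").strip()
            elif section == "libdefaults" and "=" in line and line[0] not in "#;":
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "rdns":
                    found.append((path, value))

def effective_rdns(conf_path):
    """Return (enabled, found, skipped); assumes first value wins, default true."""
    found, skipped = [], []
    parse(conf_path, found, skipped)
    enabled = found[0][1].lower() not in FALSE_WORDS if found else True
    return enabled, found, skipped

def demo(names):
    """Constructed layout: krb5.conf plus an include directory holding `names`."""
    root = tempfile.mkdtemp()
    inc = os.path.join(root, "config")
    os.mkdir(inc)
    for name in names:
        with open(os.path.join(inc, name), "w") as fh:
            fh.write("[libdefaults]\nrdns = false\n")
    conf = os.path.join(root, "krb5.conf")
    with open(conf, "w") as fh:
        fh.write("includedir %s\n\n[realms]\n" % inc)
    return effective_rdns(conf)
```

Inside the zenpython container, `effective_rdns("/opt/zenoss/var/krb5/krb5.conf")` gives the same report for the live file; an empty `found` list means no included file is contributing an rdns line and the default applies.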


2.  RE: Windows ZenPack - Kerberos settings config file

Posted 17 days ago
Edited by Jane Curry 17 days ago
An update on this - the aspect of setting the zWinRMKrb5includedir zProp.  After "a while" - sorry, I don't know how long, been out for 6 hours - I found the krb5.conf had had the new include directory added so I had:

includedir /opt/zenoss/var/krb5/config
includedir /var/zenoss/scripts

Then realised that /var/zenoss/scripts also had other files, in addition to my little krb config file so changed the zProp to be /var/zenoss/scripts/fred.  krb5.conf was updated very quickly but the old file wasn't removed so I now have:

includedir /opt/zenoss/var/krb5/config
includedir /var/zenoss/scripts/fred
includedir /var/zenoss/scripts

Incidentally, the ZenPack readme says that if the zWinRMKrb5includedir directory contains any non-legal krb configuration files then it would be ignored; in this case, /var/zenoss/scripts was in breach of that rule but it did get added to my krb.conf.

Tried pushing configs but still end up with all three includedir lines.  Tried deleting krb5.conf and cache files - all 3 lines are in the re-created file.  So how do I remove the unwanted one?

Still no rdns entry though :(

Cheers,
Jane

3.  RE: Windows ZenPack - Kerberos settings config file

Posted 15 days ago
Restarted Zenoss.core and serviced. My includedir now DOES reflect the parameter in zWinRMKrb5includedir but still also has the default:
includedir /opt/zenoss/var/krb5/config
includedir /var/zenoss/scripts/fred

Still no rdns though :(

Still getting "Server not found in Kerberos database" events.

Cheers,
Jane