Nagios is a popular monitoring system, and its plugin architecture allows it to be easily extended. The site http://www.nagiosexchange.org has a large number of Nagios plugins. Although there are a couple of plugins for testing the Kerberos KDC, there are no plugins to monitor the Kadmin daemon, so I wrote one and here it is.
The plugin can be downloaded from Monitoring Exchange, or you can get the latest code from subversion. There are two files: check_kadmin.pl, which is the plugin, and README, which speaks for itself.
Start by copying check_kadmin.pl to your Nagios plugins directory, e.g. /usr/lib/nagios/plugins.
Next create a Nagios command definition:
define command {
    command_name    check_kadmin
    command_line    /usr/lib/nagios/plugins/check_kadmin.pl -w 10 -u $ARG1$ -k $ARG2$ -r $ARG3$
}
Now create a service definition:
define service {
    host_name               server1
    service_description     Kadmin
    check_command           check_kadmin!user/admin@REALM.COM!/etc/user.keytab!REALM.COM
    use                     generic-service
    notification_interval   0
}
Make sure that each Kerberos realm you want to monitor exists in your krb5.conf:
REALM.COM = {
    kdc = server1.realm.com
    admin_server = server1.realm.com
    default_domain = realm.com
}
Now create an admin user and a keytab to be used for the checks:
kadmin.local: addprinc -randkey user/admin
kadmin.local: ktadd -k /etc/user.keytab user/admin
Give this user minimal permissions in the kadm5.acl file:
user/admin@REALM.COM l
You should now be able to reload the Nagios config and hey presto!
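A check worth running on the last two steps, as an added example that is not part of the plugin or its README: kadmind applies the first kadm5.acl entry that matches a principal, so a wildcard line such as "*/admin@REALM.COM *" placed above the "l" line would give user/admin full admin rights, and the keytab should not be readable by other local users. The function names and the sample files below are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit what kadm5.acl really grants the monitoring principal.

# effective_perms ACL_FILE PRINCIPAL -> prints the permissions of the first
# matching entry (kadmind stops at the first match); returns 1 if none match.
# Simplifications: the optional target-principal field is ignored, and
# wildcards are matched as shell globs, which can over-match.
effective_perms() {
    while read -r pattern perms _rest || [ -n "$pattern" ]; do
        case "$pattern" in ''|'#'*) continue ;; esac    # blank line or comment
        case "$2" in $pattern) printf '%s\n' "$perms"; return 0 ;; esac
    done < "$1"
    return 1
}

# keytab_private FILE -> succeeds only if "other" has no access to the keytab.
keytab_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# audit_check ACL_FILE PRINCIPAL KEYTAB -> prints findings, returns 0 if clean.
audit_check() {
    rc=0
    perms=$(effective_perms "$1" "$2") || perms=none
    [ "$perms" = "l" ] ||
        { echo "ACL: $2 effectively has '$perms', expected 'l'"; rc=1; }
    keytab_private "$3" ||
        { echo "KEYTAB: $3 is missing or accessible to other users"; rc=1; }
    return "$rc"
}

# Demo on constructed files (not real configuration): the wildcard line comes
# first and the keytab is world-readable, so both findings are reported.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '*/admin@REALM.COM *' 'user/admin@REALM.COM l' > "$d/kadm5.acl"
    : > "$d/user.keytab"; chmod 644 "$d/user.keytab"
    audit_check "$d/kadm5.acl" user/admin@REALM.COM "$d/user.keytab"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true
```

To use it on a real system, call audit_check with the paths to your kadm5.acl and keytab and the principal from the service definition; the keytab still has to be readable by the account Nagios runs as.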