I have a Nagios host which is monitoring Windows servers using NRPE. One of the tasks is to remotely connect to a Windows Server, using NRPE, and run a Python script.

The Python script simply checks the status of some backups. The script uses a module called 'win_unc', which is used to connect to a network share.

When I run the script directly and locally on the Windows Server it runs fine. When the script is called by NRPE remotely we get the following error:

<class 'win_unc.errors.ShellCommandError'>
()
The command `NET USE "\\X.X.X.X\backups" "PasswordRemoved" /USER:"UserRemoved" /PERSISTENT:NO` exited with error code 2.

Is the issue because the Nagios box, calling the script, cannot run the 'NET USE...' command?

kafka

1 Answer

1

I'm not aware of any reason why NRPE would have net use blocked. I would instead suspect the account NRPE is running under on the Windows box (probably Local System). Try creating a service account to run NRPE (preferably a Managed Service Account).

Katherine Villyard
  • Yeah, according to the documentation the script should be running on the Windows box as local user. One issue is that every time the script is called it tries to mount the network drive, and then disconnect it. I've tried changing the logic so the drive is mapped persistently on the server, and then the script just connects to the UNC location. However this is not working either and still returning the above error?! – kafka Mar 03 '16 at 11:05
  • 1
    I think this is it - I've re-written the Python script in PowerShell and the script runs fine locally; when NRPE calls it we get file access errors. The NSClient runs as local system, so does not have permissions on the network UNC share. I have even tried mounting the drives with a letter, and then referencing this in the script, but again still have the issue of running fine locally; not running when called remotely. edit - will look at granting perms to the machine in question, we don't have a domain so not sure about MSA – kafka Mar 04 '16 at 13:07
  • Yeah, if you don't have a domain you won't be able to use an MSA. A local account that has a matching username/password on the remote server should also work. – Katherine Villyard Mar 04 '16 at 17:23
  • 1
    Newer version of NSClient++ has a function to run scripts both as other users and in other sessions. So it is possible to get the script to run in the session where the drive is mapped. That said, it is usually simpler to use the UNC path and make sure it is mapped and the user has access to it. – Michael Medin Mar 17 '16 at 08:22
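
An added example, not part of the original thread and not NSClient++ code: a Nagios-style check that reads the UNC path directly under whatever account the NRPE service runs as, so no password sits in the script or on a `NET USE` command line, and that names the executing account when access fails. The function name `check_backups`, the 26-hour threshold and the share path are assumptions made for illustration.

```python
import getpass
import os
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def check_backups(path, max_age_hours=26, now=None):
    """Return (exit_code, message) based on the newest file directly under `path`."""
    now = time.time() if now is None else now
    try:
        who = getpass.getuser()  # the account the check actually runs as
    except Exception:
        who = "unknown"
    try:
        # Open the share with the service's own identity; no drive mapping needed.
        with os.scandir(path) as entries:
            mtimes = [e.stat().st_mtime for e in entries if e.is_file()]
    except PermissionError as exc:
        return UNKNOWN, f"UNKNOWN - account '{who}' denied access to {path}: {exc.strerror or exc}"
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - account '{who}' cannot open {path}: {exc.strerror or exc}"
    if not mtimes:
        return CRITICAL, f"CRITICAL - no backup files in {path} (checked as '{who}')"
    age_h = (now - max(mtimes)) / 3600
    if age_h > max_age_hours:
        return CRITICAL, f"CRITICAL - newest backup is {age_h:.1f}h old (limit {max_age_hours}h)"
    return OK, f"OK - newest backup is {age_h:.1f}h old (checked as '{who}')"


if __name__ == "__main__":
    # Constructed placeholder share; pass the real UNC path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else r"\\fileserver.example\backups"
    code, message = check_backups(target)
    print(message)
    sys.exit(code)
```

Run once from an interactive session and once through NRPE: if the account named in the output differs between the two runs, the share permissions need to be granted to the service's account rather than to the logged-in user.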