Kerberos support for active checks (SMBCLIENT and HTTP)
In modern and secure environments, NTLM is no longer supported in some cases; therefore, support for Kerberos authentication is an important component.
The SMBCLIENT check would technically support Kerberos; however, there is currently no support for this in CheckMK. For the CheckMK appliance, we would need support to, for example, implement a keytab file and enable Kerberos authentication for checks such as SMBCLIENT and HTTP.
Comments: 3
02 Dec, '25
Pietro R
Good morning,
I am here because Bash curl has a --negotiate switch whose behavior can't be replicated in the new http_check.
I would love such a switch to be present; for now... I'll resort to writing a local check!
26 May, '25
Mario
I tried several things, and the smbclient check works out of the box with Kerberos authentication. I only had to adjust the /etc/krb5.conf accordingly and use the UPN for authentication.
For all those using an appliance, it would be great if the Kerberos configuration could be set up via the web interface.
[libdefaults]
    default_realm = DOMAINNAME.TLD
    # locate the realm and its KDCs through DNS records
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    # maximum tolerated clock difference, in seconds
    clockskew = 300

[realms]
    DOMAINNAME.TLD = {
        kdc = kdc1.domainname.tld
        kdc = kdc2.domainname.tld
        admin_server = kdc1.domainname.tld
        default_domain = DOMAINNAME.TLD
    }

# map DNS host names and domains to the Kerberos realm
[domain_realm]
    domainname.tld = DOMAINNAME.TLD
    .domainname.tld = DOMAINNAME.TLD
26 May, '25
Mario
The curl command also supports Kerberos authentication; however, the implemented check_httpv2 command only supports Basic and Token authentication.
Would it be possible to add support for Kerberos authentication here as well?
With curl, Kerberos authentication can be used as follows:
curl --negotiate -u sAMAccountName@domainname.tld:password https://servername.tld --verbose # uses a user account
curl --negotiate -u : https://domainname.tld --verbose # uses the computer account
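A local check along the lines the comments describe, as an added example that is not part of the thread or of Checkmk itself: it obtains a ticket from a keytab with kinit, calls curl --negotiate -u :, and prints one line in the Checkmk local-check format. The keytab path, the principal, the service name and the KRB_* environment variables are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: Checkmk local check wrapping "curl --negotiate" with a keytab.
# Hypothetical defaults (assumptions); override through the environment.
KEYTAB="${KRB_KEYTAB:-/etc/check_mk/monitoring.keytab}"
PRINCIPAL="${KRB_PRINCIPAL:-svc-monitoring@DOMAINNAME.TLD}"
SERVICE="${KRB_SERVICE:-HTTP_Kerberos}"

# Map curl's exit code and the HTTP status to one local-check line:
#   <state> "<service>" <metrics> <detail>   (0=OK 1=WARN 2=CRIT 3=UNKNOWN)
format_result() {
    curl_rc=$1; http_code=$2
    if [ "$curl_rc" -ne 0 ]; then
        echo "2 \"$SERVICE\" - curl failed with exit code $curl_rc"
        return
    fi
    case "$http_code" in
        2??) echo "0 \"$SERVICE\" - HTTP $http_code, Negotiate authentication succeeded" ;;
        401) echo "2 \"$SERVICE\" - HTTP 401, ticket not accepted (check SPN, clock skew, keytab)" ;;
        3??|4??) echo "1 \"$SERVICE\" - HTTP $http_code" ;;
        *)   echo "2 \"$SERVICE\" - HTTP $http_code" ;;
    esac
}

run_check() {
    url=$1
    # Private ticket cache so the check never touches another user's tickets.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_check.XXXXXX)"; export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null; rm -f "${KRB5CCNAME#FILE:}"' EXIT
    # The keytab replaces the password on the command line; keep it mode 0600.
    if ! kinit -k -t "$KEYTAB" "$PRINCIPAL" 2>/dev/null; then
        echo "3 \"$SERVICE\" - kinit with keytab $KEYTAB failed"
        return
    fi
    # "-u :" makes curl take the credentials from the ticket cache.
    http_code=$(curl --negotiate -u : -s -o /dev/null --max-time 10 \
                     -w '%{http_code}' "$url")
    format_result $? "$http_code"
}

# Contact the KDC and the web server only when a URL is configured.
if [ -n "${KRB_CHECK_URL:-}" ]; then run_check "$KRB_CHECK_URL"; fi
```

Because the ticket comes from the keytab, no password appears in the process list or in the check's configuration.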