That's me again.
Now it's a runtime problem. =)
All the graphs are OK when you log on to cacti from localhost. But If you log in remotely no graphs are populated, just "broken links".
Is it an IIS problem?
no graphs when log in remotely
Moderators: Developers, Moderators
no graphs when log in remotely
- Attachments
-
- broken.links.PNG (12.9 KiB) Viewed 3009 times
Please read the steps in http://forums.cacti.net/viewtopic.php?t=11747 , specifically what the graph debug says.
| Scripts: Monitor processes | RFC1213 MIB | DOCSIS Stats | Dell PowerEdge | Speedfan | APC UPS | DOCSIS CMTS | 3ware | Motorola Canopy |
| Guides: Windows Install | [HOWTO] Debug Windows NTFS permission problems |
| Tools: Windows All-in-one Installer |
OK, I've found the source of the problem. Here it goes.
RRDTool debug says:
"Warning: fgets(): supplied argument is not a valid stream resource in C:\Inetpub\wwwroot\cacti\lib\rrd.php on line 117"
In this line "fgets" tries to open "rrdtool.exe". I've checked permissions for rrdtool folder. Everything was fine and according to the guide.
Then i tried "filemon" and found that whenever rrdtool tries to graph the image w3wp.exe tries to open cmd.exe. And access is denied. But the thing is that w3wp.exe tries to open it using the domain credentials of the user who tries to view the graphs remotely. Not Internet Guest Account and not LOCAL SYSTEM account!!! Of course this user has no rights to cmd.exe. If I add permissions manually then everything goes fine and i see the graphs.
What this behavior comes from and how to work around it? Any ideas?
RRDTool debug says:
"Warning: fgets(): supplied argument is not a valid stream resource in C:\Inetpub\wwwroot\cacti\lib\rrd.php on line 117"
In this line "fgets" tries to open "rrdtool.exe". I've checked permissions for rrdtool folder. Everything was fine and according to the guide.
Then i tried "filemon" and found that whenever rrdtool tries to graph the image w3wp.exe tries to open cmd.exe. And access is denied. But the thing is that w3wp.exe tries to open it using the domain credentials of the user who tries to view the graphs remotely. Not Internet Guest Account and not LOCAL SYSTEM account!!! Of course this user has no rights to cmd.exe. If I add permissions manually then everything goes fine and i see the graphs.
What this behavior comes from and how to work around it? Any ideas?
- Attachments
-
- w3wp.PNG (5.39 KiB) Viewed 2994 times
Last edited by airwalk on Wed Sep 06, 2006 5:37 am, edited 2 times in total.
-
grumpf-dream
- Posts: 14
- Joined: Wed Sep 06, 2006 12:59 am
"cmd.exe" is strictly local file as it should be used only by local processes(like "w3wp.exe" in my case). so by default only local users may have access to it.grumpf-dream wrote:maybe you got a domain policy (gpo) blocking acces to cmd.exe for basics users?
Even if i had such gpo then it should have overrided my local policy. But it isn't.
You enabled interactive user authentication in IIS?
Have you given the IUSR account read/execute rights on cmd.exe/rrdtool.exe ?
Have you given the IUSR account read/execute rights on cmd.exe/rrdtool.exe ?
| Scripts: Monitor processes | RFC1213 MIB | DOCSIS Stats | Dell PowerEdge | Speedfan | APC UPS | DOCSIS CMTS | 3ware | Motorola Canopy |
| Guides: Windows Install | [HOWTO] Debug Windows NTFS permission problems |
| Tools: Windows All-in-one Installer |
Yes, I've enabled Integrated Windows authentication in IIS. So the solution to work around the problem was that I'd enabled anonymous access using IUSR account. But is it really a good solution?BSOD2600 wrote:You enabled interactive user authentication in IIS?
Have you given the IUSR account read/execute rights on cmd.exe/rrdtool.exe ?
Is there any way to stick to windows auth additionally? As far as I understand the same problem will arise if I would use LDAP authentication in cacti.
Thats the standard practice, as far as I've read/heard online. If you want to try and set up IIS so each authenticated domain user runs cmd.exe/rrdtool.exe, among with all the other needed files, good luck. If you don't like the IIS security, then you could also go the Apache route.airwalk wrote:So the solution to work around the problem was that I'd enabled anonymous access using IUSR account. But is it really a good solution?
| Scripts: Monitor processes | RFC1213 MIB | DOCSIS Stats | Dell PowerEdge | Speedfan | APC UPS | DOCSIS CMTS | 3ware | Motorola Canopy |
| Guides: Windows Install | [HOWTO] Debug Windows NTFS permission problems |
| Tools: Windows All-in-one Installer |
I wish I could...BSOD2600 wrote: Thats the standard practice, as far as I've read/heard online. If you want to try and set up IIS so each authenticated domain user runs cmd.exe/rrdtool.exe, among with all the other needed files, good luck. If you don't like the IIS security, then you could also go the Apache route.
Who is online
Users browsing this forum: No registered users and 4 guests