[ZBX-13770] zabbix server/proxy MUST be restarted after changing SNMPv3 host credential parameters - document that
Created: 2018 Apr 19 | Updated: 2024 Apr 10 | Resolved: 2018 May 24 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Documentation (D) |
Affects Version/s: | None |
Fix Version/s: | 4.0 (plan) |
Type: | Problem report | Priority: | Major |
Reporter: | Oleksii Zagorskyi | Assignee: | Sergejs Paskevics |
Resolution: | Fixed | Votes: | 0 |
Labels: | cache, credentials, restart, snmpv3 | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
Team: | Team C | ||||||||||||||||
Sprint: | Sprint 32, Sprint 33, Sprint 34 |
Description |
This is connected to a
Assume that I needed to change credentials (and/or AuthPriv params) for SNMPv3 devices in my network. I did it on the devices' side and in the zabbix frontend too.
So, what I observed when I performed those tests: similarly to EngineBoot<->EngineID per-process (*poller) memory, the same is actual for credentials!
Yes, each poller process *AFTER the very first polling of a device (maybe the key field here is "Security name" with/without combination with EngineID - not tested. Later, below, devs confirmed - EngineID is involved too) - the process remembers "auth" data in the library's cache and reuses it further.
The picture visually gets very similar to a case when you have duplicated EngineIDs in the network.
Important detail:
without changing "Security name" - requires server/proxy daemons restart !!!
I'd add a note to documentation about required server/proxy daemons restart. |
Comments |
Comment by Raymond Kuiper [ 2018 Apr 20 ] |
Good find! |
Comment by Sergejs Paskevics [ 2018 May 14 ] |
zabbix server generates a user with the net-snmp library, which makes use of the User-based Security Model (USM) in SNMPv3. Authentication protocol, Authentication passphrase, Privacy protocol and Privacy passphrase are part of USM user data and they are cached in the library for every EngineId the users. If there is an existing user for an EngineId and zabbix tries to open a new session with this user, net-snmp uses the cached one. It is necessary to clear the cached list of active users, but the net-snmp API does not provide a suitable function. |
Comment by Sergejs Paskevics [ 2018 May 14 ] |
(1) [D] Please document that changes to the "Authentication protocol", "Authentication passphrase", "Privacy protocol" and "Privacy passphrase" parameters (agent snmpv3) need a server/proxy restart to take effect.
martins-v: Documented for 4.0 and other supported versions. Please review.
s.paskevics: I think OK. Thank you.
CLOSED |
Comment by Oleksii Zagorskyi [ 2019 Nov 26 ] |
A few days ago I dived deep into net-snmp's code, regarding SNMPv3 AES256 support (remember - I'm not a developer), and after looking at that stuff, it looked to me too that the mentioned function "free_etimelist()" is not related to generated "ku" (credential) caches. |
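The caching behaviour described in the 2018 May 14 comment can be modelled as below; this is an added example, not code from Zabbix or net-snmp. The key derivation follows RFC 3414 A.2 with SHA-1. `PollerProcess`, the cache keyed on (engine ID, security name) as the thread suggests, and the sample engine ID and passphrases are assumptions constructed for illustration.

```python
import hashlib

def password_to_key(passphrase: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: stretch passphrase to 1 MiB, hash it (Ku), then localize (Kul)."""
    h = hashlib.new(algo)
    reps, rest = divmod(1048576, len(passphrase))
    h.update(passphrase * reps + passphrase[:rest])
    ku = h.digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

class PollerProcess:
    """Hypothetical model of one poller: USM users cached per (engine ID, security name)."""
    def __init__(self):
        self.usm_users = {}  # lives exactly as long as the process does

    def open_session(self, engine_id: bytes, sec_name: str, auth_pass: bytes) -> bytes:
        key = (engine_id, sec_name)
        if key not in self.usm_users:   # first poll: derive the key and cache it
            self.usm_users[key] = password_to_key(auth_pass, engine_id)
        return self.usm_users[key]      # later polls: the cached key wins

def device_accepts(engine_id: bytes, device_pass: bytes, key_used: bytes) -> bool:
    """The device checks against the key derived from its current passphrase."""
    return key_used == password_to_key(device_pass, engine_id)

def demo() -> dict:
    engine = bytes.fromhex("000000000000000000000002")  # constructed engine ID
    old, new = b"maplesyrup", b"rotated-passphrase"      # constructed passphrases
    poller = PollerProcess()
    results = {}
    results["before_change"] = device_accepts(
        engine, old, poller.open_session(engine, "monitor", old))
    # Passphrase rotated on device and in the frontend, same security name, no restart.
    results["after_change_no_restart"] = device_accepts(
        engine, new, poller.open_session(engine, "monitor", new))
    # A different security name misses the cache, so the new passphrase is used.
    results["after_change_new_name"] = device_accepts(
        engine, new, poller.open_session(engine, "monitor2", new))
    # Restart: a fresh process starts with an empty cache.
    results["after_restart"] = device_accepts(
        engine, new, PollerProcess().open_session(engine, "monitor", new))
    return results

if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {'auth ok' if ok else 'auth FAILS'}")
```

Only the `after_change_no_restart` step fails authentication, which matches the symptom reported in the description.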