From 6c40feaf9d9c317e979145c3ac1a3ad5f2b07e86 Mon Sep 17 00:00:00 2001
From: Stephane Lapie <stephane.lapie@asahinet.com>
Date: Fri, 5 Feb 2016 15:55:15 +0900
Subject: [PATCH] Added Kerberos support (depending on Authen::Krb5)

---
 plugins-scripts/Nagios/DBD/MSSQL/Server.pm | 11 ++++++++++-
 plugins-scripts/check_mssql_health.pl      | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/plugins-scripts/Nagios/DBD/MSSQL/Server.pm b/plugins-scripts/Nagios/DBD/MSSQL/Server.pm
index 2ce480b..5b23e9d 100644
--- a/plugins-scripts/Nagios/DBD/MSSQL/Server.pm
+++ b/plugins-scripts/Nagios/DBD/MSSQL/Server.pm
@@ -40,6 +40,7 @@ sub new {
     hostname => $params{hostname},
     username => $params{username},
     password => $params{password},
+    kerberos => $params{kerberos},
     port => $params{port} || 1433,
     server => $params{server},
     timeout => $params{timeout},
@@ -1416,6 +1417,7 @@ sub init {
   my $self = shift;
   my %params = @_;
   my $retval = undef;
+  my $driver = "Sybase:";
   if ($self->{mode} =~ /^server::tnsping/) {
     # erstmal reserviert fuer irgendeinen tcp-connect
     if (! $self->{connect}) {
@@ -1432,13 +1434,20 @@ sub init {
       return undef;
     }
     $self->{dbi_options} = { RaiseError => 1, AutoCommit => $self->{commit}, PrintError => 1 };
-    $self->{dsn} = "DBI:Sybase:";
+    if ($params{kerberos}) {
+      # Kerberos only supported by the SQL native client
+      $driver = "ODBC:driver=SQL Server Native Client 11.0";
+    }
+    $self->{dsn} = "DBI:$driver";
     if ($self->{hostname}) {
       $self->{dsn} .= sprintf ";host=%s", $self->{hostname};
       $self->{dsn} .= sprintf ";port=%s", $self->{port};
     } else {
       $self->{dsn} .= sprintf ";server=%s", $self->{server};
     }
+    if ($params{kerberos}) {
+      $self->{dsn} .= ";Trusted_Connection=yes";
+    }
     if ($params{currentdb}) {
       if (index($params{currentdb},"-") != -1) {
         $self->{dsn} .= sprintf ";database=\"%s\"", $params{currentdb};
diff --git a/plugins-scripts/check_mssql_health.pl b/plugins-scripts/check_mssql_health.pl
index ac3562c..303f3e9 100644
--- a/plugins-scripts/check_mssql_health.pl
+++ b/plugins-scripts/check_mssql_health.pl
@@ -180,6 +180,9 @@ ()
        the mssql user
     --password
        the mssql user's password
+    --kerberos
+       where applicable, the Kerberos realm for authentication
+       (this will switch to the ODBC driver!)
     --warning
        the warning range
     --critical
@@ -294,6 +297,7 @@ ($$)
     "hostname=s",
     "username=s",
     "password=s",
+    "kerberos=s",
     "port=i",
     "server=s",
     "currentdb=s",
@@ -554,6 +558,21 @@ ($$)
   exit 3;
 }
 
+# Kerberos environment initialization
+if ($commandline{kerberos}) {
+  use Authen::Krb5;
+  my $krb_context=Authen::Krb5::init_context();
+  my $krb_userp=Authen::Krb5::parse_name($commandline{username});
+  my $krb_credcache=Authen::Krb5::cc_default();
+  my $krb_servicep=Authen::Krb5::build_principal_ext(Authen::Krb5::parse_name("krbtgt"));
+
+  my $kerberos_result = Authen::Krb5::get_in_tkt_with_password($krb_userp, $krb_servicep, $commandline{password}, $krb_credcache);
+  if (! $kerberos_result) {
+    printf "UNKNOWN - Kerberos authentication failed for user ".$commandline{username}.": ".Authen::Krb5::error()."\n";
+    exit 3;
+  }
+}
+
 my %params = (
     timeout => $TIMEOUT,
     mode => (
@@ -576,6 +595,7 @@ ($$)
     password => $commandline{password} || 
         $ENV{NAGIOS__SERVICEMSSQL_PASS} ||
         $ENV{NAGIOS__HOSTMSSQL_PASS},
+    kerberos => $commandline{kerberos},
     port => $commandline{port} || 
         $ENV{NAGIOS__SERVICEMSSQL_PORT} ||
         $ENV{NAGIOS__HOSTMSSQL_PORT},