topic Re: User accounts in Security

User accounts

marg224 — Mon, 10 Feb 2014 15:50:53 GMT

I've tried to research this issue on my own, but, to no avail and I'm I'm at my wits end.

Every so often, all my user accounts, with the exception of Admin, disappear. I'm admin and I am not deleting them. Most of the users have power user role, or, just plain user.

If anyone has any ideas I'd appreciate it greatly.

Thanks in advance.

Re: User accounts

bosburn_splunk — Mon, 10 Feb 2014 16:11:59 GMT

Can you provide a little more information? Are you using LDAP or the Splunk authentication? What Version of Splunk? What OS?

Re: User accounts

marg224 — Mon, 10 Feb 2014 17:07:57 GMT

I'm using Splunk 5.05.

Not using LDAP.

Solaris 10 OS.

I'm the only one with admin access, all other users have power.

I'm the only one with root access.

Thanks!

Re: User accounts

somesoni2 — Mon, 10 Feb 2014 18:07:11 GMT

Try running this query which provides list of deleted users, along with who deleted it. See if it helps in your investigation.

index=_internal sourcetype=splunkd_access uri_path="*authentication/users*"
method="DELETE" | rename file as user_deleted user as deleted_by, _time as time_deleted | table user_deleted, time_deleted, deleted_by

Re: User accounts

marg224 — Mon, 10 Feb 2014 20:34:02 GMT

Thanks somesoni2 - I ran the query you suggested to no avail. Any other suggestions?

Thanks to all in advance.

Re: User accounts

marg224 — Mon, 10 Feb 2014 20:35:30 GMT

Thanks somesoni2 - I ran the query you suggested to no avail. Any other suggestions?Thanks to all in advance.M.

Re: User accounts

bosburn_splunk — Mon, 10 Feb 2014 20:37:17 GMT

I'm assuming you have an enterprise license.

That being said, make sure that the $SPLUNK_HOME/etc/passwd is readable by the user running Splunk.

Re: User accounts

somesoni2 — Mon, 10 Feb 2014 20:39:55 GMT

Hope you're running with proper timeframe selected. Also, check the content of following file. splunk/etc/passwd. This file contains all the user information. Check if there is any program/script deleting this file.

Re: User accounts

marg224 — Mon, 28 Sep 2020 15:51:10 GMT

bosburn_splunk; thanks. I checked and yes, $Splunk_HOME/etc/passwd is readable by the user running Splunk (root) on our Enterprize install. Anything else you can suggest? Thanks so much.

Re: User accounts

marg224 — Thu, 04 Sep 2014 16:35:59 GMT

Found the answer myself...seems someone else was resetting the admin password, BUT not saving off the users files, so, that when the new admin password was used, there were no user accounts. Solved by copying the .ini file, and, restoring it when the admin password was reset. Did not find this solution listed anywhere or in the documents. It would have been nice to know. Anyway, such as it is, it's no longer a mystery and thanks to all who offered up answers!

Re: User accounts

walker_liu — Wed, 18 Oct 2017 08:57:01 GMT

Hi, could I know the exactly filename you copy and restore? Because I only saw user.ini but it's empty before/after I reset admin password.