topic Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap in Splunk Dev

No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap use

jemina — Sun, 17 Apr 2022 09:43:28 GMT

Assistance/advice greatly appreciated;

I am able to login to splunk web with a Splunk Native user, but via a perl script I get an unauhorized response

Excerpt from perl script :

$post = $ua->post(
"https://prod-forwardermanagement-splunk-vip.xxxx.uk:8089/servicesNS/$app/auth/login",
Content => "username=$username&password=$password"
);

This is the response:

<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

mcmaster — Mon, 18 Apr 2022 15:47:56 GMT

Hi @jemina,

To use the endpoints with /servicesNS/ you need to specify an app AND a user. For login, you can just use /services/auth/login but you could also try /servicesNS/$username/$app/auth/login or even /servicesNS/-/$app/auth/login.

Try those out and see if they work.

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

jemina — Mon, 18 Apr 2022 16:11:21 GMT

Thanks for response,

I am actually testing using the following:

curl -k -u splunkuser:password https://prod-forwardermanagement-splunk.xxxxx.co.uk:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search sourcetype=dp_prod"

It always returns unauthorized for the Splunk Native User (with admin role). No sessionkey is returned. If I try my Active Directory user, the results SID is returned.

Is there anything specific I need to do a Splunk Native user?

Thanks

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

mcmaster — Mon, 18 Apr 2022 17:35:07 GMT

I'm able to use that same command with a Splunk local user on my test instance, so I don't know if that's the issue. I assume you're able to login as the local user and run the search interactively, right?

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

jemina — Mon, 18 Apr 2022 17:51:17 GMT

Hi,

Yes, I am able to login to my splunk instance using the same credentials. I just wondered if there might be an overarching config parameter which might preclude Splunk Native users from the admin role.

Thanks

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

mcmaster — Mon, 18 Apr 2022 18:04:24 GMT

There's no restriction there but that was my next question - are you able to verify the permissions on the local user to ensure they have all the same permissions as the AD user? Also since you're passing the password in the curl command, make sure there aren't any special characters in the password that the shell might be interpreting.

As a test, any user should be able to query this REST endpoint, so that would help you eliminate password issues:

curl -k -u user:temp1234 https://localhost:8089/services/authentication/current-context

If that command fails, there's an issue with the credentials you're providing.

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

jemina — Mon, 18 Apr 2022 19:09:26 GMT

Hi again,

I also get an unauthorized error message returned for https://......./services/authentication/current-context.

The credentials do not contain any special characters.

I am definitely using correct user/password combination, so a little confused as the user works fine via the browser.

Please are you able to point me a splunk log file might help me understand this issue.

Thanks

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

mcmaster — Mon, 18 Apr 2022 19:22:08 GMT

You can look for AuthenticationManagerSplunk in $SPLUNK_HOME/var/log/splunk/splunkd.log or you can search "index=_internal sourcetype=splunkd component=AuthenticationManagerSplunk".

This is what those logs look like for me with an incorrect password:

04-18-2022 15:19:57.814 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login failed. Incorrect login for user: user
04-18-2022 15:19:57.816 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login: user user attempted login with incorrect password. Login attempt=1

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

jemina — Mon, 18 Apr 2022 19:54:27 GMT

Thanks for that,

I can see the following errors when I the restapi call: (strange , this user is a splunk native user.)

1 - ERROR UserManagerPro - LDAP Login failed, could not find a valid user="monitoruser" on any configured servers

2 - INFO AuthenticationManagerLDAP - Could not find user="monitoruser" with strategy="SplunkAdmin"

Re: No authorizatiion for Splunk native user with admin role from perl script restapi search, same script works for ldap

mcmaster — Mon, 18 Apr 2022 20:02:23 GMT

That's normal, as Splunk will try any configured LDAP servers first before trying local users. Are there any other logs for that user?