Why did only local accounts remain on the SHs?

Ultra Champion

We had a big commotion this morning when only the local accounts remained on the SHs. Pushing the SH cluster configs from the deployment server seemed to fix it.

Any ideas what it might have been?

0 Karma

Splunk Employee

Are you using SAML or LDAP for authentication? There are some behaviors with account enumeration with both of these that could potentially see accounts disappear (but their folders on disk should persist).

0 Karma

SplunkTrust

I wonder if AD somehow hiccuped and told Splunk no one was authorized?

0 Karma

Ultra Champion

Right, we do have occasional AD hiccups, which usually result only in temporarily disabled access, but in this case, the user accounts seemed to disappear from the SHs... does it make any sense?

0 Karma

SplunkTrust

Basically, if AD reports that no one is authorized, then their AD-generated accounts will disappear, and their scheduled searches will show as orphaned until the accounts catch back up. Does that match the symptoms?

0 Karma