Deployment Architecture

How to fix "Encountered the following error while trying to update: In handler 'users': Could not get info for role that does not exist: dbx_user"?

glancaster
Path Finder

Just posting this for others who may come across this issue,

I got the following banner message every time I tried to modify an account locally to for testing purposes:

Encountered the following error while trying to update: In handler 'users': Could not get info for role that does not exist: dbx_user

I removed the DBX app prior to this error. I removed all references of the dbx_user role from authorization.conf and authentication.conf, but the issue still persisted. I also found the app in SPLUNK_HOME/etc/disabled-apps and $SPLUNK_HOME/etc/saved apps and removed them both as I no longer needed this app .

Running grep -R dbx_user $SPLUNK_HOME/etc/

I found a reference to the dbx_user role in the $SPLUNK_HOME/etc/passwd file and removed it.

I can now manage local accounts again without the error hanging me up 🙂

Running Splunk 6.2.2 with SHC

1 Solution

glancaster
Path Finder

Once assigning a role to a local user, Splunk seems to assign that role to the user in the passwd file as well. If you remove that role you will most likely receive the same error stated in the title of this post.

Edit the passwd file in $SPLUNK_HOME/etc/ and remove all occurrences of the role mentioned in the error within the file and restart Splunk.

Hope this helps!

View solution in original post

cblanton
Communicator

I encountered this error after connecting LDAP. Splunk added the role "exchange-admin" to the admin profile, but this role did not exist. I created a role with the same name and the issue was resolved.

0 Karma

okunc
New Member

I've been also facing similar issue [AuthenticationManagerSplunk - Could not get roles for user that does not exist] while everything was setup fine. The only missing thing was to register the Splunk license and then it's working - in such scenario the error message is a bit misleading.

So just FYI the LDAP auth with Splunk Enterprise Trial [can't verify any other flavors now] is not working until you license the indexer properly.

0 Karma

mcxrisley08
Path Finder

I recently had this issue as well and removing the role from the passwd file in the Splunk home directory fixed the issue. In my case it was looking for the "windows-admin" role, which was not listed in the available roles. This problem prevented me from creating accounts, editing accounts and creating roles. I noticed that one of my other indexes that was recently rebuilt has that role as well but it has no issues, so I'm assuming that this a default role when Splunk is setup and it somehow got removed from the roles on my other index.

0 Karma

aoleske
Path Finder

I know this is really late, but if someone new has this issue, hopefully this can help. (We just had it as well.) The issue for us was LDAP. Splunk and LDAP were not talking correctly, so it literally "Could not get info for role that does not exist." In our case, we had set up a SplunkAdmin account within LDAP, and added the various users to it. Splunk actually showed the accounts under Settings --> Access controls --> authentication method --> LDAP Settings --> , Map groups but when we tried to login or add a new user, we could not. We discovered that the part of the LDAP search tree we had defined in Splunk when configuring splunk authentication did not actually contain the user accounts in LDAP. Our solution was to back up one level in the Splunk LDAP tree definition. This searched ALL the LDAP directories and found the various accounts.

0 Karma

saikatr
Path Finder

If you have another user (admin) who does not have the same role assigned (dbx_user in your case), you can ask that user to go to the Access controls console and delete the particular role from your account. The role may not be visible to you but its visible to other users if they look at your account. This will help you save the trouble of modifying the passwd file.

0 Karma

glancaster
Path Finder

Once assigning a role to a local user, Splunk seems to assign that role to the user in the passwd file as well. If you remove that role you will most likely receive the same error stated in the title of this post.

Edit the passwd file in $SPLUNK_HOME/etc/ and remove all occurrences of the role mentioned in the error within the file and restart Splunk.

Hope this helps!

Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...