Getting Data In

Trouble authenticating ALL Active Directory users

dustinhartje
Explorer

I'd like to open my Splunk system up to all of our AD users rather than mapping particular groups as we've in the past. I've been trying to accomplish this by mapping the built in Domain Users group but I can't seem to get it to show up in the mapping screen. I do get the Domain Admins and Domain Guests which are in the same OU/Container just not Domain Users. Here is my current authentication.conf (some names changed to protect the innocent)

[authentication]
authSettings = Active Directory
authType = LDAP

[roleMap_Active Directory]
admin = Splunk Admins
managers = Splunk Managers
power = SysAdmins;Splunk Power Users
user = SysAdmins;Splunk Power Users;Splunk Users

[Active Directory]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = account@our.domain.net
bindDNpassword = $1$AoUBf6Io02h4
charset = utf8
groupBaseDN = OU=CustomGroupOU1,DC=our,DC=domain,DC=net;OU=Groups,OU=CustomGroupOU2,DC=our,DC=domain,DC=net;CN=Users,DC=our,DC=domain,DC=net
groupBaseFilter = (|(cn=IT*)(cn=Splunk*)(cn=Domain*))
#groupMappingAttribute = dn
groupMappingAttribute = distinguishedname
groupMemberAttribute = member
#groupNameAttribute = cn
groupNameAttribute = name
host = our.domain.net
nestedGroups = 0
network_timeout = 29
port = 389
realNameAttribute = cn
sizelimit = 100000
timelimit = 28
userBaseDN = OU=CustomUserOU,DC=our,DC=domain,DC=net;CN=Users,DC=our,DC=domain,DC=net
userNameAttribute = samaccountname

I really don't have any AD management experience so I suspect I'm misunderstanding something here, any help would be greatly appreciated!

Tags (1)
0 Karma

dtsariapkin
Splunk Employee
Splunk Employee

I know this is a post from 2013. But I thought that might help someone. I was doing a lab with MS AD myself. I noticed the very same behaviour for 'Domain Users' group. 

The problem comes from the implementation of the Microsoft AD. Due to the fact that Domain Users is something called 'Primary Group' 

The Domain Users group uses a "computed" mechanism based on the "primary group ID" of the user to determine membership and does not typically store members as multi-valued linked attributes. If the primary group of the user is changed, their membership in the Domain Users group is written to the linked attribute for the group and is no longer calculated. This was true for Windows 2000 and has not changed for Windows Server 2003.

Full discussion can be found here: 
More info in detail can be read here: https://stackoverflow.com/questions/525021/domain-users-group-is-empty-when-i-use-directoryservices-...

0 Karma

pwmcity
Path Finder

Did you by chance figure this out? I'm trying to add 'Domain Users' but can't seem to get Splunk to find it.
I'm told it lives in "CN=Users,DC=our,DC=domain,DC=net" ... but still no go!

0 Karma

ShaneNewman
Motivator

If you are trying to map roles via AD, which is what I see, you will need to create a new OU that contains all Splunk users not in the other 2 OU's. Splunk is not very great at AD...

0 Karma

ShaneNewman
Motivator

That "user role" will override your admin role.

0 Karma

dustinhartje
Explorer

What I'm really aiming for is to have all AD users automatically get "user role" access without needing to add them to a specific group.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!