Hi All,
This is the first time I have encountered this. I have an HF to which I have admin access to Splunk from the server's backend. However, I can't seem to log in to its web portal using my LDAP credentials (authentication is via LDAP). And the former admins of this instance had already left without leaving any documentation or handing over any account we can use.
Do you know how I can get around this from the backend side in order for me to successfully log in to the web portal eventually?
I have viewed the passwd file but it is hashed, so I'm not sure where to look and what to do with the limited access I have. I also tried creating an account using a command from the bin folder (splunk add user), however it asks me to authenticate first before completing it.
Any help is deeply appreciated!
Hi
If you have access to this HF node then you can set a local admin password for Splunk.
Just rename .../splunk/etc/passwd. Then create a new file .../splunk/etc/system/local/user-seed.conf with the following content:
[user_info]
USERNAME = admin
PASSWORD = YourPassWdHere
Then just restart your Splunk instance.
Then use the following URL to log in: "<your HF base url>/en-US/account/login?loginType=splunk"
This uses Splunk's internal login method instead of LDAP / SAML etc.
Then just enter your previously added admin user + password and you are in.
r. Ismo
Your explanation is a little confusing, as people already pointed out. What does "server's backend" mean in this context? You probably mean that you can access the machine on which the HF is running and log in to either a shell session or a local/remote desktop session, depending on what OS type we're talking about. These are completely separate credentials from Splunk's own authentication. That's the first thing.
Secondly, you're saying that you use LDAP-based authentication. That might be true, but usually external authentication methods are only used on the SH tier. Normal users don't typically access other environment components, so access other than the built-in admin account is usually not needed.
Thank you! This solved my problem!
It seems like you need to request your AD team to provide you access to the AD group which governs the authentication to your HF. Then you will be able to log in. No need to change anything from the backend.
Yes, this is the long-term solution, I reckon. But it appears the AD team didn't seem to know what was going on when I first escalated this to them. I'm fairly new to the team, so I might need to investigate further.
But as of now, I have been able to log in with the help of isoutamo's answer (see accepted solution). It turns out all the user accounts had been wiped out by the previous admins when I checked the list of active users.
All good now. Thanks !!!
As I wrote before, there's a good chance that your HFs don't use AD for authentication and authorization. In typical scenarios it's not needed.
You might check
/opt/splunk/bin/splunk btool authentication list authentication
to see what authentication mechanism your HF is using.
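The two checks above, the btool lookup of the configured authType and the user-seed.conf recovery from the accepted answer, as a small added script that is not part of this thread or of Splunk's own tooling. It assumes SPLUNK_HOME points at the HF's install (for example /opt/splunk), that you already have write access to that directory, and that the password is passed in the SEED_PASSWORD environment variable so it never lands on the command line or in shell history. Instead of deleting etc/passwd it moves it to a timestamped backup, and it writes the seed file with mode 600.

```shell
#!/bin/sh
# Added example (not from the thread). SPLUNK_HOME layout follows the paths
# given in the accepted answer; run as the user that owns the Splunk install.

# Print "<file>: <authType>" for every authentication.conf under SPLUNK_HOME
# that sets authType, or "default: Splunk" when none does. This reads the raw
# .conf files, so it only approximates the merged view that
# `splunk btool authentication list authentication` gives you.
auth_types() {
    splunk_home=$1
    found=0
    for f in "$splunk_home"/etc/system/local/authentication.conf \
             "$splunk_home"/etc/apps/*/local/authentication.conf; do
        [ -f "$f" ] || continue
        t=$(sed -n 's/^[[:space:]]*authType[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$t" ] || continue
        printf '%s: %s\n' "$f" "$t"
        found=1
    done
    [ "$found" -eq 1 ] || echo "default: Splunk"
}

# Move etc/passwd aside (timestamped backup, not deleted) and write
# etc/system/local/user-seed.conf so the next Splunk start creates a local
# admin with the password from $SEED_PASSWORD. Prints the seed file path.
seed_local_admin() {
    splunk_home=$1
    user=${2:-admin}
    [ -n "$SEED_PASSWORD" ] || { echo "SEED_PASSWORD is not set" >&2; return 1; }
    passwd="$splunk_home/etc/passwd"
    seed="$splunk_home/etc/system/local/user-seed.conf"
    if [ -f "$passwd" ]; then
        mv "$passwd" "$passwd.bak.$(date +%Y%m%d%H%M%S)"
    fi
    mkdir -p "$(dirname "$seed")"
    # Subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077
      printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$SEED_PASSWORD" > "$seed" )
    chmod 600 "$seed"
    echo "$seed"
}

# Typical use on the HF (assumed paths):
#   auth_types /opt/splunk
#   SEED_PASSWORD='...' seed_local_admin /opt/splunk admin
#   /opt/splunk/bin/splunk restart
```

After the restart, log in via the loginType=splunk URL from the accepted answer, then remove user-seed.conf if it is still present and delete the passwd backup once you have confirmed the new account works, since both hold credential material. If the authType check reports LDAP, the local admin is a bypass of that configuration and should be treated as a break-glass account, not as the long-term fix the AD group membership provides.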
Hi @lucilleddajab ,
let me understand: do you have problems accessing Splunk or the OS?
If Splunk, you can reset the admin password, but you said that you already have this password.
If you don't have the OS password, you have to ask your network or systems administrators to reset this password.
Ciao.
Giuseppe