
How Can I Create an Admin Account on our OnPrem HF When I Only Have Admin Access from the Server's Backend?

lucilleddajab
Explorer

Hi All,

This is the first time I encountered this. I have an HF which I have admin access to Splunk, from the server's backend. However, I can't seem to login to the its web portal using my LDAP credentials (authentication is via LDAP). And the former admins of this instance had already left without leaving any documentation or handed over any account we can use.

Do you know how I can get around from the backend side in order for me to successfully login to the web portal eventually?

I have viewed the passwd file but it is hashed so I'm not sure where to look and what to do with the limited access I have. I also tried creating an account using a command from the the bin folder (splunk add user), however it asks me to authenticate first before completing it.

Any help is deeply appreciated!

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

If you have access to this HF node, then you can set a local admin password for Splunk.

Just rename .../splunk/etc/passwd. Then create a new file .../splunk/etc/system/local/user-seed.conf with the following content:

[user_info]
USERNAME = admin
PASSWORD = YourPassWdHere

Then just restart your Splunk instance.

Then use the following URL to log in: "<your HF base url>/en-US/account/login?loginType=splunk"

This uses Splunk's internal login method instead of LDAP / SAML etc.

Then just enter your previously added admin username + password and you are in.

r. Ismo

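The accepted answer's steps as a POSIX shell script, added here and not part of the thread or of Splunk's own tooling: it assumes SPLUNK_HOME (default /opt/splunk), keeps a dated backup of the old passwd file instead of a bare rename, and writes the seed file owner-readable only, since it holds the new password in clear.

```shell
#!/bin/sh
# Added example, not code from the thread: the accepted answer's recovery
# steps as a script, with a dated backup of the old passwd file (rather than
# a bare rename) and a seed file readable only by the Splunk user, since it
# holds the new password in clear. Assumes SPLUNK_HOME, default /opt/splunk.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Render the [user_info] stanza that user-seed.conf expects.
seed_stanza() {
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$1" "$2"
}

# Move etc/passwd aside and write etc/system/local/user-seed.conf.
# Prints the backup path (empty if there was no passwd file to move).
seed_local_admin() {
    user="$1"; pass="$2"
    etc="$SPLUNK_HOME/etc"
    local_dir="$etc/system/local"
    backup=""
    if [ -f "$etc/passwd" ]; then
        # Keep the old file: it is the record of which accounts existed.
        backup="$etc/passwd.bak.$(date +%Y%m%d%H%M%S)"
        mv "$etc/passwd" "$backup"
    fi
    mkdir -p "$local_dir"
    # umask in a subshell so only the seed file is created with mode 0600.
    (umask 077; seed_stanza "$user" "$pass" > "$local_dir/user-seed.conf")
    printf '%s\n' "$backup"
}

# Manual run: ./seed_admin.sh --apply admin 'NewPassword'
if [ "${1:-}" = "--apply" ]; then
    bak=$(seed_local_admin "$2" "$3")
    echo "old passwd saved as: ${bak:-<none>}"
    "$SPLUNK_HOME/bin/splunk" restart
    echo "now log in via <your HF base url>/en-US/account/login?loginType=splunk"
fi
```

The restart and the loginType=splunk login remain the manual steps from the answer; the seed file is only honored on a start when etc/passwd is absent, which is why the answer renames it first.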

PickleRick
SplunkTrust
SplunkTrust

Your explanation is a little confusing, as people have already pointed out. What does "server's backend" mean in this context? You probably mean that you can access the machine on which the HF is running and log in to either a shell session or a local/remote desktop session, depending on what OS type we're talking about. These are completely separate credentials from Splunk's own authentication. That's the first thing.

Secondly, you're saying that you use LDAP-based authentication. That might be true, but usually external authentication methods are only used on the SH tier. Normal users don't typically access other environment components, so access other than the built-in admin account is usually not needed.

0 Karma

lucilleddajab
Explorer

Thank you! This solved my problem!

0 Karma

shivanshu1593
Builder

It seems like you need to request your AD team to provide you access to the AD group which governs the authentication to your HF. Then you will be able to login. No need to change anything from the backend.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

lucilleddajab
Explorer

Yes, this is the long-term solution, I reckon. But the AD team didn't seem to know what was going on when I first escalated this to them. I'm fairly new to the team, so I might need to investigate further.

But as of now, I have been able to log in with the help of isoutamo's answer (see accepted solution). It turns out all the user accounts had been wiped out by the previous admins, as I found when I checked the list of active users.

All good now. Thanks!!!

0 Karma

PickleRick
SplunkTrust
SplunkTrust

As I wrote before, there's a good chance that your HFs don't use AD for authentication and authorization. In typical scenarios it's not needed.

You might check

/opt/splunk/bin/splunk btool authentication list authentication

to see what authentication mechanism your HF is using.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lucilleddajab ,

let me understand: do you have problems accessing Splunk or the OS?

If Splunk, you can reset the admin password, but you said that you already have this password.

If you don't have the OS password, you have to ask your network or systems administrators to reset it.

Ciao.

Giuseppe

0 Karma