Installation with gMSA/MSA

bzam · ‎05-21-2018

I'm attempting to run a Splunk Forwarder installation with parameters that specify the LOGON_USERNAME with a managed service account. The command line is as follows:

msiexec.exe /i splunkforwarder-7.0.3-fa31da744b51-x64-release.msi /l*v D:\splunk_install.log /qr AGREETOLICENSE=Yes INSTALLDIR="D:\SplunkUniversalForwarder"  SPLUNK_PASSWORD="secret" SET_ADMIN_USER=0 LOGON_USERNAME="domain\gmsa_splunk$" LOGON_PASSWORD="" DEPLOYMENT_SERVER="ds:8089"

It appears that the installation is completing, but fails at the service start up...at which point the installation completely rolls back. Since MSAs manage their own passwords, i've attempted to exclude the LOGON_PASSWORD option, as well as specifying an empty string, but the results are the same.

This error is generated in the install log:

MSI (s) (98:C8) [15:41:24:855]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSID935.tmp, Entrypoint: StartSplunkServiceCA
StartSplunkService:  Warning: Invalid property ignored: FailCA=.
StartSplunkService:  Info: Properties: splunkHome: D:\SplunkUniversalForwarder, svcName: SplunkForwarder, launch splunk: 1.
StartSplunkService:  Info: Enter.
StartSplunkService:  Info: service SplunkForwarder already exists
StartSplunkService:  Info: Leave.
StartSplunkService:  Info: Enter. Args: "D:\SplunkUniversalForwarder\bin\splunk.exe", start --answer-yes --no-prompt --accept-license --auto-ports
StartSplunkService:  Info: Execute string: cmd.exe /c ""D:\SplunkUniversalForwarder\bin\splunk.exe" start --answer-yes --no-prompt --accept-license --auto-ports >> "C:\Users\user\AppData\Local\Temp\splunk.log" 2>&1"
StartSplunkService:  Info: WaitForSingleObject returned : 0x0
StartSplunkService:  Info: Exit code for process : 0x4
StartSplunkService:  Info: Leave.
StartSplunkService:  Error: ExecCmd failed: 0x4.
StartSplunkService:  Error 0x80004005: Cannot start splunkd service.

Does anyone know if it's possible to install Splunk in this manner? Installing as Local System, and updating the service to start as the MSA works fine, but wanted to try and configure this in one shot.

Thanks for any ideas here!

michaelissartel · ‎03-23-2020

Hi, @davidjohnbeckettorb splunkd with gMSA working here.

Quite old question...

davidjohnbecket · ‎06-29-2018

Did anyone get the splunkd service working with a gMSA?

Even if i configure it manually, i get permissions issues running the services.

In addition the DBConnect addon fails to start...

Any ideas?

xpac · ‎05-22-2018

Do I get this right?
You want to install Splunk UF with a certain service account, but without using that account's password?
Also, what is a MSA?

bzam · ‎05-29-2018

Just some additional detail on this...the issue I was having above was related to testing on a Windows 7 machine. I have been able to install the Splunk forwarder using command line arguments, but since i specified a password of 'empty string', the services wouldn't come up. I ended up resetting the services logon settings for the user and was able to successfully start the services.

bzam · ‎05-22-2018

There are some details here:

http://docs.splunk.com/Documentation/Splunk/7.1.0/Installation/ChoosetheuserSplunkshouldrunas

But, yes, managed service accounts create and maintain their own passwords, so there isn't a need to provide one via the command line.

xpac · ‎05-22-2018

Mh, never heard of that, but I'm also not really a Windows admin guy, so thanks for the update 🙂

Installation with gMSA/MSA

other

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?