Hi,
our splunk universal forwarder is runnning under a non-root service account, which is defined in our central ldap.
We upgraded our universal forwarder from 7.3.7 to 8.0.5 and now our forwarder cannot monitor our file anymore.
The file to be monitored is set as following:
#ls -al /tmp/ldap-group-test
-rw-r-----. 1 root ldapgroup 100 Sep 1 09:27 /tmp/ldap-group-test
Our splunk service account user is a member of the group ldapgroup:
#id ldapsplunk
uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup),100009(ldapgroup)
In Splunk with a universal forwarder in version 8.0.5 we get a permission denied.
If we use a scripted input (inputs.conf) to display the user and group context of the currently running splunk forwarder session:
bin/display_groups.sh
#/bin/bash
hostname=$(hostname)
time=$(date +%s)
id=$(id)
rc=$?
echo "${time} - ${hostname} - ${id} - ${rc}"
we get as output:
1598967093 - splunkhost.bla.fasel.de - uid=100007(ldapsplunk) gid=100008(ldapsplunkgroup) groups=100008(ldapsplunkgroup) context=system_u:system_r:unconfined_service_t:s0 - 0
As you can see, the membership of ldapgroup is missing here.
It seems that during the start process of the universal forwarder, the permissions for ldap groups aren't passed correctly.
Has anyone already noticed this? Are there any workarounds other than downgrading to version 7.3?
Thanks
- Lorenz
I have tested your scenario, my splunk is running with user splunk and group splunk
I have created a new group added user to new group also.
I have created test.sh with code you shared.
when I ran test.sh using splunk cmd bash test.sh
I can see old group and new group.
I don't that is an issue with Splunk.
Hi,
local groups are working for me as well. The problem is only with groups from ldap.
Did you try with ldap groups?
And: Did you really try to run my script as a real scripted input via inputs.conf and not over regular cli?
- Lorenz