Re: A user seems to not exist- Anyone encounter su...

PickleRick · ‎10-12-2022

I've stumbled today on a strange thing. It started out with a case about user hitting quota limits. But when I dug into that deeper it turned out that the user doesn't show in the system.

It's not displayed in the UI, it doesn't show in the REST output of /services/authentication/users

But it is defined in etc/passwd so it can log in. And it has KOs created and assigned to it (most importantly in my case - scheduled searches). It has a role assigned in etc/passwd and it seems that that role is properly enforced (hence the quota limitations).

Anyone encountered such thing? How could such user have been "lost"?

isoutamo · ‎10-12-2022

Hi

i have had same situation on one client’s environment. The reason was that there was several inherited roles which has opposite capabilities set. Probably the best way to solve this is just comment out one inherited role one after one. They have LDAP authentication and authorization with configured both conf files in apps and directly with gui. I switched this to pure conf files in one app.

One app which could help you is https://splunkbase.splunk.com/app/4111. I just take some queries from it and modified those to get better understanding what they have defined.

r. Ismo

PickleRick · ‎10-12-2022

Thanks for the hint! As far as I remember, this customer has single role per user but I'll see if other users with this role are visible (so far I focused on this single user).

I'll check it later and report the findings 🙂

PickleRick · ‎10-13-2022

It seems that indeed there are some roles that - when assigned make the user "disappear".

Will have to dig in which role settings do that.

A user seems to not exist, has anyone encountered such a thing?

authentication

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!