Security

ERROR UserManagerPro - user="system" had no roles

sylim_splunk
Splunk Employee

After 7.0.2 upgrade from 6.6.4 I'm seeing thousands of these errors in our search cluster and after looking at this for several hours, I cannot determine the source/cause of the ERROR. Using SAML authentication.

03-28-2018 23:36:14.446 +0000 ERROR UserManagerPro - user="system" had no roles

1 Solution

sylim_splunk
Splunk Employee

This is a known issue; currently we are working to address it. In the meantime you can suppress it by creating a user, "system".

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/ConfigureuserswiththeCLI

If it is still the same then you may need to log a support case. Make sure to provide the below:
- Splunk Deployment architecture.
- Enable DEBUG and have it run for a few mins - depends on the frequency of the log messages.
$ ./splunk set log-level UiSAML -level DEBUG
$ ./splunk set log-level Saml -level DEBUG
$ ./splunk set log-level AuthenticationManagerSAML -level DEBUG
$ ./splunk set log-level AttrQueryRequestJob -level DEBUG

Or if you can, try to disable apps one by one and see which app is causing this error and go from there.

0 Karma

ischoenmaker
Explorer

For everyone who (like me) is wondering if and in which release this was fixed:
This was registered as issue SPL-154405/SPL-147319: SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log
Resolved in Splunk 7.0.5
http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues

0 Karma

deepashri_123
Motivator

Hey @sylim,

Check the following:
There might be some deprecated parameters in the authentication.conf file.
Check for this kind of error in splunkd.log:
"WARN SSLOptions - authentication.conf/[saml]/sslKeysfilePassword: deprecated; use 'sslPassword' instead
WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead"
And apply these changes.

Let me know if this helps!!

0 Karma
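
The check suggested in the reply above can be run directly against the configuration file. The following is an added example, not part of the original post and not Splunk tooling: a shell function that scans an authentication.conf for the two deprecated keys named in the quoted WARN lines and prints their replacements. It prints key names only, never values, because one of the keys holds a password; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage: check_deprecated_auth_keys /path/to/authentication.conf
# Prints one finding per deprecated key; exit status is 1 if any were found.
check_deprecated_auth_keys() {
    awk '
    BEGIN {
        # Deprecated key -> replacement, taken from the WARN lines quoted above.
        repl["sslKeysfilePassword"] = "sslPassword"
        repl["sslKeysfile"] = "clientCert"
        stanza = "(none)"
    }
    /^[ \t]*#/ { next }                 # skip comment lines
    /^[ \t]*\[.*\]/ {                   # stanza header: remember its name
        stanza = $0
        sub(/^[ \t]*\[/, "", stanza)
        sub(/\].*$/, "", stanza)
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)     # key only; the value is never printed
        gsub(/[ \t]/, "", key)
        if (key in repl) {
            printf "line %d: [%s] %s is deprecated; use %s\n", NR, stanza, key, repl[key]
            found++
        }
    }
    END { exit (found > 0) }
    ' "$@"
}

# Constructed sample input (not taken from a real deployment).
sample_auth_conf() {
    cat <<'EOF'
[authentication]
authType = SAML
authSettings = saml

[saml]
# sslKeysfile = commented-out.pem
sslKeysfile = /constructed/path/server.pem
sslKeysfilePassword = constructed-placeholder
entityId = constructed-entity
EOF
}

sample_auth_conf | check_deprecated_auth_keys || true
```
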