I had to recover a password for Splunk and deleted the passwd file and then restarted Splunk but no new passwd file is generated. I thought Splunk auto-generated this file when this happens? I am looking in /opt/splunk/etc, and permissions/space... it lookas fine. Splunk is running.
If you are running Splunk 7.1 the old
delete $SPLUNK_HOME/etc/passwd trick does not work anymore. Read the docs http://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Secureyouradminaccount#Reset_a_lost_passw... about how to reset a lost password in Splunk 7.1
Hope this helps ...
Yup. 7.1 introduced a stricter password policy feature and so that ol' hack that we used to love got blocked as a means to strengthen security.
Hmm. Yea, if you delete the $SPLUNK_HOME/etc/passwd file on that version then restart it should regenerate for you (if my memory is right).
I say do it again just in case there's human error that we didn't notice.