Security

Scripted SSO auth errors on indexer cluster

krisreeves
Path Finder

We have a clustered setup with server types including an indexer cluster, a search head cluster, and a separate cluster master.

We've implemented SSO with an auth script, but still receive messages from our indexers in splunkd.log to the effect of: ERROR AuthenticationManagerScripted - Script function getUserInfo failed for user: nobody. How can I get rid of this? Is this an indication of failed functionality when searches are executed by the (internal) nobody user?

We also see these for bot users, which are local Splunk accounts in the search head cluster. Do I need to ensure these users exist on the indexer cluster as well?

0 Karma

p_gurav
Champion
0 Karma

krisreeves
Path Finder

The script works fine, but fails for the user "nobody", since that is not a SSO user. It's a special Splunk user / the lack of a user. The docs state that the search heads send the authorization information to the peers at search time, so I'm not expecting this script to be run on search peers at all.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...