Solved: Re: User accounts

marg224 · ‎02-10-2014

I've tried to research this issue on my own, but, to no avail and I'm I'm at my wits end.

Every so often, all my user accounts, with the exception of Admin, disappear. I'm admin and I am not deleting them. Most of the users have power user role, or, just plain user.

If anyone has any ideas I'd appreciate it greatly.

Thanks in advance.

M

bosburn_splunk · ‎02-10-2014

I'm assuming you have an enterprise license.

That being said, make sure that the $SPLUNK_HOME/etc/passwd is readable by the user running Splunk.

View solution in original post

marg224 · ‎09-04-2014

Found the answer myself...seems someone else was resetting the admin password, BUT not saving off the users files, so, that when the new admin password was used, there were no user accounts. Solved by copying the .ini file, and, restoring it when the admin password was reset. Did not find this solution listed anywhere or in the documents. It would have been nice to know. Anyway, such as it is, it's no longer a mystery and thanks to all who offered up answers!

walker_liu · ‎10-18-2017

Hi, could I know the exactly filename you copy and restore? Because I only saw user.ini but it's empty before/after I reset admin password.

bosburn_splunk · ‎02-10-2014

I'm assuming you have an enterprise license.

That being said, make sure that the $SPLUNK_HOME/etc/passwd is readable by the user running Splunk.

marg224 · ‎02-10-2014

bosburn_splunk; thanks. I checked and yes, $Splunk_HOME/etc/passwd is readable by the user running Splunk (root) on our Enterprize install. Anything else you can suggest? Thanks so much.

marg224 · ‎02-10-2014

Thanks somesoni2 - I ran the query you suggested to no avail. Any other suggestions?

Thanks to all in advance.

M.

somesoni2 · ‎02-10-2014

Try running this query which provides list of deleted users, along with who deleted it. See if it helps in your investigation.

index=_internal sourcetype=splunkd_access uri_path="*authentication/users*"
method="DELETE" | rename file as user_deleted user as deleted_by, _time as time_deleted | table user_deleted, time_deleted, deleted_by

somesoni2 · ‎02-10-2014

Hope you're running with proper timeframe selected. Also, check the content of following file. splunk/etc/passwd. This file contains all the user information. Check if there is any program/script deleting this file.

marg224 · ‎02-10-2014

Thanks somesoni2 - I ran the query you suggested to no avail. Any other suggestions?Thanks to all in advance.M.

marg224 · ‎02-10-2014

I'm using Splunk 5.05.

Not using LDAP.

Solaris 10 OS.

I'm the only one with admin access, all other users have power.

I'm the only one with root access.

Thanks!

bosburn_splunk · ‎02-10-2014

Can you provide a little more information? Are you using LDAP or the Splunk authentication? What Version of Splunk? What OS?

User accounts

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!