
How to fix "Could not get roles for user that does not exist"

extquebec
New Member

Hello,
I am currently configuring Splunk with LDAP / AD.
The Splunk server is installed on CentOS 7, Splunk version 7.1.
Splunk Web must be used by users in GROUP1 only.
GROUP1 is mapped to the admin role.
minos exists only in AD, not in Splunk Web ...
When user minos is not a member of GROUP1 it is not listed and does not appear in the log.
As soon as minos has been added to GROUP1, it is in the log file:
"Found matching group="GROUP1" with mapped roles". It seems to be working as expected.
But

1) I have the following error message: "Could not get roles for user that does not exist: minos".

What am I doing wrong? What is missing, and where?
Any suggestion? Of course I looked around in the forum ... but nothing obvious.
2) There is also a user which does not exist in LDAP, and I am wondering where it comes from.
Before, I removed any reference in the local.meta file.
user="nobody" was not cached
....
Could not find user="nobody" with strategy="advm"
Thanks

Extract of the Splunk log file

[...]
04-09-2020 15:03:45.002 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Initializing with LDAPURL="ldap://:389"
04-09-2020 15:03:45.002 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Attempting bind as DN="cn=administrador,cn=users,dc=XXX,dc=com"
04-09-2020 15:03:45.004 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Bind successful
04-09-2020 15:03:45.004 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Attempting to search subtree at DN="cn=users,dc=XXXX,dc=com" using filter="(&(samaccountname=minos)(memberof=CN=GROUP1,CN=Builtin,DC=XXXX,DC=com)(displayname=*))"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Search duration="3.220 milliseconds"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Loading entry attributes for DN="CN=minos,CN=Users,DC=XXX,DC=com"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Adding attribute="displayName" with value="minos"
04-09-2020 15:03:45.007 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="minos" with DN="CN=minos,CN=Users,DC=XXXX,DC=com" in strategy="advm"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Attempting to search subtree at DN="cn=builtin,dc=XXXX,dc=com" using filter="(&(member=CN=minos,CN=Users,DC=XXXX,DC=com)(cn=*))"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Search duration="1382 microseconds"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Loading entry attributes for DN="CN=GROUP1,CN=Builtin,DC=XXX,DC=com"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Adding attribute="cn" with value="GROUP1"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Mapping groups for user="minos" for group DN="CN=GROUP1,CN=Builtin,DC=XXX,DC=com"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - "Found matching group="GROUP1" with mapped roles"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Successfully filled info for user="minos" with realname="minos" and email="" in strategy="advm"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Successfully performed unbind
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Caching user="minos" with DN="CN=minos,CN=Users,DC=XXXX,DC=com"
04-09-2020 15:03:45.009 +0000 ERROR AuthenticationManagerSplunk - Could not get roles for user that does not exist: minos
04-09-2020 15:03:45.011 +0000 INFO  UserManagerPro - Login failed for user="minos", elapsed time=0.001 seconds
[...]

Here is my authentication.conf file

[advm]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = cn=administrador,cn=users,dc=XXX,dc=com
bindDNpassword = 
charset = utf8
emailAttribute = mail
groupBaseDN = cn=builtin,dc=XXX,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = 
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,dc=XXXX,dc=com
userBaseFilter = (memberof=CN=GROUP1,CN=Builtin,DC=XXX,DC=com)
userNameAttribute = samaccountname

[authentication]
authSettings = advm
authType = LDAP

[roleMap_advm]
admin = GROUP1
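The authentication.conf above has a fixed shape: one stanza per LDAP strategy, an [authentication] stanza that names the active strategy, and a [roleMap_&lt;strategy&gt;] stanza that maps Splunk roles to directory group names. Several of the things that go wrong with it are checkable before a single login is attempted. The linter below is an added example, not Splunk code and not the poster's; SAMPLE_CONF is a constructed copy of the posted stanza (host and bindDNpassword were blank in the post, which the linter flags, and the redacted domain is spelled one way throughout rather than XXX/XXXX). FIXED_CONF is a hypothetical corrected copy with a placeholder host and password. The checks are: SSLEnabled must be 1, because with SSLEnabled = 0 on port 389 the bindDN password and every user's password cross the network in cleartext; the bind password and host must be set; each DN must parse into attr=value RDNs (a doubled comma yields an empty RDN); the memberof DN in userBaseFilter must live under groupBaseDN; and that group's cn must appear in the roleMap, otherwise users are found but receive no role.

```python
"""Lint the LDAP strategy in a Splunk authentication.conf.
Added example; not Splunk code and not the poster's.
SAMPLE_CONF is a constructed copy of the posted stanza."""
import configparser
import re

SAMPLE_CONF = """
[advm]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = cn=administrador,cn=users,dc=XXX,dc=com
bindDNpassword =
charset = utf8
emailAttribute = mail
groupBaseDN = cn=builtin,dc=XXX,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host =
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,dc=XXX,dc=com
userBaseFilter = (memberof=CN=GROUP1,CN=Builtin,DC=XXX,,DC=com)
userNameAttribute = samaccountname

[authentication]
authSettings = advm
authType = LDAP

[roleMap_advm]
admin = GROUP1
"""

# Hypothetical corrected copy: LDAPS on 636, a bind password, a placeholder
# host in place of the redacted one, and the stray comma removed.
FIXED_CONF = (SAMPLE_CONF
              .replace("SSLEnabled = 0", "SSLEnabled = 1")
              .replace("port = 389", "port = 636")
              .replace("bindDNpassword =", "bindDNpassword = hunter2")
              .replace("host =", "host = dc01.XXX.com")
              .replace("DC=XXX,,DC=com", "DC=XXX,DC=com"))


def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep Splunk's camelCase keys as written
    cp.read_string(text)
    return cp


def split_dn(dn):
    """Split a DN on unescaped commas into RDNs (no RFC 4514 unescaping)."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]


def dn_is_valid(dn):
    """Every RDN must look like attr=value; an empty RDN (from ',,') fails."""
    return all(re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=.+", r) for r in split_dn(dn))


def dn_under(dn, base):
    """True when dn sits strictly below base (case-insensitive RDN compare)."""
    a = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base)]
    return len(a) > len(b) and a[-len(b):] == b


def lint(cp):
    """Return a sorted list of finding codes for the active LDAP strategy."""
    findings = []
    if "authentication" not in cp:
        return ["missing-authentication-stanza"]
    auth = cp["authentication"]
    if (auth.get("authType") or "").strip() != "LDAP":
        return ["authType-not-LDAP"]
    strategy = (auth.get("authSettings") or "").strip()
    if strategy not in cp:
        return [f"missing-strategy-stanza:{strategy}"]
    s = cp[strategy]

    def get(key):
        return (s.get(key) or "").strip()

    # Transport and credential: SSLEnabled=0 sends the bindDN password and
    # every user's password across the wire in cleartext.
    if get("SSLEnabled") != "1":
        findings.append("cleartext-ldap")
    if not get("bindDNpassword"):
        findings.append("empty-bind-password")
    if not get("host"):
        findings.append("empty-host")

    # Syntax of the DNs Splunk sends to the directory.
    for key in ("bindDN", "userBaseDN", "groupBaseDN"):
        if not dn_is_valid(get(key)):
            findings.append(f"bad-dn:{key}")

    # The memberof DN in userBaseFilter must parse, live under groupBaseDN,
    # and have its cn mapped in roleMap_<strategy>.
    rolemap_name = f"roleMap_{strategy}"
    rolemap = cp[rolemap_name] if rolemap_name in cp else None
    if rolemap is None:
        findings.append(f"missing-rolemap:{rolemap_name}")
    m = re.search(r"\(memberof=([^)]*)\)", get("userBaseFilter"), re.I)
    if m:
        gdn = m.group(1)
        if not dn_is_valid(gdn):
            findings.append("bad-dn:userBaseFilter")
        else:
            if not dn_under(gdn, get("groupBaseDN")):
                findings.append("filter-group-outside-groupBaseDN")
            if rolemap is not None:
                group_cn = split_dn(gdn)[0].split("=", 1)[1].lower()
                mapped = {g.strip().lower() for v in rolemap.values() for g in v.split(";")}
                if group_cn not in mapped:
                    findings.append("filter-group-not-in-rolemap")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(parse_conf(text)) or "clean")
```

Run it on the real file with `parse_conf(open("/opt/splunk/etc/system/local/authentication.conf").read())` (that path is the usual location, not something the post states). The DN comparison is deliberately case-insensitive because the log shows Splunk accepting `cn=builtin` in groupBaseDN while the directory returns `CN=Builtin`.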

extquebec
New Member

Thanks DalJeanis

For the first issue: the users from AD are listed in Splunk Web and are mapped to the role admin as expected.

But I still cannot log in with one of those users.

So I do not get why the user is not found! Are those users supposed to be defined somewhere else?

Any idea?

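The log excerpt in the original question records the whole attempt in one thread of splunkd.log: the ScopedLDAPConnection and AuthenticationManagerLDAP lines belong to the LDAP strategy, the final ERROR is emitted by AuthenticationManagerSplunk, and UserManagerPro reports the outcome. Separating those components is the first step when reading such a trace, and the script below does it. It is an added example, not Splunk code and not the poster's; SAMPLE_LOG is a constructed subset of the posted lines with the domain left redacted. It parses each line into timestamp, level, component and message, records the strategy name and the user the LDAP stage cached, and lists every ERROR with the component that produced it.

```python
"""Triage one login attempt in splunkd.log by component.
Added example; not Splunk code and not the poster's.
SAMPLE_LOG is a constructed subset of the excerpt in the post."""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$")

SAMPLE_LOG = """\
04-09-2020 15:03:45.002 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Attempting bind as DN="cn=administrador,cn=users,dc=XXX,dc=com"
04-09-2020 15:03:45.004 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Bind successful
04-09-2020 15:03:45.007 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="minos" with DN="CN=minos,CN=Users,DC=XXXX,DC=com" in strategy="advm"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - "Found matching group="GROUP1" with mapped roles"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Caching user="minos" with DN="CN=minos,CN=Users,DC=XXXX,DC=com"
04-09-2020 15:03:45.009 +0000 ERROR AuthenticationManagerSplunk - Could not get roles for user that does not exist: minos
04-09-2020 15:03:45.011 +0000 INFO  UserManagerPro - Login failed for user="minos", elapsed time=0.001 seconds
"""


def parse_log(text):
    """Return one dict per line that matches the splunkd.log layout."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def kv(msg, key):
    """Extract key="value" from a message, or None if absent."""
    m = re.search(r"\b" + re.escape(key) + r'="([^"]*)"', msg)
    return m.group(1) if m else None


def triage(text):
    """Summarise which component did what during the login attempt."""
    report = {
        "components": [],        # emitting components, in order of first appearance
        "ldap_strategy": None,   # strategy name seen on the LDAP lines
        "ldap_cached_user": None,  # user the LDAP stage got as far as caching
        "errors": [],            # (component, message) for every ERROR line
        "login_failed_user": None,
    }
    for e in parse_log(text):
        comp, msg = e["component"], e["msg"]
        if comp not in report["components"]:
            report["components"].append(comp)
        if comp in ("ScopedLDAPConnection", "AuthenticationManagerLDAP"):
            strategy = kv(msg, "strategy")
            if strategy:
                report["ldap_strategy"] = strategy
            if comp == "AuthenticationManagerLDAP" and msg.startswith("Caching user="):
                report["ldap_cached_user"] = kv(msg, "user")
        if e["level"] == "ERROR":
            report["errors"].append((comp, msg))
        if comp == "UserManagerPro" and "Login failed" in msg:
            report["login_failed_user"] = kv(msg, "user")
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("LDAP strategy:", r["ldap_strategy"], "cached user:", r["ldap_cached_user"])
    for comp, msg in r["errors"]:
        print("ERROR from", comp + ":", msg)
    print("login failed for:", r["login_failed_user"])
```

Feed it a larger slice of splunkd.log (for example the output of `grep 'user="minos"' splunkd.log` together with the surrounding DEBUG lines) and the errors list tells you at a glance whether a failure was raised inside the LDAP strategy or by another authentication component after the LDAP stage had already cached the user.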

extquebec
New Member

Thanks for your answer, DalJeanis

For my first issue: I can see in Splunk Web all the users defined in LDAP linked to GROUP1 and mapped to the roles I defined in the authentication.conf file.

Tried a lot of things but still get this error when trying to log in with one of the users listed in Splunk Web.

Am I looking in the wrong direction ... ?


DalJeanis
Legend

FYI - user "nobody" is what happens when a knowledge object (a search or dash) belonged to a user who has been deleted from the system.
