Assistance/advice greatly appreciated;
I am able to log in to Splunk Web with a Splunk Native user, but via a Perl script I get an unauthorized response.
Excerpt from Perl script:
$post = $ua->post(
"https://prod-forwardermanagement-splunk-vip.xxxx.uk:8089/servicesNS/$app/auth/login",
Content => "username=$username&password=$password"
);
This is the response:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Unauthorized</msg>
</messages>
</response>
Thanks for response,
I am actually testing using the following:
curl -k -u splunkuser:password https://prod-forwardermanagement-splunk.xxxxx.co.uk:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search sourcetype=dp_prod"
It always returns unauthorized for the Splunk Native User (with admin role). No sessionkey is returned. If I try my Active Directory user, the results SID is returned.
Is there anything specific I need to do for a Splunk Native user?
Thanks
I'm able to use that same command with a Splunk local user on my test instance, so I don't know if that's the issue. I assume you're able to login as the local user and run the search interactively, right?
Hi,
Yes, I am able to login to my splunk instance using the same credentials. I just wondered if there might be an overarching config parameter which might preclude Splunk Native users from the admin role.
Thanks
There's no restriction there but that was my next question - are you able to verify the permissions on the local user to ensure they have all the same permissions as the AD user? Also since you're passing the password in the curl command, make sure there aren't any special characters in the password that the shell might be interpreting.
As a test, any user should be able to query this REST endpoint, so that would help you eliminate password issues:
curl -k -u user:temp1234 https://localhost:8089/services/authentication/current-context
If that command fails, there's an issue with the credentials you're providing.
Hi again,
I also get an unauthorized error message returned for https://......./services/authentication/current-context.
The credentials do not contain any special characters.
I am definitely using correct user/password combination, so a little confused as the user works fine via the browser.
Please, are you able to point me to a Splunk log file that might help me understand this issue?
Thanks
You can look for AuthenticationManagerSplunk in $SPLUNK_HOME/var/log/splunk/splunkd.log or you can search "index=_internal sourcetype=splunkd component=AuthenticationManagerSplunk".
This is what those logs look like for me with an incorrect password:
04-18-2022 15:19:57.814 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login failed. Incorrect login for user: user
04-18-2022 15:19:57.816 -0400 WARN AuthenticationManagerSplunk [315578 TcpChannelThread] - Login: user user attempted login with incorrect password. Login attempt=1
Thanks for that,
I can see the following errors when I make the REST API call: (strange, this user is a Splunk native user.)
1 - ERROR UserManagerPro - LDAP Login failed, could not find a valid user="monitoruser" on any configured servers
2 - INFO AuthenticationManagerLDAP - Could not find user="monitoruser" with strategy="SplunkAdmin"
That's normal, as Splunk will try any configured LDAP servers first before trying local users. Are there any other logs for that user?
Hi @jemina,
To use the endpoints with /servicesNS/ you need to specify an app AND a user. For login, you can just use /services/auth/login but you could also try /servicesNS/$username/$app/auth/login or even /servicesNS/-/$app/auth/login.
Try those out and see if they work.
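Added example, not written by any poster in this thread: a Python sketch of the endpoint layout described in the last reply, showing how the path from the first post is read positionally, plus form-encoding of the credentials and parsing of the XML reply. The host name, the function names and the success-response body are assumptions made for the illustration.

```python
import urllib.parse
import xml.etree.ElementTree as ET

def login_url(base, app=None, user=None):
    """auth/login URL: global /services/, or /servicesNS/<user>/<app>/."""
    if app is None and user is None:
        return f"{base}/services/auth/login"
    if app is None:
        raise ValueError("/servicesNS/ needs both <user> and <app>")
    quote = lambda s: urllib.parse.quote(s, safe="")
    # "-" is the wildcard user segment mentioned in the reply above
    return f"{base}/servicesNS/{quote(user or '-')}/{quote(app)}/auth/login"

def split_namespace(path):
    """Read a /servicesNS/ path positionally as (user, app, endpoint)."""
    parts = path.strip("/").split("/")
    if parts[0] != "servicesNS" or len(parts) < 4:
        raise ValueError("not a /servicesNS/<user>/<app>/<endpoint> path")
    return parts[1], parts[2], "/".join(parts[3:])

def login_body(username, password):
    """Form-encode credentials so '&', '=', '+' or '%' survive intact."""
    return urllib.parse.urlencode({"username": username, "password": password})

def parse_login_response(xml_text):
    """Return (session_key or None, list of ERROR message texts)."""
    root = ET.fromstring(xml_text)
    errors = [m.text for m in root.iter("msg") if m.get("type") == "ERROR"]
    return root.findtext("sessionKey"), errors

# The error body from the first post, and a constructed success body
# (assumed shape: a <sessionKey> element directly under <response>).
ERROR_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n<response>\n<messages>\n'
             '<msg type="ERROR">Unauthorized</msg>\n</messages>\n</response>')
OK_XML = "<response><sessionKey>CONSTRUCTED-KEY</sessionKey></response>"

if __name__ == "__main__":
    base = "https://splunk.example:8089"  # placeholder host, not from the thread
    print(login_url(base))                # global endpoint, no namespace
    print(login_url(base, app="search"))  # wildcard user, explicit app
    # The first post's path with $app = "search": the app name lands in the
    # user slot and "auth" in the app slot.
    print(split_namespace("/servicesNS/search/auth/login"))
    print(login_body("monitoruser", "p&ss=w%rd"))  # constructed password
    print(parse_login_response(ERROR_XML))
    print(parse_login_response(OK_XML))
```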