Users still showing after being deleted

wpb162
Explorer

I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI and the CLI to delete users, but they are still visible after deletion. But something seems to have happened, because, even though the users are still showing up using the list command in the CLI, when I try to delete the user using the remove command, it says the user does not exist.

Is there a config file I need to edit to get the users to stop appearing? This is also a clustered Splunk Enterprise environment. Does this mean there are further steps I have to take to delete a user?

Thanks

fahimeh
Explorer

I have the same problem as you. How did you solve it?

0 Karma

wpb162
Explorer

I believe I simply needed to restart each instance after I deleted the users on it.

0 Karma

PickleRick
SplunkTrust

What are you using for authentication? If you are using an external authentication source (like LDAP or SAML), your users will get re-created as soon as they authenticate using that source.

0 Karma

wpb162
Explorer

Just using the local Splunk authentication (username and password), nothing external.

0 Karma

PickleRick
SplunkTrust

Another thing that comes to mind - local file permissions? (splunk process unable to alter the passwd file)

0 Karma

wpb162
Explorer

Permissions seem to be fine, and the deleted users do not show up in the passwd file. 

However, the users still show up in the GUI and when I run 

list user
0 Karma

KendallW
Contributor

Hi @wpb162 
It could be that the removal of the users has not propagated to all members of the SHC yet. How many members are in your SHC? How long did you leave it after running the "splunk remove user" command?

0 Karma

wpb162
Explorer

3 members in the cluster, has not updated since I made the change yesterday, even on the instance I made the change on.

0 Karma

deepakc
Builder

Removing users is a standard Splunk admin task, so this is odd!

If you look at your config, what does this state?

If you run the btool command and check your authentication config?

/opt/splunk/bin/splunk cmd btool authentication list --debug

0 Karma