Splunk installed failed to create splunk account on RHEL

ryu8450
New Member

Dear experts,
I installed splunk on the rhel servers.
Majority of the time it works fine.
But for this one server, when I tried to change ownership of a directory,
chown -R splunk:splunk ./***deploymentclient/

it says

chown: invalid user: `splunk:splunk'

Can someone please tell me why the splunk install failed to create a splunk account on the machine?

And how do I resolve this? is it a simple useradd, etc?

Thanks,

0 Karma

jonathan_dye
New Member

We're seeing similar problems.

In the splunkforwarder rpm PREIN scriptlet they create a splunk group and a unix account. To do so they use /usr/sbin/groupadd and
/usr/sbin/useradd. But the splunkforwarder rpm doesn't list these utilities (or the rpm which provides them) in its dependencies. As a result of the missing dependency, splunkforwarder is installed before the shadow-utils rpm (which on RHEL provides useradd and groupadd) during RHEL7 installation (when we install the RHEL7.2 OS and application rpms at the same time), and the splunk account cannot be created.

These are error messages from anaconda packaging.log:

10:21:36,425 INFO packaging: splunkforwarder-6.4.0-f2c836328108.x86_64 (344/643)
10:21:36,425 INFO packaging: warning: splunkforwarder-6.4.0-f2c836328108.x86_64: Header V4 DSA/SHA1 Signature, key ID 653fb112: NO KEY
10:21:36,425 INFO packaging: /var/tmp/rpm-tmp.Eoswvi: line 30: /usr/sbin/groupadd: No such file or directory
10:21:36,425 INFO packaging: /var/tmp/rpm-tmp.Eoswvi: line 35: /usr/sbin/useradd: No such file or directory
10:21:36,425 INFO packaging: warning: user splunk does not exist - using root
10:21:36,426 INFO packaging: warning: group splunk does not exist - using root
10:21:36,426 INFO packaging: warning: user splunk does not exist - using root
10:21:36,426 INFO packaging: warning: group splunk does not exist - using root
0 Karma

grijhwani
Motivator

You asked the question. Are you checking back for the answer?

0 Karma

grijhwani
Motivator

If it wasn't just a simple typo in the original chown, this sounds more like an RHEL sysadmin problem than a Splunk problem. Picking an answer out of the air probably isn't going to help you. Confirm that this genuinely is the problem with the following:

$ id splunk

It should return something along the lines of

uid=200(splunk) gid=200(splunk) groups=200(splunk)

If it does not, then the user is genuinely missing. This still raises the question of why. It seems bizarre that the RPM (you did install the RPM, right, not the tarball version?) should install completely and yet still fail to have created the user and/or group correctly. Primarily, if they don't exist, then which user/group owns Splunk? I'd be worried. You probably have a bigger problem.

Yes, you could try to perform the groupadd and useradd commands (in that order), but I would remain worried about the underlying cause.

Update:

Here's a thought - you're not running something like Puppet which would revert the password file?
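The two checks in this thread, confirming the account with `id splunk` and, only if it is really missing, running groupadd then useradd in that order, can be put into one post-install script. The script below is an added example for this thread, not something from the splunkforwarder package or any poster; it also checks that the groupadd/useradd binaries the RPM's scriptlet depends on are present, which is the failure jonathan_dye's packaging.log shows. The account name `splunk`, the home directory `/opt/splunkforwarder`, the system-account flags and the sample passwd/group contents are assumptions for illustration, not values read from the RPM.

```shell
#!/bin/sh
# Added example, not from the thread or the splunkforwarder RPM: verify that the
# account the RPM's %pre scriptlet should have created exists, report what is
# missing, and only then create group and user (group first).

# Does NAME exist as a group in the group database (default /etc/group)?
group_exists() {
    grep -q "^$1:" "${2:-/etc/group}"
}

# Does NAME exist as a user in the passwd database (default /etc/passwd)?
user_exists() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# The scriptlet in the packaging.log above failed because these binaries were
# absent at install time (shadow-utils not yet installed).
scriptlet_tools_present() {
    [ -x /usr/sbin/groupadd ] && [ -x /usr/sbin/useradd ]
}

# Print which parts of the account are missing: "group", "user", "group user"
# or "ok". Optional PASSWD_DB and GROUP_DB arguments allow checking copies of
# the files, e.g. pulled from a server where the install went wrong.
account_status() {
    name=$1
    passwd_db=${2:-/etc/passwd}
    group_db=${3:-/etc/group}
    missing=""
    group_exists "$name" "$group_db" || missing="group"
    user_exists "$name" "$passwd_db" || missing="${missing:+$missing }user"
    echo "${missing:-ok}"
}

# Create whatever is missing, group first and user second, as a system account
# with no login shell. Requires root. Returns 0 if both exist afterwards.
create_splunk_account() {
    name=${1:-splunk}
    home=${2:-/opt/splunkforwarder}     # assumed install path
    if ! scriptlet_tools_present; then
        echo "groupadd/useradd missing: install shadow-utils first" >&2
        return 1
    fi
    group_exists "$name" || groupadd -r "$name" || return 1
    user_exists "$name" || useradd -r -g "$name" -d "$home" -s /sbin/nologin "$name" || return 1
}

# Constructed sample databases for testing the checks offline. They mirror a
# partial failure: the group got created, the user did not.
write_sample_dbs() {
    dir=$1
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd"
    printf 'root:x:0:\nsplunk:x:200:\n' > "$dir/group"
}

# Stand-alone use: `sh check_splunk_account.sh --check [NAME]` reports on the
# live system and exits non-zero if the account is incomplete. Nothing is
# created unless you call create_splunk_account yourself as root.
if [ "${1:-}" = "--check" ]; then
    status=$(account_status "${2:-splunk}")
    echo "splunk account status: $status"
    [ "$status" = "ok" ]
fi
```

Before creating anything by hand it is worth confirming the RPM's side of the story on the affected server: `rpm -q --scripts splunkforwarder` shows the %pre scriptlet that calls groupadd/useradd, and `rpm -q --requires splunkforwarder` shows whether shadow-utils is declared as a dependency. If it is not, the only reliable fix for kickstart installs is to order shadow-utils before splunkforwarder in the package list, since the scriptlet warnings in packaging.log are not fatal and the files end up owned by root.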

grijhwani
Motivator

That suggests to me that there is some fundamental underlying problem on those servers where the user creation failed, although I'm surprised the installation did not bork at that point. Alternatively the install was not performed with the necessary privileges.

Can you guarantee that you performed each and every installation from a sudo command line? What happens if you attempt to create the group with groupadd and the user with useradd?

0 Karma

ryu8450
New Member

We installed the forwarder on many Linux servers and usually it would create a Splunk user; however, there are cases where the Splunk user did not get created, as I found when I tried to change one directory's permissions to be owned by Splunk.

And yes I did install the RPM, not the tarball version.

0 Karma