Security

ERROR UserManagerPro - user="system" had no roles

sylim_splunk
Splunk Employee

After the 7.0.2 upgrade from 6.6.4, I'm seeing thousands of these errors in our search cluster, and after looking at this for several hours I cannot determine the source/cause of the ERROR. Using SAML authentication.

03-28-2018 23:36:14.446 +0000 ERROR UserManagerPro - user="system" had no roles

1 Solution

sylim_splunk
Splunk Employee

This is a known issue; we are currently working to address it. In the meantime, you can suppress it by creating a user, "system".

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/ConfigureuserswiththeCLI

If it is still the same, then you may need to log a support case. Make sure to provide the following:
- Splunk deployment architecture.
- Enable DEBUG and have it run for a few minutes, depending on the frequency of the log messages:
  $ ./splunk set log-level UiSAML -level DEBUG
  $ ./splunk set log-level Saml -level DEBUG
  $ ./splunk set log-level AuthenticationManagerSAML -level DEBUG
  $ ./splunk set log-level AttrQueryRequestJob -level DEBUG

Or if you can, try to disable apps one by one and see which app is causing this error and go from there.

0 Karma

ischoenmaker
Explorer

For everyone who (like me) is wondering if and in which release this was fixed:
This was registered as issue SPL-154405/SPL-147319: SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log
Resolved in Splunk 7.0.5
http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues

0 Karma

deepashri_123
Motivator

Hey @sylim,

Check the following:
There might be some deprecated parameters in the authentication.conf file.
Check for this kind of error in splunkd.log:
"WARN SSLOptions - authentication.conf/[saml]/sslKeysfilePassword: deprecated; use 'sslPassword' instead
WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead"
And apply these changes.

Let me know if this helps!!

0 Karma