ERROR UserManagerPro - user="system" had no roles

sylim_splunk
Splunk Employee

After 7.0.2 upgrade from 6.6.4 I'm seeing thousands of these errors in our search cluster and after looking at this for several hours, I cannot determine the source/cause of the ERROR. Using SAML authentication.

03-28-2018 23:36:14.446 +0000 ERROR UserManagerPro - user="system" had no roles

1 Solution

sylim_splunk
Splunk Employee

This is a known issue, and we are currently working to address it. In the meantime you can suppress it by creating a user, "system".

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/ConfigureuserswiththeCLI

If it is still the same then you may need to log a support case. Make sure to provide the following:
- Splunk Deployment architecture.
- Enable DEBUG and have it run for a few mins - depends on the frequency of the log messages.
$ ./splunk set log-level UiSAML -level DEBUG
$ ./splunk set log-level Saml -level DEBUG
$ ./splunk set log-level AuthenticationManagerSAML -level DEBUG
$ ./splunk set log-level AttrQueryRequestJob -level DEBUG

Or if you can, try to disable apps one by one and see which app is causing this error and go from there.

0 Karma

ischoenmaker
Explorer

For everyone who (like me) is wondering if and in which release this was fixed:
This was registered as issue SPL-154405/SPL-147319: SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log
Resolved in Splunk 7.0.5
http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues

0 Karma

deepashri_123
Motivator

Hey @sylim,

Check the following:
There might be some deprecated parameters in the authentication.conf file.
Check for this kind of error in splunkd.log:
"WARN SSLOptions - authentication.conf/[saml]/sslKeysfilePassword: deprecated; use 'sslPassword' instead
WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead"
And apply these changes.

Let me know if this helps!!

0 Karma
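
Added example, not part of any post in this thread and not Splunk's own code: one way to run the check suggested above over splunkd.log, listing each deprecated setting with its replacement and counting the user="system" had no roles errors per minute. The timestamps on the sample WARN lines and the names summarize, SAMPLE_LOG and the three regexes are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in splunkd.log layout; the messages are the ones quoted in this thread.
SAMPLE_LOG = """\
03-28-2018 23:36:14.446 +0000 ERROR UserManagerPro - user="system" had no roles
03-28-2018 23:36:15.102 +0000 WARN SSLOptions - authentication.conf/[saml]/sslKeysfilePassword: deprecated; use 'sslPassword' instead
03-28-2018 23:36:15.103 +0000 WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead
03-28-2018 23:36:44.913 +0000 ERROR UserManagerPro - user="system" had no roles
03-28-2018 23:37:02.020 +0000 WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead
"""

# Layout: <date> <time> <tz> <LEVEL> <component> - <message>
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-\d{2}-\d{4} \d{2}:\d{2}):\d{2}\.\d{3} [+-]\d{4} "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
# Message: <file>.conf/[<stanza>]/<key>: deprecated; use '<replacement>' instead
DEPRECATED_RE = re.compile(
    r"^(?P<conf>[\w.-]+\.conf)/\[(?P<stanza>[^\]]+)\]/(?P<key>[^:]+): "
    r"deprecated; use '(?P<new>[^']+)' instead$"
)
NO_ROLES_RE = re.compile(r'^user="(?P<user>[^"]*)" had no roles$')


def summarize(lines):
    """Return (renames to apply, 'had no roles' counts keyed by (user, minute))."""
    deprecated, no_roles = {}, Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation line or a different log layout
        dep = DEPRECATED_RE.match(m["msg"])
        nr = NO_ROLES_RE.match(m["msg"])
        if dep and m["level"] == "WARN":
            deprecated[(dep["conf"], dep["stanza"], dep["key"])] = dep["new"]
        elif nr and m["component"] == "UserManagerPro":
            no_roles[(nr["user"], m["minute"])] += 1
    return deprecated, no_roles


if __name__ == "__main__":
    deprecated, no_roles = summarize(SAMPLE_LOG.splitlines())
    for (conf, stanza, key), new in sorted(deprecated.items()):
        print(f"{conf} [{stanza}]: rename {key} -> {new}")
    for (user, minute), n in sorted(no_roles.items()):
        print(f'{minute} user="{user}" had no roles x{n}')
```

To run it against a real file, pass the open splunkd.log file object to summarize() in place of the sample lines.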