Scripted SSO auth errors on indexer cluster

krisreeves · ‎05-17-2018

We have a clustered setup with server types including an indexer cluster, a search head cluster, and a separate cluster master.

We've implemented SSO with an auth script, but still receive messages from our indexers in splunkd.log to the effect of: ERROR AuthenticationManagerScripted - Script function getUserInfo failed for user: nobody. How can I get rid of this? Is this an indication of failed functionality when searches are executed by the (internal) nobody user?

We also see these for bot users, which are local Splunk accounts in the search head cluster. Do I need to ensure these users exist on the indexer cluster as well?

p_gurav · ‎05-17-2018

Can you test this script:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Security/Createtheauthenticationscript#Test_the_sc...

krisreeves · ‎05-18-2018

The script works fine, but fails for the user "nobody", since that is not a SSO user. It's a special Splunk user / the lack of a user. The docs state that the search heads send the authorization information to the peers at search time, so I'm not expecting this script to be run on search peers at all.

Scripted SSO auth errors on indexer cluster

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!