Security

ERROR UserManagerPro - user="system" had no roles

sylim_splunk
Splunk Employee

After the 7.0.2 upgrade from 6.6.4, I'm seeing thousands of these errors in our search cluster, and after looking at this for several hours I cannot determine the source/cause of the ERROR. Using SAML authentication.

03-28-2018 23:36:14.446 +0000 ERROR UserManagerPro - user="system" had no roles

1 Solution

sylim_splunk
Splunk Employee

This is a known issue; we are currently working to address it. In the meantime, you can suppress it by creating a user, "system".

https://docs.splunk.com/Documentation/Splunk/7.0.2/Security/ConfigureuserswiththeCLI

If it is still the same, then you may need to log a support case. Make sure to provide the following:
- Splunk Deployment architecture.
- Enable DEBUG and have it run for a few minutes, depending on the frequency of the log messages:
$ ./splunk set log-level UiSAML -level DEBUG
$ ./splunk set log-level Saml -level DEBUG
$ ./splunk set log-level AuthenticationManagerSAML -level DEBUG
$ ./splunk set log-level AttrQueryRequestJob -level DEBUG

Or if you can, try to disable apps one by one and see which app is causing this error and go from there.


0 Karma

ischoenmaker
Explorer

For everyone who (like me) is wondering if and in which release this was fixed:
This was registered as issue SPL-154405/SPL-147319: SHC AuthenticationManagerLDAP complains "Could not find user="system"" flooding splunkd.log
Resolved in Splunk 7.0.5
http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues

0 Karma

deepashri_123
Motivator

Hey @sylim,

Check the following:
There might be some deprecated parameters in the authentication.conf file.
Check for this kind of error in splunkd.log:
"WARN SSLOptions - authentication.conf/[saml]/sslKeysfilePassword: deprecated; use 'sslPassword' instead
WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead"
And apply these changes.

Let me know if this helps!!

0 Karma