Splunk installed failed to create splunk account on RHEL

ryu8450
New Member

Dear experts,
I installed Splunk on the RHEL servers.
Majority of the time it works fine.
But for this one server, when I tried to change ownership of a directory,
chown -R splunk:splunk ./***deploymentclient/

it says

chown: invalid user: `splunk:splunk'

Can someone please tell me why the splunk install failed to create a splunk account on the machine?

And how do I resolve this? Is it a simple useradd, etc.?

Thanks,


jonathan_dye
New Member

We're seeing similar problems.

In the splunkforwarder rpm PREIN scriptlet they create a splunk group and a unix account. To do so they use /usr/sbin/groupadd and /usr/sbin/useradd. But the splunkforwarder rpm doesn't list these utilities (or the rpm which provides them) in its dependencies. As a result of the missing dependency, splunkforwarder is installed before the shadow-utils rpm (which on RHEL provides useradd and groupadd) during RHEL7 installation (when we install the RHEL7.2 OS and application rpms at the same time), and the splunk account cannot be created.

These are error messages from anaconda packaging.log:

10:21:36,425 INFO packaging: splunkforwarder-6.4.0-f2c836328108.x86_64 (344/643)
10:21:36,425 INFO packaging: warning: splunkforwarder-6.4.0-f2c836328108.x86_64: Header V4 DSA/SHA1 Signature, key ID 653fb112: NO KEY
10:21:36,425 INFO packaging: /var/tmp/rpm-tmp.Eoswvi: line 30: /usr/sbin/groupadd: No such file or directory
10:21:36,425 INFO packaging: /var/tmp/rpm-tmp.Eoswvi: line 35: /usr/sbin/useradd: No such file or directory
10:21:36,425 INFO packaging: warning: user splunk does not exist - using root
10:21:36,426 INFO packaging: warning: group splunk does not exist - using root
10:21:36,426 INFO packaging: warning: user splunk does not exist - using root
10:21:36,426 INFO packaging: warning: group splunk does not exist - using root

grijhwani
Motivator

You asked the question. Are you checking back for the answer?


grijhwani
Motivator

If it wasn't just a simple typo in the original chown, this sounds more like an RHEL sysadmin problem than a Splunk problem. Picking an answer out of the air probably isn't going to help you. Confirm that this genuinely is the problem with the following:

$ id splunk

It should return something along the lines of

uid=200(splunk) gid=200(splunk) groups=200(splunk)

If it does not, then the user is genuinely missing. This still raises the question of why. It seems bizarre that the RPM should install completely (you did install the RPM, right, not the tarball version?) and yet still fail to have created the user and/or group correctly. Primarily, if they don't exist, then which user/group owns Splunk? I'd be worried. You probably have a bigger problem.

Yes, you could try to perform a groupadd and useradd commands (in that order), but I would remain worried about the underlying cause.

Update:

Here's a thought - you're not running something like Puppet which would revert the password file?
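The checks below are an added example, not code from the thread or from Splunk: they detect the failure mode jonathan_dye describes (a %pre scriptlet that calls useradd/groupadd while the package declares no dependency providing them) and extend grijhwani's `id splunk` check to the files rpm fell back to installing as root. Package name splunkforwarder, account splunk and install directory /opt/splunkforwarder are assumptions; the scriptlet and requires samples are constructed approximations.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk). Assumes package
# splunkforwarder, account splunk, install dir /opt/splunkforwarder.

# $1 = output of `rpm -q --scripts PKG`, $2 = output of `rpm -q --requires PKG`.
# Returns 0 when %pre needs useradd/groupadd but no dependency declares them.
scriptlet_dep_missing() {
    printf '%s\n' "$1" | grep -Eq '/usr/sbin/(useradd|groupadd)' || return 1
    printf '%s\n' "$2" | grep -Eq '^(shadow-utils|/usr/sbin/(useradd|groupadd))' && return 1
    return 0
}

# $1 = anaconda packaging.log text. Prints how many lines show the scriptlet
# failing to create the account or rpm falling back to root ownership.
count_scriptlet_failures() {
    printf '%s\n' "$1" | grep -Ec '(useradd|groupadd): No such file or directory|(user|group) splunk does not exist' || true
}

# Live checks on an installed host (needs id, rpm, find); run with --live.
check_host() {
    id splunk >/dev/null 2>&1 || { echo "FAIL: no splunk user; %pre scriptlet likely failed"; return 1; }
    if scriptlet_dep_missing "$(rpm -q --scripts splunkforwarder)" "$(rpm -q --requires splunkforwarder)"; then
        echo "WARN: %pre uses useradd/groupadd but no dependency provides them"
    fi
    # Anything rpm laid down while the account was missing stays owned by root.
    find /opt/splunkforwarder -user root -print 2>/dev/null | head -n 20
}

# Constructed approximation of the scriptlet and requires list (not Splunk's real output).
SAMPLE_SCRIPTS='preinstall scriptlet (using /bin/sh):
getent group splunk >/dev/null || /usr/sbin/groupadd -r splunk
getent passwd splunk >/dev/null || /usr/sbin/useradd -r -g splunk splunk'
SAMPLE_REQUIRES='/bin/sh
rpmlib(CompressedFileNames) <= 3.0.4-1'
# Lines taken from the packaging.log excerpt quoted in the thread.
SAMPLE_LOG='10:21:36,425 INFO packaging: warning: splunkforwarder-6.4.0-f2c836328108.x86_64: Header V4 DSA/SHA1 Signature, key ID 653fb112: NO KEY
10:21:36,425 INFO packaging: /var/tmp/rpm-tmp.Eoswvi: line 30: /usr/sbin/groupadd: No such file or directory
10:21:36,425 INFO packaging: /var/tmp/rpm-tmp.Eoswvi: line 35: /usr/sbin/useradd: No such file or directory
10:21:36,425 INFO packaging: warning: user splunk does not exist - using root
10:21:36,426 INFO packaging: warning: group splunk does not exist - using root'

scriptlet_dep_missing "$SAMPLE_SCRIPTS" "$SAMPLE_REQUIRES" && echo "sample RPM: useradd/groupadd dependency missing"
echo "sample log: $(count_scriptlet_failures "$SAMPLE_LOG") account-creation failures"
if [ "${1:-}" = "--live" ]; then check_host; fi
```

A kickstart %post or a configuration-management run can call check_host and fail the build when the splunk user is absent or root-owned files remain under the install directory.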

grijhwani
Motivator

That suggests to me that there is some fundamental underlying problem on those servers where the user creation failed, although I'm surprised the installation did not bork at that point. Alternatively the install was not performed with the necessary privileges.

Can you guarantee that you performed each and every installation from a sudo command line? What happens if you attempt to create the group with groupadd and the user with useradd?


ryu8450
New Member

We installed the forwarder on many Linux servers and usually it would create a Splunk user; however, there are cases where the Splunk user did not get created, as I found when I tried to change one of the directories' permissions to be owned by Splunk.

And yes I did install the RPM, not the tarball version.
