I have been trying to configure my Splunk instance (on Windows) to be run by an MSA.
I was never able to install Splunk and configure it to MSA execution in one single step. The closest I got to this goal was using the following command:
***msiexec.exe /i splunk-7.0.3-fa31da744b51-x64-release.msi AGREETOLICENSE=Yes LOGON_USERNAME=\Splunk LOGON_PASSWORD="" LAUNCHSPLUNK=0 /lv C:\SplunkInstall.log /qb***
which resulted in the following SplunkInstall.log error:
***SetupServiceConfig: Error: ChangeServiceConfig failed 0x421
SetupServiceConfig: Error: 0x80004005: Cannot setup splunkd
CustomAction SetupServiceConfig returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)***
Instead I tried to install Splunk to run as "Local System" user (since I know this works when I use the msi GUI) and then (prior to Splunk's frist launch) manually change Splunk to run as the MSA. I got further along the process this way, as I was able to successfully install Splunk using the following cmdline:
***msiexec.exe /i splunk-7.0.3-fa31da744b51-x64-release.msi AGREETOLICENSE=Yes SPLUNKPASSWORD=MyNewPassword123 LAUNCHSPLUNK=0 /lv C:\SplunkInstall.log /qb***
SplunkInstall.log reported no errors, and so I executed the steps to change the user executing Splunk (described here: ○ http://docs.splunk.com/Documentation/Splunk/5.0.3/Installation/CorrectingtheuserselectedduringWindowsinstallation
).
The issue I am now facing is neither Splunkd Service service nor splunkweb (legacy) are starting. When I attempted to start Splunk via cmdline I found the following error in $SPLUNK_HOME\var\log\splunk\splunkd-utility.log:
***ERROR UserManagerPro - The password cannot be set to the default password
ERROR AdminHandler:AuthenticationHandler - The password cannot be set to the default password.***
Side Note: $SPLUNK_HOME\etc\passwd ends in the following test
... ***::Administrator:admin:changeme@example.com::***
When I attempted to start the service from the Windows' GUI "Services", I receive the following popup error:
***Windows could not start the Splunkd Service service on Local Computer
Error 1067: The process terminated unexpectedly.***
Side note: In an attempt to fix the "Windows could not start the Splunkd Service" issue I attempted the regedit command (regedit HKLM) detailed here: https://answers.splunk.com/answers/146016/windows-could-not-start-the-splunkd-or-splunkforwarder-service-on-local-computer-cannot-find-file-specified.html
This resulted in an error popup stating the following:
***Cannot import HKLM: Error opening the file. There may be a disk or file system error.***
↧