
How to modify Kerberos interface SPN

IHAC is testing NFSv4 + Kerberos (MIT) on cDOT 8.3.1P1.

I ran into a problem when trying to change the LIF SPN; the test scenario is as below:

1. The LIFs have Kerberos enabled and have their SPNs. Now I want to change to another SPN.

nyn001c1::*> vserver nfs kerberos inter show
               Logical
Vserver        Interface     Address         Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
nyn001f1       nyn001f1_data1
                             172.31.120.75   enabled  nfs/nyn001f1.xx.com@is1.abc
nyn001f1       nyn001f1_data2
                             172.31.120.76   enabled  nfs/nyn001f2.xx.com@is1.abc


2. nfs kerberos interface modify: the error indicates that Kerberos must be disabled first.

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos enabled -spn nfs/nyn001f3.xx.com@is1.abc -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f3.keytab

Error: command failed: Kerberos is already enabled on this LIF                            -> should disable Kerberos interface first


3. Disable Kerberos interface

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled

Username:                                                                                                     -> admin-username and passwd are needed, but there is no username and passwd because keytab-file is used

Error: command failed: The "admin-user-name" parameter is empty. Please specify a value for "keytab-uri", or for "admin-user-name" and "admin-password".


nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -
    -spn            -admin-username -keytab-uri     -ou
    -force

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab

Error: command failed: Cannot specify service principal name or Keytab URL while disabling Kerberos.

nyn001c1::*>

So how can I disable the Kerberos interface and modify the LIF SPN?

Re: How to modify Kerberos interface SPN

Try disabling using -force.

::> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -force

Then run "enable" with the new keytab/SPN.

Re: How to modify Kerberos interface SPN

Hi Parisi,

Tried disabling with force, but it still needs the admin-username and password. Did that work in your test?

Re: How to modify Kerberos interface SPN

Not able to test, as my lab is in shambles.

Try this?


nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos enabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab

Re: How to modify Kerberos interface SPN

Thanks Parisi,

What does this command mean? Try to modify what?

The keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab now belongs to LIF nyn001f1_data2.

And if I disable it with the keytab-uri, the error is as below (cannot specify SPN or keytab-file):

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab

Error: command failed: Cannot specify service principal name or Keytab URL while disabling Kerberos.

nyn001c1::*>

Re: How to modify Kerberos interface SPN


I simply changed your command to use "-kerberos enabled".

That allows the command to modify the SPN rather than trying to disable it *and* modify the SPN at the same time.

Run the 2nd command like this:

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled

It doesn't like it when you specify the URI with the disable.

For admin/password, perhaps try the cluster admin/password.

Re: How to modify Kerberos interface SPN

Yes Parisi,

I found that burt #803175 describes it, and I tried the force option with any username and passwd (abc123 or anything else). It works out that I can disable Kerberos, but this way of configuring it is a little weird.


nyn001c1::vserver nfs kerberos interface*> modify -vserver nyn001f1 -lif nyn001f1_data1 -kerberos disabled -force true
Username: 1234
Password:
Warning: Kerberos configuration for LIF "nyn001f1_data1" in Vserver "nyn001f1" will be deleted. An attempt will be made to delete the corresponding account on the KDC. If you see warnings or errors, contact your KDC administrator to verify the status of the KDC account and delete it, if necessary. Do you want to continue?
{y|n}: y
Could not delete account on KDC when disabling Kerberos in LIF "nyn001f1_data1" in Vserver "nyn001f1". Reason: Failed to delete the account associated with the Kerberos service principal name. Reason: cifs smb kadmin error.
Disabled Kerberos on LIF "nyn001f1_data1" with service principal name "nfs/nyn001f1.ms.com@is1.morgan" in Vserver "nyn001f1".
nyn001c1::vserver nfs kerberos interface*> show
               Logical
Vserver        Interface     Address         Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
nyn001f1       nyn001f1_data1
                             172.31.120.75   disabled -
......

Re: How to modify Kerberos interface SPN

How is your realm defined (vserver nfs kerberos realm show)?

Re: How to modify Kerberos interface SPN


nyn001c1::> vserver nfs kerberos realm show
         Kerberos                 Active Directory KDC        KDC
Vserver  Realm                    Server           Vendor     IP Address
-------- ------------------------ ---------------- ---------- -----------------
nyn001f1
         is1.abc               -                Other      x.x.x.x

nyn001c1::>
nyn001c1::>
nyn001c1::> vserver nfs kerberos realm show -instance

                           Vserver: nyn001f1
                    Kerberos Realm: is1.abc
                        KDC Vendor: Other
                    KDC IP Address: x.x.x.x
                          KDC Port: 88
                        Clock Skew: 300
      Active Directory Server Name: -
Active Directory Server IP Address: -
                           Comment: -
           Admin Server IP Address: a.a.a.a
                 Admin Server Port: 749
        Password Server IP Address: a.a.a.a
              Password Server Port: 464
        Permitted Encryption Types: aes-256, aes-128, des3, des

nyn001c1::>
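The "-kerberos enabled ... -spn ... -keytab-uri ..." step earlier in the thread only succeeds if the keytab fetched from the URI actually carries a key for the new SPN in an encryption type the realm permits (the "Permitted Encryption Types: aes-256, aes-128, des3, des" line in the realm output above). The following Python script is an added example, not part of this thread or of ONTAP, that parses an MIT-format (0x0502) keytab offline and reports whether it is usable for a given SPN before the file is published at the keytab-uri. It goes beyond the single SPN discussed here: it handles any number of principals and enctypes in one file. The sample keytab is constructed inline with all-zero placeholder key bytes; the principal names reuse the thread's nyn001f2/nyn001f3 examples and the enctype-name mapping is an assumption about how the realm output labels the standard enctype numbers.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / MIT krb5 registry), mapped to the
# labels the realm output prints. Assumption: these labels correspond to
# the standard enctype numbers listed here.
ENCTYPE_NAMES = {
    18: "aes-256",   # aes256-cts-hmac-sha1-96
    17: "aes-128",   # aes128-cts-hmac-sha1-96
    16: "des3",      # des3-cbc-sha1
    23: "rc4-hmac",  # not in the realm's permitted list
    3:  "des",       # des-cbc-md5
    1:  "des",       # des-cbc-crc
}


def _octet_string(buf, pos):
    """Read a counted_octet_string (uint16 length + bytes) from buf at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (file format version 0x0502) into a list of dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _octet_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octet_string(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen       # the key material itself is not needed for this check
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": timestamp})
    return entries


def check_keytab_for_spn(data, spn, permitted):
    """Return a list of problems; an empty list means the keytab has a key for
    `spn` in at least one enctype named in `permitted`."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == spn]
    if not matching:
        found = sorted({e["principal"] for e in entries})
        return [f"no key for {spn}; keytab holds {found}"]
    usable = [e for e in matching if ENCTYPE_NAMES.get(e["enctype"]) in permitted]
    if not usable:
        have = sorted(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in matching)
        return [f"no permitted enctype for {spn}: keytab has {have}"]
    return []


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes.
    Used here only to construct the sample file for the demonstration."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the new SPN with AES keys, plus a stale principal that
# only has an rc4-hmac key. Key bytes are zero placeholders, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("nfs/nyn001f3.xx.com@is1.abc", 3, 18, bytes(32)),
    ("nfs/nyn001f3.xx.com@is1.abc", 3, 17, bytes(16)),
    ("nfs/nyn001f2.xx.com@is1.abc", 2, 23, bytes(16)),
])
# Taken from the realm's "Permitted Encryption Types" line.
PERMITTED = {"aes-256", "aes-128", "des3", "des"}

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
    for spn in ("nfs/nyn001f3.xx.com@is1.abc", "nfs/nyn001f2.xx.com@is1.abc"):
        print(spn, check_keytab_for_spn(SAMPLE_KEYTAB, spn, PERMITTED) or "OK")
```

Run it against a real file with `check_keytab_for_spn(open("nyn001f3.keytab", "rb").read(), "nfs/nyn001f3.xx.com@is1.abc", PERMITTED)` before pointing -keytab-uri at it; the two failure modes it reports (SPN absent, or present only in an enctype the realm rejects) are the ones that otherwise surface as an enable failure on the LIF, after which the disable-with-force dance above has to be repeated.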