How to modify Kerberos interface SPN

Try disabling using -force.

::> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -force

Then run "enable" with the new keytab/SPN.

Hi Parisi,

Tried disable with force, but still need the admin-username and password. Did that works in your test?

Not able to test, as my lab is in shambles.

Try this?

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos enabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab

Thanks Parisi,

What does this command mean. Try to modify what?

The keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab is now belong to LIF nyn001f1_data2

And if I disabe it with the keytab-uri , the error is as bellowcannot specify SPN or Keytab-file)

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab

Error: command failed: Cannot specify service principal name or Keytab URL while disabling Kerberos.

nyn001c1::*>

I simply changed your command to use "-kerberos enabled"

That allows the command to modify the SPN rather than trying to disable it *and* modify the SPN at the same time.

Run the 2nd command like this:

nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled

It doesn't like when you specify the URI with the disable.

 For admin/password, perhaps try the cluster admin/password

Yes Parisi,

I found a burt #803175 is describe it, and I tried the force option with any username and passwd(abc123 or anything else). And it works out that I can disable the kerberos, but a little weird with this configuration way.

nyn001c1::vserver nfs kerberos interface*> modify -vserver nyn001f1 -lif nyn001f1_data1 -kerberos disabled -force true
Username: 1234
Password:
Warning: Kerberos configuration for LIF "nyn001f1_data1" in Vserver "nyn001f1" will be deleted. An attempt will be made to delete the
corresponding account on the KDC. If
you see warnings or errors, contact your KDC administrator to verify the status of the KDC account and delete it, if necessary. Do you want to
continue?
{y|n}: y
Could not delete account on KDC when disabling Kerberos in LIF "nyn001f1_data1" in Vserver "nyn001f1". Reason: Failed to delete the account
associated with the Kerberos
service principal name. Reason: cifs smb kadmin error.
Disabled Kerberos on LIF "nyn001f1_data1" with service principal name "nfs/nyn001f1.ms.com@is1.morgan" in Vserver "nyn001f1".
nyn001c1::vserver nfs kerberos interface*> show
Logical
Vserver Interface Address Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
nyn001f1 nyn001f1_data1 172.31.120.75 disabled -
......

How is your realm defined (vserver nfs kerberos realm show)?

nyn001c1::> vserver nfs kerberos realm show
         Kerberos                 Active Directory KDC        KDC
Vserver  Realm                    Server           Vendor     IP Address
-------- ------------------------ ---------------- ---------- -----------------
nyn001f1
         is1.abc               -                Other      x.x.x.x

nyn001c1::>
nyn001c1::>
nyn001c1::> vserver nfs kerberos realm show -instance

                           Vserver: nyn001f1
                    Kerberos Realm: is1.abc
                        KDC Vendor: Other
                    KDC IP Address: x.x.x.x
                          KDC Port: 88
                        Clock Skew: 300
      Active Directory Server Name: -
Active Directory Server IP Address: -
                           Comment: -
           Admin Server IP Address: a.a.a.a
                 Admin Server Port: 749
        Password Server IP Address: a.a.a.a
              Password Server Port: 464
        Permitted Encryption Types: aes-256, aes-128, des3, des

nyn001c1::>