2016-01-31 10:55 PM
IHAC is testing NFSv4 + Kerberos (MIT) on cDOT 8.3.1P1.
I ran into a question when wanting to change the LIF SPN; the test scenario is as below:
1. The LIFs have Kerberos enabled and have their SPNs. Now I want to change to another SPN.
nyn001c1::*> vserver nfs kerberos inter show
Logical
Vserver Interface Address Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
nyn001f1 nyn001f1_data1
172.31.120.75 enabled nfs/nyn001f1.xx.com@is1.abc
nyn001f1 nyn001f1_data2
172.31.120.76 enabled nfs/nyn001f2.xx.com@is1.abc
2. NFS Kerberos modify: the error indicates that Kerberos must be disabled first;
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos enabled -spn nfs/nyn001f3.xx.com@is1.abc -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f3.keytab
Error: command failed: Kerberos is already enabled on this LIF -> should disable Kerberos interface first
3. Disable Kerberos interface
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled
Username: -> admin-username and password are needed, but there is no username and password because a keytab file is used
Error: command failed: The "admin-user-name" parameter is empty. Please specify a value for "keytab-uri", or for "admin-user-name" and "admin-password".
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -
-spn -admin-username -keytab-uri -ou
-force
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab
Error: command failed: Cannot specify service principal name or Keytab URL while disabling Kerberos.
nyn001c1::*>
So how can I disable the Kerberos interface and modify the LIF SPN?
2016-02-01 07:12 AM
Try disabling using -force.
::> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -force
Then run "enable" with the new keytab/SPN.
2016-02-02 06:37 AM
Not able to test, as my lab is in shambles.
Try this?
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos enabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab
2016-02-02 07:14 AM
Thanks Parisi,
What does this command mean? Try to modify what?
The keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab now belongs to LIF nyn001f1_data2.
And if I disable it with the keytab-uri, the error is as below (cannot specify SPN or keytab file):
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab
Error: command failed: Cannot specify service principal name or Keytab URL while disabling Kerberos.
nyn001c1::*>
2016-02-02 07:17 AM - edited 2016-02-02 07:17 AM
I simply changed your command to use "-kerberos enabled"
That allows the command to modify the SPN rather than trying to disable it *and* modify the SPN at the same time.
Run the 2nd command like this:
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled
It doesn't like when you specify the URI with the disable.
For admin/password, perhaps try the cluster admin/password
2016-02-03 02:12 AM
Yes Parisi,
I found burt #803175, which describes it, and I tried the force option with any username and password (abc123 or anything else). It works out that I can disable Kerberos, but this way of configuring it is a little weird.
nyn001c1::vserver nfs kerberos interface*> modify -vserver nyn001f1 -lif nyn001f1_data1 -kerberos disabled -force true
Username: 1234
Password:
Warning: Kerberos configuration for LIF "nyn001f1_data1" in Vserver "nyn001f1" will be deleted. An attempt will be made to delete the corresponding account on the KDC. If you see warnings or errors, contact your KDC administrator to verify the status of the KDC account and delete it, if necessary. Do you want to continue?
{y|n}: y
Could not delete account on KDC when disabling Kerberos in LIF "nyn001f1_data1" in Vserver "nyn001f1". Reason: Failed to delete the account associated with the Kerberos service principal name. Reason: cifs smb kadmin error.
Disabled Kerberos on LIF "nyn001f1_data1" with service principal name "nfs/nyn001f1.ms.com@is1.morgan" in Vserver "nyn001f1".
nyn001c1::vserver nfs kerberos interface*> show
Logical
Vserver Interface Address Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
nyn001f1 nyn001f1_data1 172.31.120.75 disabled -
......
2016-02-03 02:16 AM
How is your realm defined (vserver nfs kerberos realm show)?
2016-02-03 02:35 AM
nyn001c1::> vserver nfs kerberos realm show
Kerberos Active Directory KDC KDC
Vserver Realm Server Vendor IP Address
-------- ------------------------ ---------------- ---------- -----------------
nyn001f1
is1.abc - Other x.x.x.x
nyn001c1::>
nyn001c1::> vserver nfs kerberos realm show -instance
Vserver: nyn001f1
Kerberos Realm: is1.abc
KDC Vendor: Other
KDC IP Address: x.x.x.x
KDC Port: 88
Clock Skew: 300
Active Directory Server Name: -
Active Directory Server IP Address: -
Comment: -
Admin Server IP Address: a.a.a.a
Admin Server Port: 749
Password Server IP Address: a.a.a.a
Password Server Port: 464
Permitted Encryption Types: aes-256, aes-128, des3, des
nyn001c1::>
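The working sequence in this thread is to disable Kerberos on the LIF with -force and then run the modify again with -kerberos enabled and the new SPN and keytab-uri; the enable step will fail or leave a broken mount if the keytab served at that URI does not actually hold the new SPN with an enctype the realm permits (aes-256, aes-128, des3, des in the realm output above). The Python below is an added example, not ONTAP or NetApp code: it parses an MIT version-2 keytab and performs that pre-flight check against a constructed sample keytab whose key material is zeroed and is not a real credential.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962) -> names ONTAP lists under "Permitted Encryption Types".
ENCTYPE_NAMES = {18: "aes-256", 17: "aes-128", 16: "des3", 3: "des", 1: "des", 23: "rc4"}
def _counted(buf, off):  # 16-bit length-prefixed octet string, as used throughout the keytab
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse an MIT version-2 keytab into [(principal, enctype name, kvno)]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:            # negative size marks a deleted slot: skip its bytes
            pos -= size
            continue
        e, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", e[:2])       # v2: component count excludes the realm
        realm, off = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(e, off)
            comps.append(c.decode())
        off += 8                 # skip name_type (int32) and timestamp (uint32)
        kvno, (etype,) = e[off], struct.unpack(">H", e[off + 1:off + 3])
        _key, off = _counted(e, off + 3)
        if off + 4 <= len(e):    # optional 32-bit vno overrides the 8-bit one when non-zero
            kvno = struct.unpack(">I", e[off:off + 4])[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(),
                        ENCTYPE_NAMES.get(etype, "etype-%d" % etype), kvno))
    return entries

def keytab_ok_for_lif(data, spn, permitted):  # pre-flight check before "-kerberos enabled"
    return any(p == spn and et in permitted for p, et, _ in parse_keytab(data))

def make_keytab(entries):  # constructed test keytab with zeroed keys, not real credentials
    out = b"\x05\x02"
    for spn, etype, kvno in entries:
        name, realm = spn.split("@")
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
        body += struct.pack(">iIBH", 1, 0, kvno & 0xFF, etype)   # NT_PRINCIPAL, timestamp, vno8, etype
        body += struct.pack(">H", 32) + b"\x00" * 32 + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample: the SPN the thread moves to, with aes-256 plus an rc4 entry the realm rejects.
SAMPLE = make_keytab([("nfs/nyn001f3.xx.com@is1.abc", 18, 2), ("nfs/nyn001f3.xx.com@is1.abc", 23, 2)])
REALM_PERMITTED = {"aes-256", "aes-128", "des3", "des"}   # from "vserver nfs kerberos realm show"
```

Point parse_keytab at the bytes fetched from the keytab-uri to confirm the SPN and enctypes before re-enabling Kerberos on the LIF.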