2016-10-19 12:42 PM
OnCommand 9.0, trying to join an NFS SVM to the RedHat 7.2 IDM Domain and it's failing saying the SPN already exists, which it absolutely doesn't. Just brought up this IDM domain so nothing is joined to it yet.
I've tried renaming the SVM and joining it with a new name, still get the same SPN already exists failure. We can't do autoFS of user home directories without it joined to the domain supposedly. Any ideas? Thanks!
la-6pna01::vserver nfs> kerberos-config modify -vserver la-6pnasvmnfs03 -lif la-6pnasvmnfs02_nfs_lif1 -kerberos enabled -spn nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTERNAL-IDM.DOMAIN.COM -admin-username mdadmin
Error: NFS Kerberos bind SPN procedure failed
[ 0 ms] Creating account in Unix KDC
[ 43] Successfully connected to ip 10.85.128.8, port 749 using
**[ 52] FAILURE: Unexpected state: Error 1142 at
** func:createVifKrbAccountUsingKadmin line:219
**[ 52] FAILURE: spn already exists. Failed to reuse spn
** NAL-IDM.DOMAIN.COM' using admin spn
** 'mdadmin@INTERNAL-IDM.DOMAIN.COM', error: Unknown
** code 0
[ 53] Uncaptured failure while creating account
Error: command failed: Failed to enable NFS Kerberos on LIF
"la-6pnasvmnfs02_nfs_lif1". Failed to bind service principal name on LIF
"la-6pnasvmnfs02_nfs_lif1". cifs smb kadmin error.
2 weeks ago - last edited 2 weeks ago
I have exactly the same symptoms - looking at the logs in the KDC server I can see that my admin user (i.e. the user I am using to create the principle and retrieve the keytab) is problematic
Unauthorized request: kadm5_get_principal, nfs/blah@REALM, client=myadminuser@REALM, service=kadmin/admin@REALM
The issue appears to relate to the privs that a normal user vs an admin user has.
I think the best option if possible is to create the principal and keytab file using ipa commands on a linux box and to temporarily put it on a webserver.
Alternatively you may be able to configure IPA to add the relevant privs to your account so it can do that with password auth.