topic Re: CDOT and Kerberos in ONTAP Discussions

CDOT and Kerberos

Brett_Monroe — Wed, 04 Jun 2025 11:17:24 GMT

Hey all,

It seems that, when setting up a Kerberos realm in CDOT, in the case where the KDC is really Active Directory, I can not include a second(ary) Domain Controller into the realm as a potential failover. Am I mistaken or is this not really a concern?

Thanks,

--Brett

Re: CDOT and Kerberos

Mjizzini — Wed, 04 Mar 2020 04:31:10 GMT

Configuring a Kerberos Realm
A Kerberos realm is needed so that the cluster knows how to format Kerberos ticket requests. Doing so is similar to configuring /etc/krb5.conf on NFS clients.
To create a Kerberos realm, use the following example as a guide for the command to run on the SVM hosting the NFS server:

cluster::> kerberos-realm create -configname REALM -realm DOMAIN.xxxxx.COM -kdc-vendor Microsoft -kdc-ip x.x.x.x -kdc-port 88 -clock-skew 5 -adminserver-ip x.x.x.x -adminserver-port 749 -passwordserver-ip x.x.x.x -passwordserver-port 464 -adserver-name WIN2K8-DC -adserver- ip x.x.x.x

Note: The IP addresses specified in the Kerberos-realm commands are used only during creation of the machine account object or SPN;
these IP addresses are not used for actual Kerberized NFS traffic. Therefore, there is no need to worry about failover or DNS aliases for these commands.
KDC failover for Kerberized traffic is handled using DNS SRV records. For more information, see the section “Domain Controller Redundancy and Replication.”

Referencing tr-4073 " Secure Unified Authentication"

https://www.netapp.com/us/media/tr-4073.pdf

Re: CDOT and Kerberos

Brett_Monroe — Wed, 04 Mar 2020 15:55:55 GMT

Uhh, thanks, Mjizzini, but I already have a working Kerberos config. I'm asking about the possibility of configuring in a "secondary" KDC server in an Active Directory environment (since they would effectively be the same trust "zone").