topic Re: cannot update kerberos keytab (Ontap 9.11) in ONTAP Discussions

cannot update kerberos keytab (Ontap 9.11)

yongbin — Tue, 20 Jan 2026 10:30:57 GMT

I accidentally update my nfs service kerberos keytab in a different machine with `ipa-getkeytab` command. After that nfs clients disconnected from the storage one by one. (after credentials are expired I guess).

So I need to update kerberos keytab and register it to Ontap.

I ran a command.

vserver nfs kerberos interface enable -lif stor01 -vserver vs1 -keytab-uri http://url-to/kerberos.keytab

Then I got this result.

Error: command failed: Kerberos is already enabled on this LIF

So I try to disable it first instead.

vserver nfs kerberos interface disable -lif stor01 -vserver vs1

I typed admin username and password and 'y' to the following instruction.

Warning: This command deletes the service principal name "nfs/stor01.in.kzmdstu.com@IN.KZMDSTU.COM" from the machine account on the KDC. Do you want to continue? {y|n}:

I got this error.

Error: command failed: Failed to disable NFS Kerberos on LIF "stor01". Failed to delete the account associated with the Kerberos service principal name. Reason: Kerberos Error: Unknown error.

So I cannot enable nor disable.

How can I inspect the problem?

Re: cannot update kerberos keytab (Ontap 9.11)

yongbin — Tue, 20 Jan 2026 12:21:20 GMT

after set -previliege diagnostic

I was able to disable with vserver nfs kerberos interface disable -lif stor01 -vserver vs1 -force true

then enable it withvserver nfs kerberos interface enable ...

but still it doesn't allow nfs access.

event show log shows me this log

1/20/2026 20:46:48 netapp01 ERROR secd.nfsAuth.problem: vserver (vs1) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 0 ms] Using the NFS service credential for logical interface 1026 (SPN='nfs/stor01') from cache.
**[ 0] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Decrypt integrity check failed).

Which is weird because I've just updated all nfs keytabs...

Re: cannot update kerberos keytab (Ontap 9.11)

Baefisch — Tue, 17 Feb 2026 13:48:43 GMT

get the same. Any new information here?

Not able to user Kerberos on Redhat IDM and Netapp NFS v4.

Re: cannot update kerberos keytab (Ontap 9.11)

yongbin — Thu, 19 Feb 2026 12:50:55 GMT

@Baefisch wrote:
get the same. Any new information here?
Not able to user Kerberos on Redhat IDM and Netapp NFS v4.

For me, clients are reconnected after some time (some hours) from the fix. I guess it because of cache system. But I am not sure.

One thing I noticed is macs were able to connect right away with the fix. but linux machines took some time.

Hope it helps.

Re: cannot update kerberos keytab (Ontap 9.11)

Baefisch — Mon, 09 Mar 2026 07:29:24 GMT

i was able to mount nfsV4 with kerberos. Created a Ticket on netapp an redhat.
Especcaly mr. Diddens/Netapp did a create job and recreated my problem.

Strange. Exactly did the same steps. Beside the cat /etc/krb5.conf.d/crypto-policies part. I wrote more options found in another post. But this are the steps which work. Maybe the ordering of the cryptos are important?

######## Redhat ################ ### create Keytab kinit admin ipa host-add svm-lan-nas-01-lif1.ipa.bla.blub ipa service-add nfs/svm-lan-nas-01-lif1.ipa.bla.blub ##### only sha1 IMPORTANT!!!! ipa-getkeytab -p nfs/svm-lan-nas-01-lif1.ipa.bla.blub -k ./nfs.keytab_for_ticket -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 ### copy keytab to any webserver cp nfs.keytab_for_ticket wsv103.ipa.bla.blub:/var/www #### Change Crypto Policy cat /etc/krb5.conf.d/crypto-policies [libdefaults] permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 ######## on NETAPP svm ######## ## create export policy for kerberos .... ### create Kerberos Realm ipa.bla.blub KDC = 192.168.XX.XX Port = 88 ### create LDAP Source lsv3000.ipa.bla.blub dc=ipa,dc=bla,dc=blub 389 Anonymous admin@ipa.bla.blub ## Kerberos to Unix mapping (.+)\$@.* --> root host/.*@.* --> admin (.*)@.* --> \1 ## enable LIF for Kerberos kerberos interface enable -lif svm-lan-nas-01-lif1 -vserver svm-lan-nas-01 -spn nfs/svm-lan-nas-01-lif1.ipa.bla.blub@ipa.bla.blub -keytab-uri http://wsv103.bla.blub/nfs.keytab_for_ticket ##### Volume mount mount -o sec=krb5,nfsvers=4,minorversion=1 svm-lan-nas-01-lif1.ipa.bla.blub:/wf2009_nfs_01 /mnt