https://community.netapp.com/t5/Network-and-Storage-Protocols/No-nfs-SPN-generated/m-p/139136#M9001 <P>hi</P> <P>&nbsp;</P> <P>the host SPN is like a wildcard and should cover for all</P> <P><A href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)" target="_blank">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)</A></P> <P><EM>The built-in SPNs that are recognized for computer accounts are:</EM></P> <P><EM>………</EM></P> <P><EM>These SPNs are recognized for computer accounts if the computer has a host SPN. Unless they are explicitly placed on objects, a host SPN can substitute for any of the above SPNs</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>if you still having an issue (i saw products that hardcoded the dype of delegation they checking for - so&nbsp;indeed not everyone&nbsp;honer this "HOST" delegation). and want to create one the right way is with the following command (in windows):</EM></P> <P><EM>setspn.exe -S NFS/QAVS2-QACL6 QAVS2-QACL6</EM></P> <P><EM>setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6</EM></P> <P>&nbsp;</P> <P><EM>to revert:</EM></P> <P><EM>setspn.exe -D NFS/QAVS2-QACL6 QAVS2-QACL6</EM></P> <P><EM>setspn.exe -D NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6</EM></P> <P>&nbsp;</P> Mon, 26 Mar 2018 12:21:39 GMT GidonMarcus 2018-03-26T12:21:39Z https://community.netapp.com/t5/Network-and-Storage-Protocols/No-nfs-SPN-generated/m-p/139128#M9000 <P>Hey netapper</P> <P>i'm configuring nfsv4 on netapp c-mode 9.1,there is a issue blocking me that is no nfs SPN generated on c-mode server after running</P> <PRE>vserver nfs kerberos interface*&gt; modify -vserver qavs2 -lif lif2 -kerberos enabled -spn nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM -admin-username administrator </PRE> <P>&nbsp;</P> <PRE>qacl6::vserver nfs kerberos interface&gt; show Logical Vserver Interface Address Kerberos SPN -------------- ------------- --------------- -------- ----------------------- qavs1 lif1 10.17.16.108 disabled - qavs2 lif2 10.17.16.109 enabled nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM 2 entries were displayed. </PRE> <P>&nbsp;</P> <P>only&nbsp;host/* SPNs returned,i believe they are created when joining c-mode to domain actually,also tried add nfs/qavs2-qacl6.qa.arkivio.com via ADSI EDIT on c-mode account get error saying&nbsp;added SPN is not unique in domain,any idea how can i make nfs/* spn comes up?</P> <P>thanks</P> <P>&nbsp;</P> <PRE>C:\&gt;setspn -L -C qavs2-qacl6 Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivi o,DC=com: HOST/qavs2-qacl6.qa.arkivio.com HOST/QAVS2-QACL6</PRE> Wed, 04 Jun 2025 13:52:51 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/No-nfs-SPN-generated/m-p/139128#M9000 XQ10907RS 2025-06-04T13:52:51Z https://community.netapp.com/t5/Network-and-Storage-Protocols/No-nfs-SPN-generated/m-p/139136#M9001 <P>hi</P> <P>&nbsp;</P> <P>the host SPN is like a wildcard and should cover for all</P> <P><A href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)" target="_blank">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)</A></P> <P><EM>The built-in SPNs that are recognized for computer accounts are:</EM></P> <P><EM>………</EM></P> <P><EM>These SPNs are recognized for computer accounts if the computer has a host SPN. Unless they are explicitly placed on objects, a host SPN can substitute for any of the above SPNs</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>if you still having an issue (i saw products that hardcoded the dype of delegation they checking for - so&nbsp;indeed not everyone&nbsp;honer this "HOST" delegation). and want to create one the right way is with the following command (in windows):</EM></P> <P><EM>setspn.exe -S NFS/QAVS2-QACL6 QAVS2-QACL6</EM></P> <P><EM>setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6</EM></P> <P>&nbsp;</P> <P><EM>to revert:</EM></P> <P><EM>setspn.exe -D NFS/QAVS2-QACL6 QAVS2-QACL6</EM></P> <P><EM>setspn.exe -D NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6</EM></P> <P>&nbsp;</P> Mon, 26 Mar 2018 12:21:39 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/No-nfs-SPN-generated/m-p/139136#M9001 GidonMarcus 2018-03-26T12:21:39Z https://community.netapp.com/t5/Network-and-Storage-Protocols/No-nfs-SPN-generated/m-p/139164#M9006 <P>Hi GidonMarcus, thanks for the explanation for setspn</P> <P>After struggling with c-mode SPN i found nfs/* SPN acutally created on NFS-QAVS2-QACL6 account after running</P> <PRE>vserver nfs kerberos interface*&gt; modify -vserver qavs2 -lif lif2 -kerberos enabled -spn nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM -admin-username administrator</PRE> <P>&nbsp;</P> <P>&nbsp;</P> <PRE>C:\Users\administrator.QA&gt;setspn -L -C NFS-QAVS2-QACL6 Registered ServicePrincipalNames for CN=NFS-QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com: nfs/qavs2-qacl6.qa.arkivio.com nfs/nfs-qavs2-qacl6.qa.arkivio.com nfs/NFS-QAVS2-QACL6 HOST/nfs-qavs2-qacl6.qa.arkivio.com HOST/NFS-QAVS2-QACL6</PRE> <P>&nbsp;</P> <P>&nbsp; <BR />nfs/* is missing on QAVS2-QACL6</P> <PRE>C:\Users\administrator.QA&gt;setspn -L -C QAVS2-QACL6 Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com: HOST/qavs2-qacl6.qa.arkivio.com HOST/QAVS2-QACL6</PRE> <P>&nbsp;</P> <P><BR />tried manually adding nfs/* to QAVS2-QACL6 with setspn with no luck as per TR4073 we definitely need SPN nfs/qavs2-qacl6.qa.arkivio.com for qavs2-qacl6.qa.arkivio.com instead of nfs-qavs2-qacl6.qa.arkivio.com(evening not exist in DNS)<BR />any idea how to create nfs/qavs2-qacl6.qa.arkivio.com for qavs2-qacl6.qa.arkivio.com?(tried in ADSI EDIT deleting current qavs2-qacl6.qa.arkivio.com,and rename nfs-qavs2-qacl6.qa.arkivio.com to qavs2-qacl6.qa.arkivio.com,it's not working)&nbsp;&nbsp;</P> <P>&nbsp;</P> <PRE>C:\Users\administrator.QA&gt;setspn.exe -S nfs/qavs2-qacl6 qavs2-qacl6 Registering ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com nfs/qavs2-qacl6 Updated object C:\Users\administrator.QA&gt;setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6 Checking domain DC=qa,DC=arkivio,DC=com CN=NFS-QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com nfs/qavs2-qacl6.qa.arkivio.com nfs/nfs-qavs2-qacl6.qa.arkivio.com nfs/NFS-QAVS2-QACL6 HOST/nfs-qavs2-qacl6.qa.arkivio.com HOST/NFS-QAVS2-QACL6 Duplicate SPN found, aborting operation! </PRE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;i suspect following mount error is caused by nfs/* is missing on qavs2-qacl6.qa.arkivio.com</P> <PRE>[auto-stor@qa.arkivio.com@ark-centos-smb4 ~]$ sudo mount -t nfs -o v4.0,sec=krb5 qavs2-qacl6.qa.arkivio.com:/vol2/vol2nfs1 /nfs4-mnt-dir [sudo] password for auto-stor@qa.arkivio.com: mount.nfs: access denied by server while mounting qavs2-qacl6.qa.arkivio.com:/vol2/vol2nfs1</PRE> <P>&nbsp;</P> Tue, 27 Mar 2018 03:32:36 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/No-nfs-SPN-generated/m-p/139164#M9006 XQ10907RS 2018-03-27T03:32:36Z