https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Can-t-join-RedHat-IDM-Domain/m-p/137137#M24852 <P>I have exactly the same symptoms - looking at the logs in the KDC server I can see that my admin user (i.e. the user I am using to create the principle and retrieve the keytab) is problematic</P><P>&nbsp;</P><P>/var/log/kadmind.log</P><P>Unauthorized request: kadm5_get_principal, nfs/blah@REALM, client=myadminuser@REALM, service=kadmin/admin@REALM</P><P>&nbsp;</P><P>The issue appears to relate to the privs that a normal user vs an admin user has.</P><P>&nbsp;</P><P>I think the best option if possible is to create the principal and keytab file using ipa commands on a linux box and to temporarily put it on a webserver.</P><P>&nbsp;</P><P>Alternatively you may be able to configure IPA to add the relevant privs to your account so it can do that with password auth.</P> Mon, 08 Jan 2018 16:15:38 GMT ac123 2018-01-08T16:15:38Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Can-t-join-RedHat-IDM-Domain/m-p/124415#M22325 <P>OnCommand 9.0, trying to join an NFS SVM to the RedHat 7.2 IDM Domain and it's failing saying the SPN already exists, which it absolutely doesn't. &nbsp;Just brought up this IDM domain so nothing is joined to it yet.</P><P>&nbsp;</P><P>I've tried renaming the SVM and joining it with a new name, still get the same SPN already exists failure. &nbsp;We can't do autoFS of user home directories without it joined to the domain supposedly. &nbsp;Any ideas? &nbsp;Thanks!</P><P>&nbsp;</P><P>&nbsp;</P><P>la-6pna01::vserver nfs&gt; kerberos-config modify -vserver la-6pnasvmnfs03 -lif la-6pnasvmnfs02_nfs_lif1 -kerberos enabled -spn nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTERNAL-IDM.DOMAIN.COM -admin-username mdadmin</P><P>Password:</P><P>Error: NFS Kerberos bind SPN procedure failed<BR />[ 0 ms] Creating account in Unix KDC<BR />[ 43] Successfully connected to ip 10.85.128.8, port 749 using<BR />TCP<BR />**[ 52] FAILURE: Unexpected state: Error 1142 at<BR />** file:src/utils/secd_kadmin_utils.cpp<BR />** func:createVifKrbAccountUsingKadmin line:219<BR />**[ 52] FAILURE: spn already exists. Failed to reuse spn<BR />** 'nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTER<BR />** NAL-IDM.DOMAIN.COM' using admin spn<BR />** 'mdadmin@INTERNAL-IDM.DOMAIN.COM', error: Unknown<BR />** code 0<BR />[ 53] Uncaptured failure while creating account</P><P>Error: command failed: Failed to enable NFS Kerberos on LIF<BR />"la-6pnasvmnfs02_nfs_lif1". Failed to bind service principal name on LIF<BR />"la-6pnasvmnfs02_nfs_lif1". cifs smb kadmin error.</P> Wed, 19 Oct 2016 19:42:22 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Can-t-join-RedHat-IDM-Domain/m-p/124415#M22325 MDiOrio 2016-10-19T19:42:22Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Can-t-join-RedHat-IDM-Domain/m-p/137137#M24852 <P>I have exactly the same symptoms - looking at the logs in the KDC server I can see that my admin user (i.e. the user I am using to create the principle and retrieve the keytab) is problematic</P><P>&nbsp;</P><P>/var/log/kadmind.log</P><P>Unauthorized request: kadm5_get_principal, nfs/blah@REALM, client=myadminuser@REALM, service=kadmin/admin@REALM</P><P>&nbsp;</P><P>The issue appears to relate to the privs that a normal user vs an admin user has.</P><P>&nbsp;</P><P>I think the best option if possible is to create the principal and keytab file using ipa commands on a linux box and to temporarily put it on a webserver.</P><P>&nbsp;</P><P>Alternatively you may be able to configure IPA to add the relevant privs to your account so it can do that with password auth.</P> Mon, 08 Jan 2018 16:15:38 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/Can-t-join-RedHat-IDM-Domain/m-p/137137#M24852 ac123 2018-01-08T16:15:38Z