Active IQ Unified Manager Discussions

Can't join RedHat IDM Domain

MDiOrio
OnCommand 9.0, trying to join an NFS SVM to the RedHat 7.2 IDM Domain and it's failing saying the SPN already exists, which it absolutely doesn't.  Just brought up this IDM domain so nothing is joined to it yet.
I've tried renaming the SVM and joining it with a new name, still get the same SPN already exists failure.  We can't do autoFS of user home directories without it joined to the domain supposedly.  Any ideas?  Thanks!
la-6pna01::vserver nfs> kerberos-config modify -vserver la-6pnasvmnfs03 -lif la-6pnasvmnfs02_nfs_lif1 -kerberos enabled -spn nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTERNAL-IDM.DOMAIN.COM -admin-username mdadmin

Password:

Error: NFS Kerberos bind SPN procedure failed
[ 0 ms] Creating account in Unix KDC
[ 43] Successfully connected to ip 10.85.128.8, port 749 using
TCP
**[ 52] FAILURE: Unexpected state: Error 1142 at
** file:src/utils/secd_kadmin_utils.cpp
** func:createVifKrbAccountUsingKadmin line:219
**[ 52] FAILURE: spn already exists. Failed to reuse spn
** 'nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTER
** NAL-IDM.DOMAIN.COM' using admin spn
** 'mdadmin@INTERNAL-IDM.DOMAIN.COM', error: Unknown
** code 0
[ 53] Uncaptured failure while creating account

Error: command failed: Failed to enable NFS Kerberos on LIF
"la-6pnasvmnfs02_nfs_lif1". Failed to bind service principal name on LIF
"la-6pnasvmnfs02_nfs_lif1". cifs smb kadmin error.

ac123
I have exactly the same symptoms. Looking at the logs on the KDC server, I can see that my admin user (i.e. the user I am using to create the principal and retrieve the keytab) is problematic:

/var/log/kadmind.log

Unauthorized request: kadm5_get_principal, nfs/blah@REALM, client=myadminuser@REALM, service=kadmin/admin@REALM
The issue appears to relate to the privs that a normal user vs an admin user has.
I think the best option, if possible, is to create the principal and keytab file using ipa commands on a Linux box and to temporarily put it on a web server.

Alternatively you may be able to configure IPA to add the relevant privs to your account so it can do that with password auth.
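Added example (not code from either poster): a small shell helper that pulls the denied kadmin operations out of kadmind.log, which is where the real cause hides behind ONTAP's misleading "spn already exists" message, plus the IPA commands the reply alludes to for creating the service principal and keytab on a Linux box. The log lines are constructed to mirror the one quoted above; host names, the IPA server name and the keytab path are assumptions.

```shell
#!/bin/sh
# Print one line per denied kadmin operation: <client> <operation> <target principal>.
# Usage: kadmind_denials /var/log/kadmind.log
kadmind_denials() {
    awk '
        /Unauthorized request:/ {
            # Format as seen in the thread:
            # Unauthorized request: <op>, <target>, client=<who>, service=<svc>[, addr=<ip>]
            sub(/.*Unauthorized request: /, "")
            n = split($0, f, /, /)
            op = f[1]; target = f[2]
            client = f[3]; sub(/^client=/, "", client)
            printf "%s %s %s\n", client, op, target
        }' "$1"
}

# Count denials attributed to one admin user; a non-zero count means the account
# used for "kerberos-config modify" lacks kadmin privileges, not that the SPN exists.
denials_for_user() {
    kadmind_denials "$2" | awk -v u="$1" '$1 == u { c++ } END { print c+0 }'
}

# The workaround from the reply: create the NFS service principal and fetch its
# keytab with IPA tools (needs a reachable IPA server and a valid admin ticket).
# Not exercised below; it only documents the commands.
create_nfs_keytab() {
    spn="$1"        # e.g. nfs/la-6pnasvmnfs03.internal-idm.domain.com (assumed)
    ipaserver="$2"  # e.g. idm01.internal-idm.domain.com (assumed)
    out="$3"        # keytab file to transfer to the SVM afterwards
    ipa service-add "$spn" && ipa-getkeytab -s "$ipaserver" -p "$spn" -k "$out"
}

# Constructed sample kadmind.log: one successful kadm5_init, one denied lookup.
sample_log="$(mktemp)"
cat >"$sample_log" <<'EOF'
Jan 01 12:00:00 kdc kadmind[123](Notice): Request: kadm5_init, mdadmin@INTERNAL-IDM.DOMAIN.COM, success, client=mdadmin@INTERNAL-IDM.DOMAIN.COM, service=kadmin/admin@INTERNAL-IDM.DOMAIN.COM, addr=10.85.128.20
Jan 01 12:00:01 kdc kadmind[123](Notice): Unauthorized request: kadm5_get_principal, nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTERNAL-IDM.DOMAIN.COM, client=mdadmin@INTERNAL-IDM.DOMAIN.COM, service=kadmin/admin@INTERNAL-IDM.DOMAIN.COM, addr=10.85.128.20
EOF

kadmind_denials "$sample_log"
echo "denials for mdadmin: $(denials_for_user mdadmin@INTERNAL-IDM.DOMAIN.COM "$sample_log")"
```

Run it against the real /var/log/kadmind.log on the IPA server while repeating the ONTAP command; a denial for your admin principal confirms the privilege problem rather than a duplicate SPN.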