
Active IQ Unified Manager Discussions

Can't join RedHat IDM Domain

MDiOrio

OnCommand 9.0, trying to join an NFS SVM to the RedHat 7.2 IDM Domain and it's failing saying the SPN already exists, which it absolutely doesn't.  Just brought up this IDM domain so nothing is joined to it yet.


I've tried renaming the SVM and joining it with a new name, still get the same SPN already exists failure.  We can't do autoFS of user home directories without it joined to the domain supposedly.  Any ideas?  Thanks!


la-6pna01::vserver nfs> kerberos-config modify -vserver la-6pnasvmnfs03 -lif la-6pnasvmnfs02_nfs_lif1 -kerberos enabled -spn nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTERNAL-IDM.DOMAIN.COM -admin-username mdadmin

Password:

Error: NFS Kerberos bind SPN procedure failed
[ 0 ms] Creating account in Unix KDC
[ 43] Successfully connected to ip 10.85.128.8, port 749 using
TCP
**[ 52] FAILURE: Unexpected state: Error 1142 at
** file:src/utils/secd_kadmin_utils.cpp
** func:createVifKrbAccountUsingKadmin line:219
**[ 52] FAILURE: spn already exists. Failed to reuse spn
** 'nfs/la-6pnasvmnfs03.internal-idm.domain.com@INTER
** NAL-IDM.DOMAIN.COM' using admin spn
** 'mdadmin@INTERNAL-IDM.DOMAIN.COM', error: Unknown
** code 0
[ 53] Uncaptured failure while creating account

Error: command failed: Failed to enable NFS Kerberos on LIF
"la-6pnasvmnfs02_nfs_lif1". Failed to bind service principal name on LIF
"la-6pnasvmnfs02_nfs_lif1". cifs smb kadmin error.


ac123

I have exactly the same symptoms - looking at the logs in the KDC server I can see that my admin user (i.e. the user I am using to create the principal and retrieve the keytab) is problematic


/var/log/kadmind.log

Unauthorized request: kadm5_get_principal, nfs/blah@REALM, client=myadminuser@REALM, service=kadmin/admin@REALM


The issue appears to relate to the privs that a normal user vs an admin user has.


I think the best option if possible is to create the principal and keytab file using ipa commands on a Linux box and to temporarily put it on a web server.


Alternatively you may be able to configure IPA to add the relevant privs to your account so it can do that with password auth.
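To confirm the privilege diagnosis from the reply above on your own IdM KDC, here is an added shell example (not posted by either participant) that scans a kadmind.log for denied kadmin requests and reports which admin principal was refused which operation. The sample log lines are constructed to follow the "Unauthorized request" format quoted above, with a hypothetical syslog-style prefix.

```shell
#!/bin/sh
# Triage helper: find kadmin operations that the KDC refused, so a
# "spn already exists" error from ONTAP can be told apart from an admin
# account that simply lacks kadmin privileges in IPA.

# Constructed sample of /var/log/kadmind.log (not a real capture); the
# timestamp/host prefix is hypothetical, the message body matches the
# format quoted in the reply above.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jan 01 00:00:01 idm.example.com kadmind[1234](Notice): Unauthorized request: kadm5_get_principal, nfs/blah@REALM, client=myadminuser@REALM, service=kadmin/admin@REALM
Jan 01 00:00:02 idm.example.com kadmind[1234](Notice): Request: kadm5_init, myadminuser@REALM, success, client=myadminuser@REALM, service=kadmin/admin@REALM
Jan 01 00:00:03 idm.example.com kadmind[1234](Notice): Unauthorized request: kadm5_create_principal, nfs/blah@REALM, client=myadminuser@REALM, service=kadmin/admin@REALM
EOF

# Print one "operation target-principal client-principal" triple per
# refused request; lines without "Unauthorized request" are ignored.
denied_requests() {
    sed -n 's/.*Unauthorized request: \([^,]*\), \([^,]*\), client=\([^,]*\),.*/\1 \2 \3/p' "$1"
}

# Summarise refusals per admin (client) principal: "client count".
denied_admins() {
    denied_requests "$1" | awk '{ n[$3]++ } END { for (c in n) print c, n[c] }'
}

# Number of refusals attributed to one specific client principal.
denied_count_for() {
    denied_requests "$1" | awk -v c="$2" '$3 == c' | wc -l | tr -d ' '
}

# Stand-alone run: list which admin principals the KDC is refusing and how often.
denied_admins "$SAMPLE_LOG"
```

A non-zero count for the admin user you pass to the ONTAP kerberos-config command points at missing kadmin privileges for that account rather than a genuinely pre-existing SPN.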
