Network Storage Protocols Discussions

No nfs SPN generated

XQ10907RS

Hey netapper

I'm configuring NFSv4 on NetApp c-mode 9.1. There is an issue blocking me: no nfs SPN is generated on the c-mode server after running

vserver nfs kerberos interface*> modify -vserver qavs2 -lif lif2 -kerberos enabled -spn nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM -admin-username administrator

 

qacl6::vserver nfs kerberos interface> show
               Logical
Vserver        Interface     Address         Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
qavs1          lif1          10.17.16.108    disabled -
qavs2          lif2          10.17.16.109    enabled  nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM
2 entries were displayed.

 

Only host/* SPNs are returned; I believe they are actually created when joining c-mode to the domain. I also tried adding nfs/qavs2-qacl6.qa.arkivio.com via ADSI Edit on the c-mode account and got an error saying the added SPN is not unique in the domain. Any idea how I can make the nfs/* SPN come up?

thanks

 

C:\>setspn -L -C qavs2-qacl6
Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com:
        HOST/qavs2-qacl6.qa.arkivio.com
        HOST/QAVS2-QACL6

1 ACCEPTED SOLUTION

GidonMarcus

hi

 

the host SPN is like a wildcard and should cover for all

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

The built-in SPNs that are recognized for computer accounts are:

………

These SPNs are recognized for computer accounts if the computer has a host SPN. Unless they are explicitly placed on objects, a host SPN can substitute for any of the above SPNs

 

 

If you are still having an issue (I saw products that hardcoded the type of delegation they are checking for, so indeed not everyone honours this "HOST" delegation) and want to create one, the right way is with the following commands (in Windows):

setspn.exe -S NFS/QAVS2-QACL6 QAVS2-QACL6

setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6

 

to revert:

setspn.exe -D NFS/QAVS2-QACL6 QAVS2-QACL6

setspn.exe -D NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK


XQ10907RS

Hi GidonMarcus, thanks for the explanation of setspn.

After struggling with the c-mode SPN, I found the nfs/* SPN is actually created on the NFS-QAVS2-QACL6 account after running

vserver nfs kerberos interface*> modify -vserver qavs2 -lif lif2 -kerberos enabled -spn nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM -admin-username administrator

 

 

C:\Users\administrator.QA>setspn -L -C NFS-QAVS2-QACL6
Registered ServicePrincipalNames for CN=NFS-QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com:
        nfs/qavs2-qacl6.qa.arkivio.com
        nfs/nfs-qavs2-qacl6.qa.arkivio.com
        nfs/NFS-QAVS2-QACL6
        HOST/nfs-qavs2-qacl6.qa.arkivio.com
        HOST/NFS-QAVS2-QACL6

 

 
nfs/* is missing on QAVS2-QACL6

C:\Users\administrator.QA>setspn -L -C QAVS2-QACL6
Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com:
        HOST/qavs2-qacl6.qa.arkivio.com
        HOST/QAVS2-QACL6

 


I tried manually adding nfs/* to QAVS2-QACL6 with setspn with no luck. As per TR-4073 we definitely need the SPN nfs/qavs2-qacl6.qa.arkivio.com for qavs2-qacl6.qa.arkivio.com instead of nfs-qavs2-qacl6.qa.arkivio.com (which doesn't even exist in DNS).
Any idea how to create nfs/qavs2-qacl6.qa.arkivio.com for qavs2-qacl6.qa.arkivio.com? (I tried in ADSI Edit deleting the current qavs2-qacl6.qa.arkivio.com and renaming nfs-qavs2-qacl6.qa.arkivio.com to qavs2-qacl6.qa.arkivio.com; it's not working.)

 

C:\Users\administrator.QA>setspn.exe -S nfs/qavs2-qacl6 qavs2-qacl6
Registering ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com
        nfs/qavs2-qacl6
Updated object

C:\Users\administrator.QA>setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6
Checking domain DC=qa,DC=arkivio,DC=com
CN=NFS-QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com
        nfs/qavs2-qacl6.qa.arkivio.com
        nfs/nfs-qavs2-qacl6.qa.arkivio.com
        nfs/NFS-QAVS2-QACL6
        HOST/nfs-qavs2-qacl6.qa.arkivio.com
        HOST/NFS-QAVS2-QACL6

Duplicate SPN found, aborting operation!  

 

 

 

I suspect the following mount error is caused by nfs/* missing on qavs2-qacl6.qa.arkivio.com:

[auto-stor@qa.arkivio.com@ark-centos-smb4 ~]$ sudo mount -t nfs -o v4.0,sec=krb5 qavs2-qacl6.qa.arkivio.com:/vol2/vol2nfs1 /nfs4-mnt-dir
[sudo] password for auto-stor@qa.arkivio.com:
mount.nfs: access denied by server while mounting qavs2-qacl6.qa.arkivio.com:/vol2/vol2nfs1
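A pre-flight check for the "Duplicate SPN found" error shown above and for the HOST-substitution point in the accepted answer, added here as an example that is not part of the thread or of any NetApp tooling: it uses the ActiveDirectory PowerShell module to list every object in the domain already holding a given SPN, and reports whether the computer account you expected to own it has the exact SPN or a HOST/ SPN that would substitute for it. The SPN and account names are taken from the thread; the function name Test-SpnOwnership is an assumed helper, not an existing cmdlet.

```powershell
# Added example (not from the thread): find the holder(s) of an SPN before registering it.
# Requires the ActiveDirectory module (RSAT). Test-SpnOwnership is an assumed helper name.
Import-Module ActiveDirectory

function Test-SpnOwnership {
    param(
        [Parameter(Mandatory)] [string] $Spn,           # e.g. nfs/qavs2-qacl6.qa.arkivio.com
        [Parameter(Mandatory)] [string] $ComputerName   # computer account name, no trailing $
    )

    # 1. Every object in the domain that already carries this SPN. SPN lookups are
    #    case-insensitive, so nfs/ and NFS/ forms collide. If more than one account
    #    holds the SPN the KDC cannot choose a key, and Kerberos to the service breaks.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                              -Properties servicePrincipalName)

    # 2. The SPNs on the account the admin expected to own the NFS service.
    $target   = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    $hostPart = ($Spn -split '/', 2)[1]                  # service class stripped
    $hasExact = $target.servicePrincipalName -contains $Spn
    # HOST/<name> substitutes for the built-in service classes (nfs included) unless
    # the specific SPN is explicitly placed on another object, per the linked MS doc.
    $hasHost  = $target.servicePrincipalName -contains "HOST/$hostPart"

    [pscustomobject]@{
        Spn            = $Spn
        Holders        = @($holders | ForEach-Object Name)
        TargetHasSpn   = $hasExact
        TargetHasHost  = $hasHost
        SafeToRegister = ($holders.Count -eq 0)
    }
}

$spn  = 'nfs/qavs2-qacl6.qa.arkivio.com'
$acct = 'QAVS2-QACL6'
$r = Test-SpnOwnership -Spn $spn -ComputerName $acct
$r | Format-List

if ($r.SafeToRegister) {
    # Equivalent of "setspn -S", but only after the uniqueness check above passed.
    Set-ADComputer -Identity $acct -ServicePrincipalNames @{Add = $spn}
} else {
    Write-Warning "$spn is already held by: $($r.Holders -join ', '). Adding it to $acct would create a duplicate."
}
```

In the thread the holder reported would be NFS-QAVS2-QACL6, the account ONTAP created when Kerberos was enabled on the LIF, so a second copy of the SPN on QAVS2-QACL6 is not needed for the KDC to locate the key.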

 
