Network and Storage Protocols

No nfs SPN generated

XQ10907RS
6,204 Views

Hey netapper

i'm configuring nfsv4 on netapp c-mode 9.1,there is a issue blocking me that is no nfs SPN generated on c-mode server after running

vserver nfs kerberos interface*> modify -vserver qavs2 -lif lif2 -kerberos enabled -spn nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM -admin-username administrator

 

qacl6::vserver nfs kerberos interface> show
               Logical
Vserver        Interface     Address         Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
qavs1          lif1          10.17.16.108    disabled -
qavs2          lif2          10.17.16.109    enabled  nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM
2 entries were displayed.

 

only host/* SPNs returned,i believe they are created when joining c-mode to domain actually,also tried add nfs/qavs2-qacl6.qa.arkivio.com via ADSI EDIT on c-mode account get error saying added SPN is not unique in domain,any idea how can i make nfs/* spn comes up?

thanks

 

C:\>setspn -L -C qavs2-qacl6
Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivi
o,DC=com:
        HOST/qavs2-qacl6.qa.arkivio.com
        HOST/QAVS2-QACL6
1 ACCEPTED SOLUTION

GidonMarcus
6,187 Views

hi

 

the host SPN is like a wildcard and should cover for all

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

The built-in SPNs that are recognized for computer accounts are:

………

These SPNs are recognized for computer accounts if the computer has a host SPN. Unless they are explicitly placed on objects, a host SPN can substitute for any of the above SPNs

 

 

if you still having an issue (i saw products that hardcoded the dype of delegation they checking for - so indeed not everyone honer this "HOST" delegation). and want to create one the right way is with the following command (in windows):

setspn.exe -S NFS/QAVS2-QACL6 QAVS2-QACL6

setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6

 

to revert:

setspn.exe -D NFS/QAVS2-QACL6 QAVS2-QACL6

setspn.exe -D NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

2 REPLIES 2

GidonMarcus
6,188 Views

hi

 

the host SPN is like a wildcard and should cover for all

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731241(v=ws.11)

The built-in SPNs that are recognized for computer accounts are:

………

These SPNs are recognized for computer accounts if the computer has a host SPN. Unless they are explicitly placed on objects, a host SPN can substitute for any of the above SPNs

 

 

if you still having an issue (i saw products that hardcoded the dype of delegation they checking for - so indeed not everyone honer this "HOST" delegation). and want to create one the right way is with the following command (in windows):

setspn.exe -S NFS/QAVS2-QACL6 QAVS2-QACL6

setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6

 

to revert:

setspn.exe -D NFS/QAVS2-QACL6 QAVS2-QACL6

setspn.exe -D NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

XQ10907RS
6,162 Views

Hi GidonMarcus, thanks for the explanation for setspn

After struggling with c-mode SPN i found nfs/* SPN acutally created on NFS-QAVS2-QACL6 account after running

vserver nfs kerberos interface*> modify -vserver qavs2 -lif lif2 -kerberos enabled -spn nfs/qavs2-qacl6.qa.arkivio.com@QA.ARKIVIO.COM -admin-username administrator

 

 

C:\Users\administrator.QA>setspn -L -C NFS-QAVS2-QACL6
Registered ServicePrincipalNames for CN=NFS-QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com:
        nfs/qavs2-qacl6.qa.arkivio.com
        nfs/nfs-qavs2-qacl6.qa.arkivio.com
        nfs/NFS-QAVS2-QACL6
        HOST/nfs-qavs2-qacl6.qa.arkivio.com
        HOST/NFS-QAVS2-QACL6

 

 
nfs/* is missing on QAVS2-QACL6

C:\Users\administrator.QA>setspn -L -C QAVS2-QACL6
Registered ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com:
        HOST/qavs2-qacl6.qa.arkivio.com
        HOST/QAVS2-QACL6

 


tried manually adding nfs/* to QAVS2-QACL6 with setspn with no luck as per TR4073 we definitely need SPN nfs/qavs2-qacl6.qa.arkivio.com for qavs2-qacl6.qa.arkivio.com instead of nfs-qavs2-qacl6.qa.arkivio.com(evening not exist in DNS)
any idea how to create nfs/qavs2-qacl6.qa.arkivio.com for qavs2-qacl6.qa.arkivio.com?(tried in ADSI EDIT deleting current qavs2-qacl6.qa.arkivio.com,and rename nfs-qavs2-qacl6.qa.arkivio.com to qavs2-qacl6.qa.arkivio.com,it's not working)  

 

C:\Users\administrator.QA>setspn.exe -S nfs/qavs2-qacl6 qavs2-qacl6
Registering ServicePrincipalNames for CN=QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com
        nfs/qavs2-qacl6
Updated object

C:\Users\administrator.QA>setspn.exe -S NFS/QAVS2-QACL6.qa.arkivio.com QAVS2-QACL6
Checking domain DC=qa,DC=arkivio,DC=com
CN=NFS-QAVS2-QACL6,CN=Computers,DC=qa,DC=arkivio,DC=com
        nfs/qavs2-qacl6.qa.arkivio.com
        nfs/nfs-qavs2-qacl6.qa.arkivio.com
        nfs/NFS-QAVS2-QACL6
        HOST/nfs-qavs2-qacl6.qa.arkivio.com
        HOST/NFS-QAVS2-QACL6

Duplicate SPN found, aborting operation!  

 

 

 

 i suspect following mount error is caused by nfs/* is missing on qavs2-qacl6.qa.arkivio.com

[auto-stor@qa.arkivio.com@ark-centos-smb4 ~]$ sudo mount -t nfs -o v4.0,sec=krb5 qavs2-qacl6.qa.arkivio.com:/vol2/vol2nfs1 /nfs4-mnt-dir
[sudo] password for auto-stor@qa.arkivio.com:
mount.nfs: access denied by server while mounting qavs2-qacl6.qa.arkivio.com:/vol2/vol2nfs1

 

Public