When the CIFS server is first created, its SPNs are derived from the CIFS server name. For example, if I create a CIFS server named "CIFS", my SPNs are HOST/CIFS and HOST/cifs.ntap.local:
::*> cifs server create -vserver parisi -cifs-server CIFS -domain NTAP.LOCAL
PS C:\> setspn /L CIFS
Registered ServicePrincipalNames for CN=CIFS,CN=Computers,DC=NTAP,DC=local:
HOST/cifs.ntap.local
HOST/CIFS
If the name my users connect to is not "CIFS" (i.e., if they don't use \\cifs to access shares), the client asks the KDC for a ticket to an SPN that isn't registered on the account, so I won't use Kerberos. If I use an IP address and there's no corresponding PTR record for that IP, I won't use Kerberos either.
The CIFS server I created has no DNS entries; these don't get created by default unless you enable dynamic DNS.
My SVM doesn't have that enabled:
::*> dynamic-update show -vserver parisi
(vserver services name-service dns dynamic-update show)
Vserver: parisi
Is Dynamic DNS Update Enabled?: false
Use Secure Dynamic Update?: false
Vserver FQDN to Be Used for DNS Updates: -
Time to Live for DNS Updates: 24h
Here's the DNS lookup for that new CIFS server:
C:\>nslookup 10.193.67.230 10.193.67.236
Server: oneway.ntap.local
Address: 10.193.67.236
*** oneway.ntap.local can't find 10.193.67.230: Non-existent domain
C:\>nslookup cifs 10.193.67.236
Server: oneway.ntap.local
Address: 10.193.67.236
*** oneway.ntap.local can't find cifs: Non-existent domain
As a result, I use NTLM:
::*> cifs session show -node * -vserver parisi -fields auth-mechanism
node vserver session-id connection-id auth-mechanism
------------------ ------- ------------------- ------------- --------------
node2 parisi 6974949922890059117 3649016229 NTLMv2
To use Kerberos, I need DNS records for the CIFS server (A/AAAA and PTR). Once they exist, the lookup succeeds:
C:\>nslookup cifs 10.193.67.236
Server: oneway.ntap.local
Address: 10.193.67.236
Name: cifs.NTAP.local
Address: 10.193.67.230
Now when I access that name, I use Kerberos:
C:\>net use * \\cifs\cifs
Drive Z: is now connected to \\cifs\cifs.
The command completed successfully.
::*> cifs session show -node * -vserver parisi -fields auth-mechanism
node vserver session-id connection-id auth-mechanism
------------------ ------- ------------------- ------------- --------------
node2 parisi 6974949922890059118 3649016230 Kerberos
If I want to use a *different* DNS name, I need A/AAAA and PTR records for the name I want to use (or a CNAME record that points to the original DNS record), and I need to add a new SPN for that name to the CIFS server's machine account.
Here's the CNAME:
C:\>nslookup cifsalias 10.193.67.236
Server: oneway.ntap.local
Address: 10.193.67.236
Name: cifs.NTAP.local
Address: 10.193.67.230
Aliases: cifsalias.NTAP.local
Here are the new SPNs:
C:\>setspn /a cifs/cifsalias CIFS
Checking domain DC=NTAP,DC=local
Registering ServicePrincipalNames for CN=CIFS,CN=Computers,DC=NTAP,DC=local
cifs/cifsalias
Updated object
C:\>setspn /a cifs/cifsalias.ntap.local CIFS
Checking domain DC=NTAP,DC=local
Registering ServicePrincipalNames for CN=CIFS,CN=Computers,DC=NTAP,DC=local
cifs/cifsalias.ntap.local
Updated object
C:\>setspn /L CIFS
Registered ServicePrincipalNames for CN=CIFS,CN=Computers,DC=NTAP,DC=local:
cifs/cifsalias.ntap.local
cifs/cifsalias
HOST/cifs.ntap.local
HOST/CIFS
And when I access via that CNAME, I use Kerberos:
C:\>net use * \\cifsalias\cifs
Drive Z: is now connected to \\cifsalias\cifs.
The command completed successfully.
::*> cifs session show -node * -vserver parisi -fields auth-mechanism
node vserver session-id connection-id auth-mechanism
------------------ ------- ------------------- ------------- --------------
node2 parisi 6974949922890059122 3649016234 Kerberos
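To pull those requirements together, here is an added example (not from the post and not ONTAP code) that models the three checks offline against constructed DNS and SPN data: a PTR for an IP, an A/AAAA record for the name (following a CNAME), and an SPN on the CIFS account that matches the name the client typed. The sample zone, the SPN lists and the ntap.local suffix are assumptions copied from the walkthrough above.

```python
import ipaddress

DOMAIN = "ntap.local"  # assumed DNS suffix appended to short names such as "cifs"

# Constructed sample data mirroring the post: no DNS at first, then A/PTR plus a CNAME alias.
ZONE_BEFORE = {"A": {}, "PTR": {}, "CNAME": {}}
ZONE_AFTER = {"A": {"cifs.ntap.local": "10.193.67.230"},
              "PTR": {"10.193.67.230": "cifs.ntap.local"},
              "CNAME": {"cifsalias.ntap.local": "cifs.ntap.local"}}
SPNS_INITIAL = ["HOST/cifs.ntap.local", "HOST/CIFS"]
SPNS_WITH_ALIAS = SPNS_INITIAL + ["cifs/cifsalias", "cifs/cifsalias.ntap.local"]

def qualify(name):
    """Lower-case a name and append DOMAIN if it was given as a short name."""
    name = name.rstrip(".").lower()
    return name if "." in name else f"{name}.{DOMAIN}"

def resolve(zone, fqdn, max_hops=8):
    """Follow a (bounded) CNAME chain and return the A record, or None."""
    for _ in range(max_hops):
        if fqdn in zone["A"]:
            return zone["A"][fqdn]
        fqdn = zone["CNAME"].get(fqdn)
        if fqdn is None:
            return None
    return None  # CNAME loop or chain too long

def expected_auth(target, zone, spns):
    """Predict ('Kerberos' | 'NTLM', reason) for a client opening \\\\target\\share."""
    spn_set = {s.lower() for s in spns}
    try:
        ipaddress.ip_address(target)
        # Assumption (from the post): an IP is usable for Kerberos only via its PTR name.
        name = zone["PTR"].get(target)
        if name is None:
            return "NTLM", f"no PTR record for {target}"
    except ValueError:
        name = target  # not an IP, so it is a host name
    fqdn = qualify(name)
    if resolve(zone, fqdn) is None:
        return "NTLM", f"no A/AAAA record (directly or via CNAME) for {fqdn}"
    # The client asks the KDC for the SPN of the name it was given, not the CNAME
    # target, which is why an alias needs its own SPN. HOST/ also covers cifs/.
    short = fqdn.split(".")[0]
    candidates = [f"{svc}/{n}" for svc in ("cifs", "host") for n in (short, fqdn)]
    hit = next((c for c in candidates if c in spn_set), None)
    if hit is None:
        return "NTLM", f"no matching SPN on the CIFS account (tried {', '.join(candidates)})"
    return "Kerberos", f"matched SPN {hit}"
```

Running `expected_auth` against the before/after zones reproduces each session outcome shown above, and the reason string says which of the three checks failed.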