ONTAP Discussions

cannot update kerberos keytab (Ontap 9.11)

yongbin

I accidentally updated my NFS service Kerberos keytab on a different machine with the `ipa-getkeytab` command. After that, NFS clients disconnected from the storage one by one (after the credentials expired, I guess).

So I need to update the Kerberos keytab and register it to ONTAP.

I ran a command.

`vserver nfs kerberos interface enable -lif stor01 -vserver vs1 -keytab-uri http://url-to/kerberos.keytab`

Then I got this result.

Error: command failed: Kerberos is already enabled on this LIF

So I tried to disable it first instead.

`vserver nfs kerberos interface disable -lif stor01 -vserver vs1`

I typed the admin username and password and answered 'y' to the following prompt.

Warning: This command deletes the service principal name "nfs/stor01.in.kzmdstu.com@IN.KZMDSTU.COM" from the machine account on the KDC. Do you want to continue? {y|n}:

I got this error.

Error: command failed: Failed to disable NFS Kerberos on LIF "stor01". Failed to delete the account associated with the Kerberos service principal name. Reason: Kerberos Error: Unknown error.

So I can neither enable nor disable it.

How can I inspect the problem?

1 REPLY

yongbin

After `set -privilege diagnostic`

I was able to disable it with `vserver nfs kerberos interface disable -lif stor01 -vserver vs1 -force true`

and then enable it with `vserver nfs kerberos interface enable ...`

but it still doesn't allow NFS access.

event show log shows me this log:

1/20/2026 20:46:48 netapp01 ERROR secd.nfsAuth.problem: vserver (vs1) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 0 ms] Using the NFS service credential for logical interface 1026 (SPN='nfs/stor01') from cache.
**[ 0] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Decrypt integrity check failed).

Which is weird, because I've just updated all the NFS keytabs...
