ONTAP Discussions
I accidentally updated my NFS service Kerberos keytab on a different machine with the `ipa-getkeytab` command. After that, NFS clients disconnected from the storage one by one (after the credentials expired, I guess).
So I need to update the Kerberos keytab and register it with ONTAP.
I ran this command:
vserver nfs kerberos interface enable -lif stor01 -vserver vs1 -keytab-uri http://url-to/kerberos.keytab
Then I got this result:
Error: command failed: Kerberos is already enabled on this LIF
So I tried to disable it first instead:
vserver nfs kerberos interface disable -lif stor01 -vserver vs1
I typed the admin username and password and 'y' at the following prompt:
Warning: This command deletes the service principal name "nfs/stor01.in.kzmdstu.com@IN.KZMDSTU.COM" from the machine account on the KDC. Do you want to continue? {y|n}:
I got this error:
Error: command failed: Failed to disable NFS Kerberos on LIF "stor01". Failed to delete the account associated with the Kerberos service principal name. Reason: Kerberos Error: Unknown error.
So I can neither enable nor disable it.
How can I inspect the problem?
After set -privilege diagnostic
I was able to disable it with vserver nfs kerberos interface disable -lif stor01 -vserver vs1 -force true
and then enable it with vserver nfs kerberos interface enable ...
But it still doesn't allow NFS access.
event show log shows me this:
1/20/2026 20:46:48 netapp01 ERROR secd.nfsAuth.problem: vserver (vs1) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 0 ms] Using the NFS service credential for logical interface 1026 (SPN='nfs/stor01') from cache.
**[ 0] FAILURE: Failed to accept the context: Unspecified GSS failure. Minor code may provide more information (minor: Decrypt integrity check failed).
Which is weird because I've just updated all NFS keytabs...
I get the same. Any new information here?
Not able to use Kerberos on Redhat IDM and NetApp NFS v4.
@Baefisch wrote: I get the same. Any new information here?
Not able to use Kerberos on Redhat IDM and NetApp NFS v4.
For me, clients reconnected some time (some hours) after the fix. I guess it is because of the cache system, but I am not sure.
One thing I noticed is that Macs were able to connect right away after the fix, but Linux machines took some time.
Hope it helps.
I was able to mount NFSv4 with Kerberos. Created a ticket with NetApp and Redhat.
Especially Mr. Diddens/NetApp did a great job and recreated my problem.
Strange. I did exactly the same steps, besides the cat /etc/krb5.conf.d/crypto-policies part. I wrote more options found in another post. But these are the steps which work. Maybe the ordering of the cryptos is important?
######## Redhat ################
### create Keytab
kinit admin
ipa host-add svm-lan-nas-01-lif1.ipa.bla.blub
ipa service-add nfs/svm-lan-nas-01-lif1.ipa.bla.blub
##### only sha1 IMPORTANT!!!!
ipa-getkeytab -p nfs/svm-lan-nas-01-lif1.ipa.bla.blub -k ./nfs.keytab_for_ticket -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
### copy keytab to any webserver (remote copy, so scp rather than cp)
scp nfs.keytab_for_ticket wsv103.ipa.bla.blub:/var/www
#### Change Crypto Policy
cat /etc/krb5.conf.d/crypto-policies
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192
######## on NETAPP svm ########
## create export policy for kerberos
....
### create Kerberos Realm
ipa.bla.blub
KDC = 192.168.XX.XX
Port = 88
### create LDAP Source
lsv3000.ipa.bla.blub
dc=ipa,dc=bla,dc=blub
389
Anonymous
admin@ipa.bla.blub
## Kerberos to Unix mapping
(.+)\$@.* --> root
host/.*@.* --> admin
(.*)@.* --> \1
## enable LIF for Kerberos
kerberos interface enable -lif svm-lan-nas-01-lif1 -vserver svm-lan-nas-01 -spn nfs/svm-lan-nas-01-lif1.ipa.bla.blub@ipa.bla.blub -keytab-uri http://wsv103.bla.blub/nfs.keytab_for_ticket
##### Volume mount
mount -o sec=krb5,nfsvers=4,minorversion=1 svm-lan-nas-01-lif1.ipa.bla.blub:/wf2009_nfs_01 /mnt
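Added example (not from either poster, NetApp or Red Hat): a small Python checker for the keytab produced by the ipa-getkeytab step above. It parses the MIT 0x0502 keytab format and reports two things that the thread turns on, entries whose enctype is outside the aes*-cts-hmac-sha1-96 pair the working recipe exports, and a mix of old and new kvno values left over from an earlier keytab refresh, so the file can be inspected before it is served to -keytab-uri. The build_entry helper, the dummy 32-byte keys and the SAMPLE keytab are constructed test data; the SPN is the one from the recipe.

```python
import struct

# Enctype numbers (RFC 3962 / RFC 8009); the recipe above exports only the two sha1-96 types.
NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
         19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192"}
SHA1_96 = {17, 18}

def build_entry(principal, kvno, enctype, key):
    """Serialise one 0x0502 keytab entry. Constructed test data with a dummy key."""
    name, realm = principal.split("@")
    fields = [realm] + name.split("/")            # realm first, then the name components
    body = struct.pack(">H", len(fields) - 1) + b"".join(struct.pack(">H", len(f)) + f.encode() for f in fields)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size <= 0:                               # negative size marks a deleted slot: skip it
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        p, strs = off + 2, []
        for _ in range(ncomp + 1):                  # realm, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            strs.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _name_type, _stamp, vno8, et, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8   # 32-bit vno trailer if present
        out.append(("/".join(strs[1:]) + "@" + strs[0], kvno, et))
        off = end
    return out

def check_for_ontap(entries):
    """Flag stale kvno mixes and non-sha1-96 enctypes before serving the file via -keytab-uri."""
    kvnos = sorted({k for _, k, _ in entries})
    problems = [f"mixed kvno {kvnos}: old and new keys in one keytab"] if len(kvnos) > 1 else []
    problems += [f"{p} kvno {k}: {NAMES.get(et, et)} is outside the sha1-96 set"
                 for p, k, et in entries if et not in SHA1_96]
    return problems

# Constructed sample: the SPN from the recipe with the two sha1-96 keys plus the two sha2 ones.
SPN = "nfs/svm-lan-nas-01-lif1.ipa.bla.blub@ipa.bla.blub"
SAMPLE = b"\x05\x02" + b"".join(build_entry(SPN, 3, et, bytes(32)) for et in (18, 17, 20, 19))
```

Run check_for_ontap(parse_keytab(open("nfs.keytab_for_ticket", "rb").read())) against a real file; an empty list means every entry is sha1-96 and all keys share one kvno.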