IHAC is testing on cDOT831P1 NFSV4+Kerberos(MIT)
I met a question when want to change the LIF SPN, the test scenario is as below:
1. The LIFs have enabled Kerberos, and have their SPN. Now want to change to another SPN
nyn001c1::*> vserver nfs kerberos inter show
Logical
Vserver Interface Address Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
nyn001f1 nyn001f1_data1
172.31.120.75 enabled nfs/nyn001f1.xx.com@is1.abc
nyn001f1 nyn001f1_data2
172.31.120.76 enabled nfs/nyn001f2.xx.com@is1.abc
2. nfs Kerberos modify, error indicates that must disable Kerberos first;
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos enabled -spn nfs/nyn001f3.xx.com@is1.abc -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f3.keytab
Error: command failed: Kerberos is already enabled on this LIF -> should disable Kerberos interface first
3. Disable Kerberos interface
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled
Username: -> admin-username and passwd are needed, but there is no username and passwd because keytab-file is used
Error: command failed: The "admin-user-name" parameter is empty. Please specify a value for "keytab-uri", or for "admin-user-name" and "admin-password".
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -
-spn -admin-username -keytab-uri -ou
-force
nyn001c1::*> vserver nfs kerberos interface modify -vserver nyn001f1 -lif nyn001f1_data2 -kerberos disabled -keytab-uri http://nfsweb-na/u/una-infra/htdocs/cdot/keytab/nyn001f2.keytab
Error: command failed: Cannot specify service principal name or Keytab URL while disabling Kerberos.
nyn001c1::*>
So how can I disable Kerberos interface and modify the LIF SPN?