
June 21st, 2017 13:00

How do I add SPNs to use Kerberos for a DNS name for a Unity NAS Server?

I need to use a DNS name that is different from the NAS Server name to connect and use Kerberos. Anyone else doing this? We have done it on VNX for 4 years with no issues; it worked great.

We have a major application that uses a DNS FQDN that is different from the name of the vnx CIFS server joined to the domain.

We have pre-copied 4 TB and 26 shares to Unity and when we cutover we will need to use the existing DNS FQDN.

I tried as a test to create an A record DNS name with the same IP as a test NAS Server on the Unity. It will connect using the DNS name, the IP, or the actual NAS server name, but for the IP or DNS name it defaults to the NTLM security protocol, not Kerberos. If I add the SPNs to the AD computer account and try to connect using that name, I am prompted for a username and password and get access denied.

On Isilon, we just go to the computer object, attribute editor tab, and add the SPNs in there and right away it works using kerberos.

On VNX, we run the server_cifs test_vdm -setspn -add command and it works.

Here is what I see for this UNITY test computer account and spn:

setspn -q host/unityspntest.nas.co.edu

Checking domain DC=win,DC=ad,DC=co,DC=edu

CN=unitytest,OU=ProductionNAS,OU=File Services,OU=Systems,OU=CLOUD,DC=win,DC=ad,DC=co,DC=edu

        cifs/unityspntest.nas.co.edu

        host/unityspntest.nas.co.edu

        RestrictedKrbHost/unitytest.win.ad.co.edu

        RestrictedKrbHost/UNITYTEST

        host/unitytest.win.ad.co.edu

        host/UNITYTEST

Here is what I see for the prod NAS name for the VNX. It’s a DNS name appnasprd.es.co.edu

setspn -q host/appnasprd.es.co.edu

Checking domain DC=win,DC=ad,DC=co,DC=edu

CN=nasep1,OU=Production,OU=File Services,OU=Systems,OU=CLOUD,DC=win,DC=ad,DC=co,DC=edu

        host/appnasprd.es.co.edu

        cifs/appnasprd.es.co.edu

        host/nasep1.win.ad.co.edu

        host/nasep1

The obvious difference is the "RestrictedKrbHost" entries on the computer object from the Unity NAS, but I don't know if that matters. I tried removing them and it made no difference.

When I am prompted for credentials trying to connect to the DNS name on the Unity NAS Server, I get the following entries in the security event log for the NAS Server:

Event ID 537

Failure Logon/Logoff

User: NT Authority\System

Computer: UNITYTEST

Logon Failure, Reason, An unexpected error occurred during logon
Username  Null Session

Logon Type 3

Logon Process: CIFS  error: DC AUTH ERROR

and

Event ID 681

Failure Account Logon

User: NT Authority\System

Computer: UNITYTEST

The Logon to account: Null Session

by: EMC CIFS with KERBEROS

Failed: The Error code was CIFS  error: DC AUTH ERROR

I opened an SR and they said there are no server_cifs spn commands in Unity; you have to do it in AD and contact Microsoft. This morning I contacted one of our local EMC guys and he put me in touch with a guy who had a VSA Unity in a lab. He did the same setup as we did and got the same access denied, prompting for credentials.

We were supposed to be doing this migration at 3AM tomorrow morning, but with this issue we are postponing. It's frustrating because this was relatively easy on the other platforms.

169 Posts

June 30th, 2017 02:00

"svc_cifssupport -setspn" will be available in the upcoming 4.2 version, but contact Dell EMC Support for immediate support.

90 Posts

June 22nd, 2017 10:00

Update - Because I knew this worked on VNX, I tried setting up another test using a DNS A record to connect to a CIFS server on the VNX. I tried just running the commands to add the SPNs to Active Directory and it didn't work; I got the same prompt for a username and password.
Then I deleted the SPNs and tried running the commands from the VNX itself using the server_cifs -setspn command, and it worked: I was able to connect to the shares using the DNS name.

So to me there is something that is configured locally by running these commands. We just need to see how we can do that on Unity.

90 Posts

June 28th, 2017 09:00

Anyone using a DNS name to connect to a Unity?

It will work with NTLM - I don't know the impact of that on either the Unity or the DCs.

Last update I got was there is a command in the service CLI but no one has told me what code version it will be in...

It's not in the VSA

UnityOS

4.1.2.9257522

4/11/2017

Here is the "rumored" command:

16:50:38 service@none spa:~> svc_cifssupport NASServer -setspn

Handle security principals of a joined computer name.

Usage: svc_cifssupport { | ALL} -setspn

    -list -compname

        Display all Service Principal Names (SPN) for the specified FQDN server,

        both for the SMB server and for the KDC Windows Active Directory entry.

    | -add -compname -domain -admin

        Add the specified SPN to both NAS server and Active Directory.

    | -delete -compname -domain -admin }

        Delete the specified SPN to both NAS server and Active Directory.

Note :  It is required to add SPNs for disjoint domain configurations where the DNS domain is

different than authentication domain (Kerberos Realm). For example, if the DNS server zone

includes a DNS CNAME record which maps the compname. to compname. ,

then the SPN host/compname. must be added for the compname.

8.6K Posts

July 3rd, 2017 06:00

As Mani said - if you can't wait a few weeks for 4.2, open a service request and customer service should be able to do that via a dial-in on your system and current OE.

90 Posts

July 3rd, 2017 07:00

Yeah, so they were able to run the command for me.

It requires root, which we as customers can't get, so now I have to schedule a downtime for this huge application and hope that I can get someone online with me at the right time.

Basically I have:

DNS Name ---> old VNX cifs server IP

migrating to

DNS Name ----> New Unity NAS Server

I am going to try removing the SPNs from AD for the VNX computer account but leave the keytab entries, and see if we can just use NTLM for the middle-of-the-night cutover and then work with support to add the SPNs during the day.

169 Posts

July 3rd, 2017 21:00

Hi mizraz,

If you can't get downtime in the near future, you may as well wait for 4.2, and then you can do this yourself.

It is always good to test this out by creating a new NAS Server. (spare IP address, domain join rights are required). That way, you can test the setspn requirement (with or without dell emc support) and be ready for the actual cifs server.

8.6K Posts

July 4th, 2017 03:00

I agree - always a good idea to test, and with Unity it's really easy to set up a small test NAS server.

September 23rd, 2017 03:00

Does Unity data import support aliases?

There is no option to specify an alias like we had in VNX or Celerra.

19 Posts

October 11th, 2017 11:00

Hi,

We also have different DNS and AD domain names, and some of the NAS shares are accessed with DNS names. As we have now upgraded to the 4.2 series, we have the possibility to add the SPN DNS names to the Unity's NAS server to enable Kerberos authentication. As the EMC documentation / KB articles are still a bit lacking, here is the procedure we used to test this in Unity VSA. (Production will be done in the next maintenance window.) This is a combination of the old VNX command and instructions and Unity's manual and KB entries.

The example below has been modified to use emc as the domain name instead of our domain name.

Problem description:

- DNS domain name and AD domain name of the NAS servers are different. The NAS is accessed with the DNS name, not the AD domain name.

- Authentication works, but it is using NTLM, not a Kerberos ticket, when accessing a share with the DNS name (use svc_cifssupport VDM-name -audit to see if Kerberos or NTLM is used).

- svc_cifssupport shows warning on the possible SPN mismatches.

Example of warning:

svc_cifssupport  [nas server name] -audit

|||| WARNING: Possible SPN mismatches for the following servers. An SPN mismatch occurs when NTLM authentication is used, but Kerberos authentication should have been possible.

||| Server(servername AD domain), Requested Server(servername FQDN), CntFrmReboot=4

To fix this and enable Kerberos authentication to the share when using the DNS name, you need to add a manual SPN record for the DNS domain name to the NAS server.

Here is an example of the command used to add the new SPN record when:

AD domain emc.local, DNS domain emc.com, for a NAS server named unity-vsa.

Register CIFS before host entry (KB 503643)

svc_cifssupport unity-vsa -setspn -add cifs/unity-vsa.emc.com@EMC.LOCAL -compname unity-vsa -domain emc.local -admin Administrator

svc_cifssupport unity-vsa -setspn -add host/unity-vsa.emc.com@EMC.LOCAL -compname unity-vsa -domain emc.local -admin Administrator

This is what we are currently testing on our test Unity VSA environment, and it seems to work, as Kerberos is now used to authenticate users when connecting with the DNS name to the share. (DNS and AD domain names masked to emc from our domain names.)

Hopefully this is helpful for the next user needing to configure SPN records and they don't need to spend hours of going through manuals and kb entries.
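As an added example (not code from this thread or from Dell EMC), the following Python script does the AD-side pre-check that the posts above do by hand: it parses the `setspn -q` output pasted earlier in the thread, reports which of the `cifs/` and `host/` SPNs for the alias are missing from the Unity computer account, and flags the alias SPNs still held by another account (the VNX migration case, where the old computer object must give up the SPNs first, since a duplicate SPN is ambiguous to the KDC and breaks Kerberos for that name). It then prints the two `svc_cifssupport -setspn -add` lines in the order the KB note gives (cifs before host). The sample output is the thread's own masked names; the `plan_commands` helper is an assumption built from the posted command syntax, and registering the SPN in AD is only half the job, since the NAS server must also hold the matching key, which is what the Unity command adds on the server side.

```python
"""Pre-check an AD computer account's SPNs before pointing a DNS alias at a
Kerberos SMB server.  Added example; not part of the original thread."""

# Constructed sample: the two `setspn -q` outputs posted in this thread, pasted
# together.  Real use: paste the output of `setspn -Q cifs/<alias>` and
# `setspn -Q host/<alias>` run on a domain-joined Windows host.
SETSPN_OUTPUT = """Checking domain DC=win,DC=ad,DC=co,DC=edu
CN=unitytest,OU=ProductionNAS,OU=File Services,OU=Systems,OU=CLOUD,DC=win,DC=ad,DC=co,DC=edu
        cifs/unityspntest.nas.co.edu
        host/unityspntest.nas.co.edu
        RestrictedKrbHost/unitytest.win.ad.co.edu
        RestrictedKrbHost/UNITYTEST
        host/unitytest.win.ad.co.edu
        host/UNITYTEST
CN=nasep1,OU=Production,OU=File Services,OU=Systems,OU=CLOUD,DC=win,DC=ad,DC=co,DC=edu
        host/appnasprd.es.co.edu
        cifs/appnasprd.es.co.edu
        host/nasep1.win.ad.co.edu
        host/nasep1
"""


def parse_setspn(text):
    """Return {account_dn: {spn, ...}} from setspn -q / -l style output.
    SPNs are case-insensitive in AD, so they are normalised to lower case."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Checking domain"):
            continue
        if line.upper().startswith("CN="):
            current = line
            accounts.setdefault(current, set())
        elif current is not None:
            accounts[current].add(line.lower())
    return accounts


def required_spns(alias_fqdn):
    """SMB clients request cifs/<name> (older) or host/<name>; register both."""
    alias = alias_fqdn.lower()
    return {"cifs/" + alias, "host/" + alias}


def check_alias(accounts, alias_fqdn, account_cn):
    """Report alias SPNs missing from account_cn and alias SPNs held by any
    other account (those must be removed there before adding them here)."""
    target = next((dn for dn in accounts
                   if dn.lower().startswith("cn=" + account_cn.lower() + ",")), None)
    if target is None:
        raise KeyError(f"account {account_cn} not in setspn output")
    wanted = required_spns(alias_fqdn)
    held_elsewhere = {}
    for dn, spns in accounts.items():
        if dn != target:
            for spn in sorted(wanted & spns):
                held_elsewhere.setdefault(spn, []).append(dn)
    return {"account": target,
            "missing": sorted(wanted - accounts[target]),
            "held_elsewhere": held_elsewhere}


def plan_commands(nas_server, alias_fqdn, ad_domain, admin="Administrator"):
    """Hypothetical helper: the svc_cifssupport -setspn -add lines in the order
    the thread's KB note gives (cifs before host).  Realm = AD domain upper-cased."""
    realm = ad_domain.upper()
    return [f"svc_cifssupport {nas_server} -setspn -add {svc}/{alias_fqdn}@{realm} "
            f"-compname {nas_server} -domain {ad_domain} -admin {admin}"
            for svc in ("cifs", "host")]


if __name__ == "__main__":
    accts = parse_setspn(SETSPN_OUTPUT)
    # Alias already registered on the Unity account: nothing missing, nothing elsewhere.
    print(check_alias(accts, "unityspntest.nas.co.edu", "unitytest"))
    # Migration case: the prod alias is still held by the VNX account nasep1.
    print(check_alias(accts, "appnasprd.es.co.edu", "unitytest"))
    for cmd in plan_commands("unitytest", "appnasprd.es.co.edu", "win.ad.co.edu"):
        print(cmd)
```

Run it with the pasted `setspn -Q` output for your alias; anything listed under `held_elsewhere` has to be deleted from that account (on VNX with `server_cifs ... -setspn -delete`, or `setspn -D` in AD) before the Unity-side add, otherwise clients will keep falling back to NTLM and `svc_cifssupport <nas> -audit` will keep reporting the SPN mismatch.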
