PowerScale: OneFS: AD Server Missing Needed SPNs Alert for NFS HTTP HDFS
Summary: Administrators may sometimes observe alerts that indicate the Service Principal Names for the NFS, HTTP, or HDFS services are missing.
Symptoms
Under certain conditions, an alert for missing SPNs may be generated. SPN checks are typically performed after the following events on the cluster occur:
- Cluster or node rebooted
- CELOG processes and/or services are reset
- Periodic CELOG checks through the CELOG monitor
- Addition of a new AD provider
- Network configuration change (if the pool is configured with SmartConnect zone names and aliases)
AD server missing needed SPN(s) HOST/sczone.domain.com, HOST/sczone, nfs/sczone.domain.com, nfs/sczone, hdfs/sczone.domain.com, hdfs/sczone; try 'isi auth ads spn check'
Cause
The CELOG alert system periodically runs a check against each AD provider to verify that SPNs are properly registered, and may report that SPNs are "missing." This also occurs on startup when booting up nodes.
The logic used by the CELOG check is as follows:
- For each AD provider, check existing registered SPNs against configured SmartConnect zone names and aliases. If the pool with a SmartConnect zone name configured was modified (for example, including a new alias), then an SPN check against the AD provider would check against the updated information.
- In earlier versions of OneFS, if any NFS export was configured with a 'krb5' security flavor, OneFS would assume that NFS SPNs are needed for each SC zone/alias. As of 8.0.0.5/8.0.1.2/8.1.0.1 and later, NFS SPNs are assumed missing by default (if not already registered). The NFS export security flavor checks were removed.
- If HDFS is licensed, OneFS assumes that HDFS SPNs are needed for each SC zone/alias. This is true even if the service itself is not enabled on the cluster.
- HTTP SPN checks are automatically done regardless of cluster configuration as the service is enabled by default. There are no special conditions for an HTTP SPN check.
Note: CELOG and 'isi auth ads spn check' are separate from each other and use different functions or logic in determining missing SPNs. For example, the 'isi auth ads spn check' command has no checks for NFS, HTTP, or HDFS-based SPNs. SC zones with no corresponding SPN are assumed missing.
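The check logic listed above can be modelled to see which SPNs an alert would name for a given SmartConnect configuration, and to split an alert's SPN list by service for triage. This is an added example, not OneFS or CELOG code: the function names, the FQDN-plus-short-name derivation (inferred from the sample alert) and the registered-SPN list are assumptions, it models the later-version behaviour where NFS is always checked, and the inputs are constructed.

```python
import re

# Alert wording as shown under Symptoms; the SPN list sits between "SPN(s)" and "; try".
ALERT_RE = re.compile(r"missing needed SPN\(s\)\s+(?P<spns>.+?);\s*try")


def expected_spns(zone_names, hdfs_licensed):
    """SPNs the described check wants for each SmartConnect zone name or alias.

    Assumption: each name is checked as FQDN and as short host name, as in the
    sample alert. nfs and HTTP are always checked; hdfs only if licensed.
    """
    classes = ["HOST", "nfs", "HTTP"] + (["hdfs"] if hdfs_licensed else [])
    wanted = []
    for name in zone_names:
        short = name.split(".", 1)[0]
        hosts = [name] if short == name else [name, short]
        wanted += [f"{cls}/{host}" for cls in classes for host in hosts]
    return wanted


def missing_spns(zone_names, registered, hdfs_licensed):
    """Expected SPNs not in the registered list (SPN matching in AD ignores case)."""
    have = {spn.lower() for spn in registered}
    return [s for s in expected_spns(zone_names, hdfs_licensed) if s.lower() not in have]


def parse_alert(message):
    """Extract the SPN list from an alert message; empty list if the text differs."""
    match = ALERT_RE.search(message)
    return [s.strip() for s in match.group("spns").split(",")] if match else []


def by_service(spns):
    """Group SPNs by service class so each can be judged (needed or ignorable)."""
    groups = {}
    for spn in spns:
        cls, _, host = spn.partition("/")
        groups.setdefault(cls, []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed inputs: one zone, HDFS licensed, only HTTP SPNs registered in AD.
    zones = ["sczone.domain.com"]
    registered = ["http/sczone.domain.com", "HTTP/sczone"]
    for cls, hosts in by_service(missing_spns(zones, registered, True)).items():
        print(f"{cls}: {', '.join(hosts)}")
```

With these constructed inputs the model reproduces the six SPNs named in the sample alert, including the hdfs entries that appear only because HDFS is licensed.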
Resolution
The alert itself is advisory in nature and applies to one or more AD domains. SPNs are not necessarily required from a OneFS perspective, except for the cluster name itself, which is registered by default. Default SPNs such as those should never be removed. Rather, SPNs are required in order for clients to connect to the cluster using Kerberos authentication through SMB, NFS, or HDFS. Kerberos with SMB is covered under the HOST SPN, as CIFS falls under the HOST SPN scope.
See the administration guides for your version of OneFS at PowerScale OneFS Info Hubs for instructions on how to manage SPNs from the cluster.
Otherwise, the alert may be ignored if the SPNs are deemed unnecessary, or they can be registered to prevent the alert in the future.
Affected Products
PowerScale OneFS
Products
PowerScale OneFS
Article Properties
Article Number: 000167340
Article Type: Solution
Last Modified: 24 May 2024
Version: 5