PowerScale:OneFS:缺少 SPN 警报,而不匹配 SmartConnect 分区名称 (SCZN)
Summary: 群集在 Superna 故障切换或故障恢复后报告 AD 服务器缺少所需的 SPN,因为服务主体名称 (SPN) 与任何群集 SmartConnect 分区名称匹配。
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
完成 Superna 故障切换/故障恢复过程以指定主 PowerScale 群集后,您可能会在辅助群集上看到以下错误。
2.365102 10/21 09:26 I 0 729106 AD server missing needed SPN(s) HOST/eyeglasstest.example.org, HOST/eyeglasstest, nfs/eyeglasstest.example.org, nfs/eyeglasstest; try 'isi auth ads spn check EXAMPLE.ORG' 2.365089 10/21 09:11 I 0 729106 AD server missing needed SPN(s) HOST/eyeglasstest.example.org, HOST/eyeglasstest, nfs/eyeglasstest.example.org, nfs/eyeglasstest; try 'isi auth ads spn check EXAMPLE.ORG'
经调查,您可能会发现缺少的 SPN 与辅助群集上的任何网络池名称都不同。
例如,如果 PowerScale clusterA 显示缺少的 SPN 警报:
群集名称:clusterA
SPN 检查报告缺少的 SPN:
clusterA-1# isi auth ads spn check EXAMPLE.ORG Possible missing SPNs: HOST/eyeglasstest.example.org HOST/eyeglasstest nfs/eyeglasstest.example.org nfs/eyeglasstest Possible extra SPNs: nfs/igls-original-eyeglasstest
所有网络池名称均不匹配,如“isi network pools list -v”所示。缺少的 SPN 和网络池名称必须完全匹配。包含部分缺失 SPN 的其他不相关的类似名称不计算在内。
clusterA 的网络池:
clusterA-1# isi network pools list -v ID: groupnet0.subnet0.pool0 Groupnet: groupnet0 Subnet: subnet0 Name: pool0 Rules: rule0 Access Zone: System Allocation Method: static Aggregation Mode: lacp Description: Initial 10gige-1 pool Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1, 2:10gige-agg-1, 3:10gige-agg-1, 4:10gige-agg-1, 5:10gige-agg-1, 6:10gige-agg-1 IP Ranges: 172.20.14.41-172.20.14.46 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: d8fs14.example.org SC DNS Zone Aliases: igls-ignore-vlan14.example.org SC Subnet: subnet0 SC TTL: 0 -------------------------------------------------------------------------------- ID: groupnet0.subnet1.Eyeglass_Pool Groupnet: groupnet0 Subnet: subnet1 Name: Eyeglass_Pool Rules: - Access Zone: EyeglassRunbookRobot Allocation Method: static Aggregation Mode: lacp Description: Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1 IP Ranges: 172.20.15.6-172.20.15.6 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: igls-original-eyeglasstest.example.org SC DNS Zone Aliases: igls-robot-oco.example.org SC Subnet: subnet1 SC TTL: 0 -------------------------------------------------------------------------------- ID: groupnet0.subnet1.pool0 Groupnet: groupnet0 Subnet: subnet1 Name: pool0 Rules: - Access Zone: prod Allocation Method: static Aggregation Mode: lacp Description: Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1, 2:10gige-agg-1, 3:10gige-agg-1, 4:10gige-agg-1, 5:10gige-agg-1, 6:10gige-agg-1 IP Ranges: 172.20.15.41-172.20.15.46 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: igls-original.example.org SC DNS Zone Aliases: igls-prod.example.org SC Subnet: subnet1 SC TTL: 0
检查新的主群集 clusterB 时,您可以找到与缺少的 SPN 匹配的 SmartConnect 池名称。这是辅助群集 clusterA 上的警报中引用的 SPN。
群集名称:clusterB
具有该 SPN + 池名称的生产群集:
clusterB-1# isi auth ads spn list EXAMPLE.ORG | grep -i eyeglasstest SPN ---------------------------------------------------- nfs/eyeglasstest nfs/eyeglasstest.example.org HOST/eyeglasstest HOST/eyeglasstest.example.org
主群集的网络池名称
clusterB-1# isi network pools list -v ID: groupnet0.subnet1.Eyeglass_Pool Groupnet: groupnet0 Subnet: subnet1 Name: Eyeglass_Pool Rules: - Access Zone: EyeglassRunbookRobot Allocation Method: static Aggregation Mode: lacp Description: Used for Eyeglass test failover Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1 IP Ranges: 172.29.28.5-172.29.28.5 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: eyeglasstest.example.org <<<<<<<<<<<<<<<<<<< SC DNS Zone Aliases: igls-robot-rco.example.org SC Subnet: subnet1 SC TTL: 0
Cause
Superna 使用以下命令添加和删除 SPN。它们还指定与 AD 域中的 SPN 关联的计算机帐户。
2025-02-04T09:33:03,953 SSH /172.20.14.37 echo '[REDACTED]' | sudo -S -k -p "" isi auth ads spn delete EXAMPLE.ORG HOST/eyeglasstest.example.org --machine-account clusterA$ 2>&1;echo 0 2025-02-04T09:33:05,568 SSH /172.20.14.37 echo '[REDACTED]' | sudo -S -k -p "" isi auth ads spn delete EXAMPLE.ORG HOST/eyeglasstest --machine-account clusterA$ 2>&1;echo 0 2025-02-04T09:33:07,180 SSH /172.20.14.37 echo '[REDACTED]' | sudo -S -k -p "" isi auth ads spn delete EXAMPLE.ORG nfs/eyeglasstest.example.org --machine-account clusterA$ 2>&1;echo 0
在 OneFS 9.5.1.1 中引入的“isi auth ads spn create/delete”命令中的“--machine-account”选项无法按预期工作。使用设置了标记的命令不会从辅助群集中删除额外的 SPN。
Resolution
解决方法是使用受影响的第二个群集的 CLI 手动删除该群集的 SPN。在执行 Superna 故障切换/故障恢复后,必须在不使用“--machine-account”选项的情况下执行此作。也可以安全地忽略这些消息,因为在没有关联的 SmartConnect 池名称的情况下,辅助群集上不需要缺失的 SPN。
# isi auth ads spn delete <SPN name> --zone=<zone name>
Affected Products
Isilon, PowerScale OneFSProducts
Isilon Gen6.5Article Properties
Article Number: 000285197
Article Type: Solution
Last Modified: 11 Aug 2025
Version: 2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.