PowerScale: OneFS: AD Server Missing Needed SPNs Alert for NFS HTTP HDFS
Summary: Administrators may sometimes observe alerts that indicate the Service Principal Names for the NFS, HTTP, or HDFS services are missing.
Symptoms
Under certain conditions, an alert for missing SPNs may be generated. SPN checks are typically performed after the following events on the cluster occur:
- Cluster or node rebooted
- CELOG processes and/or services are reset
- Periodic CELOG checks through the CELOG monitor
- Addition of a new AD provider
- Network configuration change (if the pool is configured with SmartConnect zone names and aliases)
AD server missing needed SPN(s) HOST/sczone.domain.com, HOST/sczone, nfs/sczone.domain.com, nfs/sczone, hdfs/sczone.domain.com, hdfs/sczone; try 'isi auth ads spn check'
Cause
The CELOG alert system periodically runs a check against each AD provider to verify that SPNs are properly registered, and may report that SPNs are "missing." This also occurs on startup when booting up nodes.
The logic used by the CELOG check is as follows:
- For each AD provider, check existing registered SPNs against configured SmartConnect zone names and aliases. If the pool with a SmartConnect zone name configured was modified (for example, including a new alias), then an SPN check against the AD provider would check against the updated information.
- In earlier versions of OneFS, if any NFS export was configured with a 'krb5' security flavor, OneFS would assume that NFS SPNs are needed for each SC zone/alias. As of 8.0.0.5/8.0.1.2/8.1.0.1 and later, NFS SPNs are assumed missing by default (if not already registered). The NFS export security flavor checks were removed.
- If HDFS is licensed, OneFS assumes that HDFS SPNs are needed for each SC zone/alias. This is true even if the service itself is not enabled on the cluster.
- HTTP SPN checks are automatically done regardless of cluster configuration as the service is enabled by default. There are no special conditions for an HTTP SPN check.
Note: CELOG and isi auth ads spn check are mutually exclusive of each other and use different functions or logic in determining missing SPNs. For example, the isi auth ads spn check command has no checks for NFS, HTTP, or HDFS-based SPNs. SC zones with no corresponding SPN are assumed missing.
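The check logic described above can be modeled in a few lines to see why the alert lists SPNs that a narrower check does not. This is an added example, not OneFS code or code from the article; the function names, the sample registered SPNs, the first-label rule for the short name, and the HOST-only model of 'isi auth ads spn check' are assumptions made for illustration.

```python
"""Model of the SPN check logic described above (illustrative, not OneFS code)."""


def expected_spns(zone_names, hdfs_licensed, include_service_spns=True):
    """Return the SPNs expected for the given SmartConnect zone names/aliases.

    include_service_spns=True models the CELOG check (HOST plus nfs, HTTP and,
    when HDFS is licensed, hdfs). False models a check that skips NFS, HTTP
    and HDFS SPNs, as the article says 'isi auth ads spn check' does
    (that it still checks HOST is an assumption of this example).
    """
    classes = ["HOST"]
    if include_service_spns:
        classes += ["nfs", "HTTP"]      # assumed needed regardless of config
        if hdfs_licensed:               # a license is enough; service may be off
            classes.append("hdfs")
    spns = []
    for name in zone_names:
        fqdn = name.rstrip(".")
        short = fqdn.split(".", 1)[0]   # assumption: short form = first DNS label
        for host in dict.fromkeys([fqdn, short]):   # de-duplicate, keep order
            spns += [f"{cls}/{host}" for cls in classes]
    return spns


def missing_spns(expected, registered):
    """Expected SPNs not registered; AD compares SPNs case-insensitively."""
    have = {s.strip().lower() for s in registered}
    return [s for s in expected if s.lower() not in have]


# Constructed sample data: one SmartConnect zone, HDFS licensed,
# only the HTTP SPNs registered so far (note the mixed case).
ZONES = ["sczone.domain.com"]
REGISTERED = ["http/SCZONE.domain.com", "HTTP/sczone"]

if __name__ == "__main__":
    celog = missing_spns(expected_spns(ZONES, hdfs_licensed=True), REGISTERED)
    narrow = missing_spns(
        expected_spns(ZONES, True, include_service_spns=False), REGISTERED)
    print("CELOG-style check reports:", ", ".join(celog))
    print("HOST-only check reports:  ", ", ".join(narrow))
```

With the constructed data, the CELOG-style result is the same set of six SPNs named in the sample alert text, while the narrower check reports only the two HOST entries.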
Resolution
The alert itself is advisory in nature and applies to one or more AD domains. SPNs are not necessarily required from a OneFS perspective, except for the cluster name itself, which is registered by default. Default SPNs such as those should never be removed. Rather, they are required in order for clients to connect to the cluster using Kerberos authentication through SMB, NFS, or HDFS. Kerberos with SMB is covered under the HOST SPN, as CIFS falls under the scope of the HOST SPN.
See the administration guides for your version of OneFS at PowerScale OneFS Info Hubs for instructions on how to manage SPNs from the cluster.
Otherwise, the alert may be ignored if the SPNs are deemed unnecessary, or they can be registered to prevent the alert in the future.
Affected Products
PowerScale OneFS
Article Properties
Article Number: 000167340
Article Type: Solution
Last Modified: 24 May 2024
Version: 5