PowerScale: OneFS: AD Server Missing Needed SPNs Alert for NFS HTTP HDFS
Summary: Administrators may sometimes observe alerts that indicate the Service Principal Names for the NFS, HTTP, or HDFS services are missing.
Symptoms
Under certain conditions, an alert for missing SPNs may be generated. SPN checks are typically performed after the following events on the cluster occur:
- Cluster or node rebooted
- CELOG processes and/or services are reset
- Periodic CELOG checks through the CELOG monitor
- Addition of a new AD provider
- Network configuration change (if the pool is configured with SmartConnect zone names and aliases)
AD server missing needed SPN(s) HOST/sczone.domain.com, HOST/sczone, nfs/sczone.domain.com, nfs/sczone, hdfs/sczone.domain.com, hdfs/sczone; try 'isi auth ads spn check'
Cause
The CELOG alert system periodically runs a check against each AD provider to verify that SPNs are properly registered, and may report that SPNs are "missing." This also occurs on startup when booting up nodes.
The logic used by the CELOG check is as follows:
- For each AD provider, check existing registered SPNs against configured SmartConnect zone names and aliases. If the pool with a SmartConnect zone name configured was modified (for example, including a new alias), then an SPN check against the AD provider would check against the updated information.
- In earlier versions of OneFS, if any NFS export was configured with a 'krb5' security flavor, the check assumed that NFS SPNs are needed for each SC zone/alias. As of 8.0.0.5/8.0.1.2/8.1.0.1 and later, NFS is assumed missing by default (if not already registered). The NFS export security flavor checks were removed.
- If HDFS is licensed, OneFS assumes that HDFS SPNs are needed for each SC zone/alias. This is true even if the service itself is not enabled on the cluster.
- HTTP SPN checks are automatically done regardless of cluster configuration as the service is enabled by default. There are no special conditions for an HTTP SPN check.
Note: CELOG and 'isi auth ads spn check' are mutually exclusive of each other and use different functions or logic in determining missing SPNs. For example, the 'isi auth ads spn check' command has no checks for NFS, HTTP or HDFS-based SPNs. SC zones with no corresponding SPN are assumed missing.
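The check logic listed above can be modeled offline to predict which SPNs an alert will name for a given set of SmartConnect zone names. This is an added example, not OneFS code: the function names, the registered-SPN list, the case-insensitive comparison, and the pairing of FQDN and short-name forms (inferred from the sample alert text) are assumptions.

```python
"""Model of the CELOG missing-SPN logic as this article describes it (not OneFS code)."""
import re

def expected_spns(zone_names, hdfs_licensed):
    """SPNs the described check expects for SmartConnect zone names and aliases (FQDNs)."""
    # HOST, HTTP and (8.0.0.5/8.0.1.2/8.1.0.1 and later) nfs are always expected;
    # hdfs is expected whenever HDFS is licensed, even if the service is disabled.
    services = ["HOST", "HTTP", "nfs"] + (["hdfs"] if hdfs_licensed else [])
    spns = []
    for fqdn in zone_names:
        short = fqdn.split(".", 1)[0]
        for svc in services:
            # Assumption from the sample alert: FQDN and short-name forms are both checked.
            for host in (fqdn, short):
                spn = f"{svc}/{host}"
                if spn not in spns:
                    spns.append(spn)
    return spns

def missing_spns(zone_names, registered, hdfs_licensed):
    """Expected SPNs absent from the registered list (assumed case-insensitive match)."""
    have = {s.lower() for s in registered}
    return [s for s in expected_spns(zone_names, hdfs_licensed) if s.lower() not in have]

def parse_alert(message):
    """Group the SPNs named in a 'missing needed SPN(s)' alert by service class."""
    m = re.search(r"missing needed SPN\(s\)\s+(.*?);", message)
    grouped = {}
    for spn in (m.group(1).split(",") if m else []):
        svc, _, host = spn.strip().partition("/")
        grouped.setdefault(svc, []).append(host)
    return grouped

# Constructed sample data: the zone name comes from the article's alert text; the
# registered list is invented for illustration (only the HTTP SPNs exist in AD).
ZONES = ["sczone.domain.com"]
REGISTERED = ["HTTP/sczone.domain.com", "http/sczone"]
ALERT = ("AD server missing needed SPN(s) HOST/sczone.domain.com, HOST/sczone, "
         "nfs/sczone.domain.com, nfs/sczone, hdfs/sczone.domain.com, hdfs/sczone; "
         "try 'isi auth ads spn check'")

if __name__ == "__main__":
    print(missing_spns(ZONES, REGISTERED, hdfs_licensed=True))
    print(parse_alert(ALERT))
```

Grouping the alert by service class makes it easier to decide which entries correspond to protocols clients actually use with Kerberos and which are flagged only because of the default assumptions.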
Resolution
The alert itself is advisory in nature and applies to one or more AD domains. SPNs are not necessarily required from a OneFS perspective, except for the cluster name itself, which is registered by default. Default SPNs such as those should never be removed. Rather, SPNs are required in order for clients to connect to the cluster using Kerberos authentication through SMB, NFS, or HDFS. Kerberos with SMB is covered under the HOST SPN, as CIFS falls under the HOST SPN scope.
See the administration guides for your version of OneFS at PowerScale OneFS Info Hubs for instructions on how to manage SPNs from the cluster.
Otherwise, the alert may be ignored if the SPNs are deemed unnecessary, or they can be registered to prevent the alert in the future.
Affected Products
PowerScale OneFS
Products
PowerScale OneFS
Article Properties
Article Number: 000167340
Article Type: Solution
Last Modified: 24 May 2024
Version: 5