How to Manage Custom Non-Default SPNs for Failover and Advanced SPN Handling
- Overview
- Unsupported Use of this Feature
- SPN Handling in Eyeglass
- Use Cases:
- How to add support for custom SPNs for auto insertion to AD and Failover
- How to Disable SPN processing during Configuration Sync Jobs
- Other Advanced SPN Handling of validations
Overview
The default SPN used for Kerberos Windows client failover is HOST\, and Eyeglass manages it for failover in all releases. New in release 2.5.6 and later is the ability to add custom SPNs to be inserted into AD, based on SmartConnect names and aliases, and managed through the failover process. In addition, the igls- prefix alias SPN is also auto-inserted to suppress PowerScale alarms about missing SPNs. These SPNs are also failed over to avoid creating new alarms after a failover.
Unsupported Use of this Feature
SPN Handling in Eyeglass
This table shows each Eyeglass job type or function and how SPNs are managed.
Use Cases:
- Kerberos NFS.
- HADOOP deployments (HDFS\xxxx, WEB\xxxx).
- SMB load balancers that use the CIFS\xxxx SPN.
- Any other custom requirement.
How to add support for custom SPNs for auto insertion to AD and Failover
- Log in to Eyeglass as the admin user.
- nano /opt/superna/sca/data/system.xml
- Locate the tag <process>.
- Locate the <spnserviceclass> tag and edit it as described below:
- Include upper-case HOST and then add the other SPN prefixes that are required. NOTE: OneFS 8.2 and later will add nfs, hdfs and http (NOTE: lower case); 2.5.6 can be configured to manage these SPNs as well. Use the example below.
- <spnserviceclass>HOST,nfs,hdfs,http</spnserviceclass>
- control + x to save and exit
- sudo -s (enter admin password)
- systemctl restart sca
- The above tag will insert the nfs, hdfs and web SPNs (with exact case) into the AD SPN property for ALL SmartConnect names and aliases.
- The new AD validation will validate that the new SPN service classes are in AD and raise a warning if they are not present. If AD delegation is done correctly, Eyeglass will repair and insert any missing service class SPNs.
- Failover will automatically manage all service class SPNs in this tag for failover between clusters.
- Done.
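A check that can be run on the edited file before `systemctl restart sca`, given here as an added example and not part of Eyeglass or the original procedure. The function name `check_spn_classes` and the sample file are constructed for illustration; treating whitespace inside an entry as a warning is an assumption, based only on the fact that the page's example tag contains none.

```shell
#!/usr/bin/env bash
# Added example: pre-restart check of the <spnserviceclass> edit in system.xml.
# Prints one finding per line; returns 0 when no ERROR was found, 1 otherwise.
check_spn_classes() {
  local file=$1 block value count rc=0 cls lower
  # Only the text between <process> and </process> is considered.
  block=$(sed -n '/<process>/,/<\/process>/p' "$file")
  count=$(printf '%s\n' "$block" | grep -c '<spnserviceclass>' || true)
  if [ "$count" -ne 1 ]; then
    echo "ERROR: expected one <spnserviceclass> inside <process>, found $count"
    return 1
  fi
  value=$(printf '%s\n' "$block" |
    sed -n 's:.*<spnserviceclass>\(.*\)</spnserviceclass>.*:\1:p')
  # Upper-case HOST must be one of the comma-separated entries.
  case ",$value," in
    *,HOST,*) ;;
    *) echo "ERROR: upper-case HOST is missing from '$value'"; rc=1 ;;
  esac
  local IFS=,
  for cls in $value; do
    lower=$(printf '%s' "$cls" | tr '[:upper:]' '[:lower:]')
    # Assumption: stray whitespace is flagged because the page's example has none.
    case "$cls" in
      *[[:space:]]*) echo "WARN: whitespace in entry '$cls'" ;;
    esac
    # OneFS 8.2 and later adds these in lower case; the tag is inserted with exact case.
    case "$lower" in
      nfs|hdfs|http)
        [ "$cls" = "$lower" ] || { echo "ERROR: '$cls' should be '$lower'"; rc=1; } ;;
    esac
  done
  if printf '%s\n' "$block" | grep -q '<disablespnaudit>true</disablespnaudit>'; then
    echo "WARN: disablespnaudit is true, SPN processing in Configuration Sync is off"
  fi
  return $rc
}

# Constructed sample (not a real system.xml): lower-case host, upper-case HDFS.
sample=$(mktemp)
printf '%s\n' '<process>' '  <spnserviceclass>host,nfs,HDFS,http</spnserviceclass>' '</process>' > "$sample"
check_spn_classes "$sample" || echo "Fix the tag before running: systemctl restart sca"
```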
How to Disable SPN processing during Configuration Sync Jobs
This can be disabled when SPNs and AD are not required.
- SSH to Eyeglass as admin
- sudo -s (enter admin password)
- nano /opt/superna/sca/data/system.xml
- Inside the <process> tag insert the tag below
- <disablespnaudit>true</disablespnaudit>
- control + x to save
- systemctl restart sca
Other Advanced SPN Handling of validations
The SPN validation in the UI verifies that all SPNs are registered and that SPN delegation has been completed. See the admin guide for more information.