DR Design Guides

How to Manage Custom Non-Default SPNs for Failover and Advanced SPN Handling



The default SPN used for Kerberos Windows client failover is HOST\   and Eyeglass manages it for failover in all releases. New in release 2.5.6 and later is the ability to add custom SPNs that are inserted into AD, based on SmartConnect names and aliases, and managed through the failover process. In addition, the igls- prefix alias SPN is also auto-inserted to suppress PowerScale alarms about missing SPNs. These SPNs are also failed over to avoid creating new alarms after a failover.

Unsupported Use of this Feature

This feature is only supported for customers that use HDFS Hadoop for failover. A known bug in OneFS raises an alarm for missing SPNs for HDFS, NFS and HTTP. These SPNs are used with Hadoop deployments and are not required for NFS or SMB failover. This feature is not supported as a way to suppress these alarms on Isilon. Contact Dell support for the procedure to suppress the alarms that OneFS raises incorrectly when the HDFS protocol is not enabled or licensed on a cluster.

SPN Handling in Eyeglass

This table shows each Eyeglass job type or function and how SPNs are managed.

| Eyeglass job type or function | Full SPN | Short SPN | igls-hint-, igls-original- |
|---|---|---|---|
| Readiness Job (check for SPN errors, no create/delete) - database | Yes, checks for Full SPN version like HOST/a.b.net. | No, does not check for Short SPN version like HOST/a. | No, does not check for missing igls-hint- and igls-original- in GUI. But raises alarms (can’t find them in Alarm GUI) about them in debug.log. |
| Inventory / Configuration Replication (creates missing SPNs, no delete) - OneFS/isi auth ads spn check | Yes, creates for Full SPN version like HOST/a.b.net. | No, does not create Short SPN version, example HOST/a. | Yes, creates all missing igls-hint-, example igls-clusterABnet-PROD, and igls-original-, like /igls-original-a.b.net. |
| Access Zone/Pool Failover (deletes and creates SPNs) | Yes, creates for Full SPN version like HOST/a.b.net for Target cluster. Also deletes on other cluster before creating the above. | Yes, creates for Short SPN version, example HOST/a, for Target cluster. Also deletes on other cluster before creating the above. | Yes, creates Full and Short SPN version for Source cluster, example HOST/igls-original-a.b.net and HOST/igls-a. Also deletes on other cluster before creating the above. |

Use Cases:

  1. Kerberos NFS.
  2. Hadoop deployments (HDFS\xxxx, WEB\xxxx).
  3. SMB load balancers that use the CIFS\xxxx SPN.
  4. Any other custom requirement.

How to add support for custom SPNs for auto insertion to AD and Failover

To add support for additional non-standard SPNs, follow these steps:

  1. Log in to Eyeglass as the admin user.
  2. nano /opt/superna/sca/data/system.xml
  3. Locate the <process> tag.
  4. Locate the <spnserviceclass> tag and edit it as shown below:
    1. Include upper case HOST and then add the other SPN prefixes that are required. NOTE: OneFS 8.2 and later will add nfs, hdfs and http (NOTE: lower case); 2.5.6 can be configured to manage these SPNs as well. Use the example below.
  5. <spnserviceclass>HOST,nfs,hdfs,http</spnserviceclass>
  6. Control + X to save and exit.
  7. sudo -s (enter admin password)
  8. systemctl restart sca
  9. The above tag will insert the nfs, hdfs and web SPNs (with exact case) into the AD SPN property for ALL SmartConnect names and aliases.
  10. The new AD validation will validate that the new SPN service classes are in AD and raise a warning if they are not present. If AD delegation is done correctly, Eyeglass will repair and insert any missing service class SPNs.
  11. Failover will automatically manage all service class SPNs in this tag for failover between clusters.
  12. Done.
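
The following script is an added example, not part of Eyeglass or its documentation. It reads the <spnserviceclass> list from a constructed system.xml fragment, builds the Full SPNs that configuration replication would insert for each SmartConnect name (the table above says Short SPNs are not created by that job), and reports which ones are missing from a constructed SPN listing. The <config> root element, the function names, the sample data and the case-handling rule are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: only <process> and <spnserviceclass> come from the
# page; the <config> root element is an assumption about system.xml.
SAMPLE_XML = """<config>
  <process>
    <spnserviceclass>HOST,nfs,hdfs,http</spnserviceclass>
  </process>
</config>"""

# Constructed SPN listing for the cluster's AD machine account.
SAMPLE_REGISTERED = ["HOST/a.b.net", "nfs/a.b.net", "HDFS/a.b.net", "HOST/a"]


def service_classes(xml_text):
    """Return the classes in <process>/<spnserviceclass>, case preserved."""
    tag = ET.fromstring(xml_text).find(".//process/spnserviceclass")
    if tag is None or not (tag.text or "").strip():
        raise ValueError("no <spnserviceclass> inside <process>")
    classes = [c.strip() for c in tag.text.split(",") if c.strip()]
    if "HOST" not in classes:
        raise ValueError("upper-case HOST must stay in the list")
    return classes


def expected_spns(classes, smartconnect_names):
    """Full (FQDN) SPNs only: per the table, sync creates no Short SPNs."""
    return [f"{c}/{n.lower()}" for n in smartconnect_names for c in classes]


def missing_spns(expected, registered):
    """Assumed rule: service class matches with exact case, host ignores case."""
    def key(spn):
        cls, _, host = spn.partition("/")
        return cls, host.lower()
    have = {key(s) for s in registered}
    return [s for s in expected if key(s) not in have]


def audit(xml_text, smartconnect_names, registered):
    """Return the expected SPNs that the registered listing does not contain."""
    classes = service_classes(xml_text)
    return missing_spns(expected_spns(classes, smartconnect_names), registered)


if __name__ == "__main__":
    for spn in audit(SAMPLE_XML, ["a.b.net"], SAMPLE_REGISTERED):
        print("missing:", spn)
```

In the sample data the upper-case HDFS/a.b.net entry does not satisfy the lower-case hdfs class, so it is reported as missing alongside http/a.b.net.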

How to Disable SPN processing during Configuration Sync Jobs

SPN processing can be disabled when SPNs and AD are not required.

  1. SSH to eyeglass as admin
  2. sudo -s (enter admin password)
  3. nano /opt/superna/sca/data/system.xml
  4. Inside the <process> tag, insert the tag below
  5. <disablespnaudit>true</disablespnaudit>
  6. control + x to save
  7. systemctl restart sca

Other Advanced SPN Handling of validations

The SPN validation in the UI verifies that all SPNs are registered and that SPN delegation has been completed. See the admin guide for more information.

© Superna LLC