Loading...
Loading...
After a Superna failover/failback process is done to designate the primary PowerScale cluster, you may see the following errors on the secondary cluster. 2.365102 10/21 09:26 I 0 729106 AD server missing needed SPN(s) HOST/eyeglasstest.example.org, HOST/eyeglasstest, nfs/eyeglasstest.example.org, nfs/eyeglasstest; try 'isi auth ads spn check EXAMPLE.ORG'2.365089 10/21 09:11 I 0 729106 AD server missing needed SPN(s) HOST/eyeglasstest.example.org, HOST/eyeglasstest, nfs/eyeglasstest.example.org, nfs/eyeglasstest; try 'isi auth ads spn check EXAMPLE.ORG' Upon investigation, you may find that the missing SPNs are not the same name as any of the network pool names on the secondary cluster. For example, if PowerScale clusterA shows the missing SPN alerts: CLUSTER NAME: clusterA SPN check reports the missing SPNs: clusterA-1# isi auth ads spn check EXAMPLE.ORG Possible missing SPNs: HOST/eyeglasstest.example.org HOST/eyeglasstest nfs/eyeglasstest.example.org nfs/eyeglasstest Possible extra SPNs: nfs/igls-original-eyeglasstest None of the network pool names match, shown by isi network pools list -v ." The missing SPN and network pool name must be an exact match. Other unrelated, similar names that contain part of the missing SPN do not count. Network pools of clusterA: clusterA-1# isi network pools list -v ID: groupnet0.subnet0.pool0 Groupnet: groupnet0 Subnet: subnet0 Name: pool0 Rules: rule0 Access Zone: System Allocation Method: static Aggregation Mode: lacp Description: Initial 10gige-1 pool Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1, 2:10gige-agg-1, 3:10gige-agg-1, 4:10gige-agg-1, 5:10gige-agg-1, 6:10gige-agg-1 IP Ranges: 172.20.14.41-172.20.14.46 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: d8fs14.example.org SC DNS Zone Aliases: igls-ignore-vlan14.example.org SC Subnet: subnet0 SC TTL: 0 -------------------------------------------------------------------------------- ID: groupnet0.subnet1.Eyeglass_Pool Groupnet: groupnet0 Subnet: subnet1 Name: Eyeglass_Pool Rules: - Access Zone: EyeglassRunbookRobot Allocation Method: static Aggregation Mode: lacp Description: Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1 IP Ranges: 172.20.15.6-172.20.15.6 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: igls-original-eyeglasstest.example.org SC DNS Zone Aliases: igls-robot-oco.example.org SC Subnet: subnet1 SC TTL: 0 -------------------------------------------------------------------------------- ID: groupnet0.subnet1.pool0 Groupnet: groupnet0 Subnet: subnet1 Name: pool0 Rules: - Access Zone: prod Allocation Method: static Aggregation Mode: lacp Description: Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1, 2:10gige-agg-1, 3:10gige-agg-1, 4:10gige-agg-1, 5:10gige-agg-1, 6:10gige-agg-1 IP Ranges: 172.20.15.41-172.20.15.46 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: igls-original.example.org SC DNS Zone Aliases: igls-prod.example.org SC Subnet: subnet1 SC TTL: 0 When checking the new primary cluster, clusterB, you can find the SmartConnect Pool Name that matches the missing SPN. This is the SPN that is referenced in the alert on the secondary cluster, clusterA. CLUSTER NAME: clusterB Production cluster that has that SPN + Pool Name on it: clusterB-1# isi auth ads spn list EXAMPLE.ORG | grep -i eyeglasstest SPN ---------------------------------------------------- nfs/eyeglasstest nfs/eyeglasstest.example.org HOST/eyeglasstest HOST/eyeglasstest.example.org The primary cluster's network pool name clusterB-1# isi network pools list -v ID: groupnet0.subnet1.Eyeglass_Pool Groupnet: groupnet0 Subnet: subnet1 Name: Eyeglass_Pool Rules: - Access Zone: EyeglassRunbookRobot Allocation Method: static Aggregation Mode: lacp Description: Used for Eyeglass test failover Firewall Policy: default_pools_policy Ifaces: 1:10gige-agg-1 IP Ranges: 172.29.28.5-172.29.28.5 IPv6 Perform DAD: No Rebalance Policy: auto SC Failover Policy: round_robin Static Routes: - NFSv3 RDMA RRoCE only: No SC Suspended Nodes: - SC Connect Policy: round_robin SC Zone: eyeglasstest.example.org <<<<<<<<<<<<<<<<<<< SC DNS Zone Aliases: igls-robot-rco.example.org SC Subnet: subnet1 SC TTL: 0
Superna uses the following command to add and remove SPNs. They also specify the machine account associated with the SPN in the AD domain. 2025-02-04T09:33:03,953 SSH /172.20.14.37 echo '[REDACTED]' | sudo -S -k -p "" isi auth ads spn delete EXAMPLE.ORG HOST/eyeglasstest.example.org --machine-account clusterA$ 2>&1;echo 02025-02-04T09:33:05,568 SSH /172.20.14.37 echo '[REDACTED]' | sudo -S -k -p "" isi auth ads spn delete EXAMPLE.ORG HOST/eyeglasstest --machine-account clusterA$ 2>&1;echo 02025-02-04T09:33:07,180 SSH /172.20.14.37 echo '[REDACTED]' | sudo -S -k -p "" isi auth ads spn delete EXAMPLE.ORG nfs/eyeglasstest.example.org --machine-account clusterA$ 2>&1;echo 0 Introduced in OneFS 9.5.1.1, the --machine-account option from the isi auth ads spn create/delete command is not working as intended. A command with the flag set does not remove the extra SPNs from the secondary cluster when used.
The workaround is to manually delete the SPNs from the second cluster that is affected using that cluster's CLI. This must be done without the --machine-account ; option after Superna Failover/failback. The messages can also be safely ignored, as there is no need for the missing SPN on the secondary cluster without an associated SmartConnect Pool Name. # isi auth ads spn delete <SPN name> --provider-name=<provider name>
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
BugZero Plan
Streamline upgrades with automated vendor bug scrubs
BugZero Prevent
Wish you caught this bug sooner? Get proactive today.