In Access 8.2 and later, a service principal name (SPN) must be configured in Windows to access a CIFS network share
Description
In Access 8.2 and later, a service principal name (SPN) must be configured in Windows to access a CIFS network share.
The SPN is a unique identifier of a service instance. When a Windows client connects to \\<FQDN>\<share>, it asks the domain controller for a Kerberos service ticket for cifs/<FQDN>, and the domain controller can only issue that ticket if an account in the domain has that SPN registered. Access therefore relies on an SPN that ties the fully qualified domain name of each Access virtual IP to the Access cluster's computer account in Active Directory, so that the CIFS service instance behind that IP can be authenticated with Kerberos.
https://learn.microsoft.com/en-us/windows/win32/ad/service-principal-names
To configure an SPN, you need the mapping between each virtual IP and its FQDN on the Access Appliance cluster. Each virtual IP must have a fully qualified domain name configured in DNS. List the IPs from the CLISH:
Access Management CLISH> network ip addr show
IP              Netmask/Prefix  Device  Node       Type      Status  FQDNs
--              --------------  ------  ----       ----      ------  -----
192.168.10.130  255.255.255.0   eth4    va830a-01  Physical
192.168.10.132  255.255.255.0   eth5    va830a-01  Physical
192.168.10.120  255.255.255.0   eth1    va830a-01  Physical
192.168.10.131  255.255.255.0   eth4    va830a-02  Physical
192.168.10.133  255.255.255.0   eth5    va830a-02  Physical
192.168.10.121  255.255.255.0   eth1    va830a-02  Physical
192.168.10.124  255.255.255.0   eth1    va830a-02  Virtual   ONLINE         (Con IP)
192.168.10.140  255.255.255.0   eth4    va830a-01  Virtual   ONLINE         (Dedupe IP)
192.168.10.141  255.255.255.0   eth4    va830a-02  Virtual   ONLINE         (Dedupe IP)
192.168.10.142  255.255.255.0   eth5    va830a-02  Virtual   ONLINE         (CIFS IP)
192.168.10.143  255.255.255.0   eth5    va830a-01  Virtual   ONLINE         (CIFS IP)
192.168.10.144  255.255.255.0   eth4    va830a-01  Virtual   ONLINE         (Dedupe IP)
Each IP that shows "Virtual" in the Type column should have a matching DNS entry. The FQDNs column may be blank in the Access output, but every virtual IP must be resolvable via DNS. The reverse lookup (nslookup <IP>) returns the FQDN that will be used in the SPN, and a forward lookup of that FQDN should return the same IP:
Example (Windows CMD)
C:\Users\Administrator>nslookup 192.168.10.140
Server: localhost
Address: 127.0.0.1
Name: va830a-vip1.vtas.local
Address: 192.168.10.140
C:\Users\Administrator>nslookup 192.168.10.141
Server: localhost
Address: 127.0.0.1
Name: va830a-vip2.vtas.local
Address: 192.168.10.141
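The check above, done for every virtual IP at once. This is an added example, not part of the Veritas article: it parses the text of "network ip addr show" (the article's own output, pasted in as a constructed here-string), picks out the rows whose Type is Virtual, and for each IP does the reverse (PTR) lookup and then a forward (A) lookup of the returned name, reporting any IP that has no PTR record or whose name does not resolve back to the same address. Resolve-DnsName is the built-in Windows cmdlet; the function names are my own.

```powershell
# Added example (not from the Veritas KB). Run on a Windows host that uses
# the same DNS servers as the CIFS clients.

# Constructed input: the "network ip addr show" output copied from the article.
$clishOutput = @'
192.168.10.130  255.255.255.0   eth4    va830a-01  Physical
192.168.10.132  255.255.255.0   eth5    va830a-01  Physical
192.168.10.120  255.255.255.0   eth1    va830a-01  Physical
192.168.10.131  255.255.255.0   eth4    va830a-02  Physical
192.168.10.133  255.255.255.0   eth5    va830a-02  Physical
192.168.10.121  255.255.255.0   eth1    va830a-02  Physical
192.168.10.124  255.255.255.0   eth1    va830a-02  Virtual   ONLINE   (Con IP)
192.168.10.140  255.255.255.0   eth4    va830a-01  Virtual   ONLINE   (Dedupe IP)
192.168.10.141  255.255.255.0   eth4    va830a-02  Virtual   ONLINE   (Dedupe IP)
192.168.10.142  255.255.255.0   eth5    va830a-02  Virtual   ONLINE   (CIFS IP)
192.168.10.143  255.255.255.0   eth5    va830a-01  Virtual   ONLINE   (CIFS IP)
192.168.10.144  255.255.255.0   eth4    va830a-01  Virtual   ONLINE   (Dedupe IP)
'@

function Get-VirtualIPs {
    # Yield one object per row whose Type column (5th field) is "Virtual".
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -match '^\d+\.\d+\.\d+\.\d+$' -and $f[4] -eq 'Virtual') {
            [pscustomobject]@{ IP = $f[0]; Node = $f[3]; Status = $f[5] }
        }
    }
}

function Test-VipDns {
    # Reverse-resolve the IP (what "nslookup <ip>" does in the article), then
    # confirm the returned name resolves forward to the same IP. The SPN will be
    # cifs/<that name>, so both directions have to agree.
    param([string]$IP)
    $r = [pscustomobject]@{ IP = $IP; FQDN = $null; ForwardOK = $false; Problem = $null }
    try {
        $ptr = Resolve-DnsName -Name $IP -Type PTR -ErrorAction Stop |
               Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        $r.FQDN = $ptr.NameHost.TrimEnd('.')
        $a = Resolve-DnsName -Name $r.FQDN -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        $r.ForwardOK = ($a.IPAddress -contains $IP)
        if (-not $r.ForwardOK) { $r.Problem = "A record for $($r.FQDN) does not point to $IP" }
    } catch {
        $r.Problem = $_.Exception.Message   # typically: no PTR record for the IP
    }
    $r
}

$report = Get-VirtualIPs -Text $clishOutput | ForEach-Object { Test-VipDns -IP $_.IP }
$report | Format-Table -AutoSize

# Names that are safe to use in cifs/<FQDN> SPNs:
$report | Where-Object { $_.ForwardOK } | Select-Object -ExpandProperty FQDN
```

Any row with a Problem value needs its DNS fixed before an SPN is added for it; an SPN for a name that does not resolve to the virtual IP will never be matched by a client's ticket request.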
It is necessary to add a CIFS SPN (cifs/<FQDN>) for each virtual IP that may be used to host a CIFS share. Attempting to connect to a CIFS share through a virtual IP that has no SPN defined results in a failed connection to the share.
Veritas Access Appliance 8.2 Administrator's Guide - About Managing CIFS Shares
In a DNS-enabled environment, the SPN must be set on the AD server (domain controller).
In a non-DNS-enabled environment, each Windows client that accesses the shares must define a local hosts entry for the FQDN and set an SPN entry per client.
You can add an SPN using the following syntax, run on a domain-joined Windows host by an account that is allowed to modify the Access computer object (for example a Domain Admin):
Windows CMD> setspn -T <Domain Workgroup> -s cifs/<Fully Qualified Domain Name> <Access virtual clustername>
-T names the domain to query, and -s registers the SPN only after checking that no other account already holds it. A duplicate SPN on two accounts breaks Kerberos authentication for both, so do not bypass that check with -a.
ex.
C:\Users\Administrator>setspn -T VTAS -s cifs/va830a-vip3.vtas.local va830a
You can find the workgroup name using the following Windows CMD command on the Windows client/server:
CMD> net config workstation
ex.
C:\Users\Administrator>net config workstation
Computer name \\DC1
Full Computer name dc1.vtas.local
User name Administrator
...
Workstation domain VTAS <<<
Workstation Domain DNS Name vtas.local
Logon domain VTAS
The Access virtual clustername is the NetBIOS name shown in the output of "network ad show" in the CLISH:
va830a> network ad show
Name Value
================= =============
Domain VTAS.LOCAL
netbios name va830a
workgroup VTAS
Domain Controller 192.168.10.10
Domain user Administrator
Status Enabled
You can determine which IP/FQDN is being used for a CIFS share by listing the share details in the CLISH:
va830a> cifs share show
ShareName FileSystem ShareOptions
=========== ========== =======================================================================================================
stripeshare stripevol owner=root,group=root,fs_mode=1777,rw,allow=VTAS\danny
guishare guifs owner=root,group=root,fs_mode=1777,create_mask=775,allow=VTAS\Administrator,dir_mask=775,rw,no_full_acl
va830a> cifs share show guishare
ShareName VIP Address
========= ======================
guishare va830a-vip3.vtas.local
ShareName va830a-01 va830a-02
========= ========= =========
guishare ONLINE ONLINE
For a Windows client to access \\va830a-vip3.vtas.local\guishare, the following SPN must be registered on the va830a computer object in the domain, so that the client can obtain a Kerberos ticket for cifs/va830a-vip3.vtas.local:
CMD> setspn -T VTAS -s cifs/va830a-vip3.vtas.local va830a
Note: DNS aliases (CNAME records) can be configured for a virtual IP, but the Kerberos ticket request uses the name the client typed, so an additional SPN must be defined for each alias before a share can be connected via that alias:
IP: 192.168.10.142
FQDN: va830a-vip3.vtas.local
DNS alias: alias1.vtas.local
C:\Users\Administrator> ping va830a-vip3.vtas.local -n 1
Pinging va830a-vip3.vtas.local [192.168.10.142] with 32 bytes of data:
Reply from 192.168.10.142: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.10.142:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\Administrator> ping alias1.vtas.local -n 1
Pinging va830a-vip3.vtas.local [192.168.10.142] with 32 bytes of data:
Reply from 192.168.10.142: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.10.142:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Listing the currently defined SPNs:
C:\Users\Administrator>setspn -l va830a
Registered ServicePrincipalNames for CN=VA830A,CN=Computers,DC=vtas,DC=local:
cifs/va830a-vip3.vtas.local
cifs/va830a-vip2.vtas.local
cifs/va830a-vip1.vtas.local
cifs/va830a-vip4.vtas.local
RestrictedKrbHost/VA830A
HOST/VA830A
RestrictedKrbHost/VA830A.vtas.local
HOST/VA830A.vtas.local
Trying to map a share using the alias before defining an SPN for the alias fails. Note that the error reports a bad password even though the credentials are correct; the cause is the missing SPN:
C:\Users\Administrator>net use * "\\alias1.vtas.local\guishare"
Enter the user name for 'alias1.vtas.local': Administrator
Enter the password for alias1.vtas.local:
System error 86 has occurred.
The specified network password is not correct.
Adding the alias as an SPN:
C:\Users\Administrator>setspn -T VTAS -s cifs/alias1.vtas.local va830a
Checking domain DC=vtas,DC=local
Registering ServicePrincipalNames for CN=VA830A,CN=Computers,DC=vtas,DC=local
cifs/alias1.vtas.local
Updated object
Now mapping the share via CMD works with the same credentials:
C:\Users\Administrator>net use * "\\alias1.vtas.local\guishare"
Drive Z: is now connected to \\alias1.vtas.local\guishare.
The command completed successfully.
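The setspn procedure above (the cifs/<FQDN> registration for each virtual IP, and the extra SPN per DNS alias), done in one pass with the checks a practitioner would want. This is an added example, not code from the Veritas article: for each name it queries with setspn -Q whether the SPN already exists anywhere, refuses to add it if another account holds it (a duplicate SPN breaks Kerberos for both accounts), adds it with setspn -s when it is missing, and then uses klist get to request a service ticket for cifs/<name>, which is the step that fails when the SPN is absent. Run it on a domain-joined Windows host as an account allowed to modify the Access computer object. The domain, account and names are the article's (VTAS, va830a, va830a-vip3.vtas.local, alias1.vtas.local); the function names and the output-string matching against setspn and klist are my own and should be checked against your Windows version.

```powershell
# Added example (not from the Veritas KB). Requires setspn.exe and klist.exe
# (both ship with Windows / RSAT) and a domain-joined host.

$Domain  = 'VTAS'                        # "Workstation domain" from net config workstation
$Account = 'va830a'                      # "netbios name" from network ad show
$Names   = @('va830a-vip3.vtas.local',   # VIP FQDNs that host CIFS shares ...
             'alias1.vtas.local')        # ... plus every DNS alias clients will use

function Get-SpnOwner {
    # Returns the DN of the object that currently holds $Spn, or $null if none.
    # Assumes the "setspn -Q" output format: the owning DN on a line starting
    # with "CN=", or the text "No such SPN found" when nothing holds it.
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    if ($out -match 'No such SPN found') { return $null }
    return ($out | Where-Object { $_ -match '^CN=' } | Select-Object -First 1)
}

function Register-CifsSpn {
    # Idempotently register cifs/$Fqdn on $Account. Returns $true when the SPN
    # is registered on $Account afterwards, $false if it was refused.
    param([string]$Fqdn)
    $spn   = "cifs/$Fqdn"
    $owner = Get-SpnOwner -Spn $spn
    if ($owner -and $owner -notmatch "^CN=$([regex]::Escape($Account)),") {
        # Another object holds it: the KDC could not tell whose key to use, so
        # adding it here would break Kerberos for both. Fix the other object first.
        Write-Warning "$spn is already registered on $owner; not adding it to $Account"
        return $false
    }
    if ($owner) {
        Write-Host "$spn already registered on $Account"
        return $true
    }
    # -s checks for duplicates again before writing; -T names the domain.
    & setspn.exe -T $Domain -s $spn $Account | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-CifsSpnTicket {
    # Ask the KDC for a service ticket for cifs/$Fqdn. When the SPN is not
    # registered anywhere, klist reports a failure instead of listing a ticket
    # with "Server: cifs/<name> @ <REALM>"; that missing ticket is the state
    # behind "System error 86" in the article.
    param([string]$Fqdn)
    $text = (& klist.exe get "cifs/$Fqdn" 2>&1) -join "`n"
    return ($text -notmatch 'klist failed') -and
           ($text -match "Server:\s+cifs/$([regex]::Escape($Fqdn))")
}

foreach ($name in $Names) {
    if (Register-CifsSpn -Fqdn $name) {
        $ok = Test-CifsSpnTicket -Fqdn $name
        '{0,-32} ticket: {1}' -f "cifs/$name", $(if ($ok) { 'OK' } else { 'FAILED' })
    }
}

# Final state, same as "setspn -l va830a" in the article.
& setspn.exe -L $Account
```

A name that registers but whose ticket test still fails usually points back at DNS (the name does not resolve to the virtual IP) or at a ticket obtained before the SPN existed; in the latter case purge the client's ticket cache with klist purge and rerun the test.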
Note: Windows may cache credentials and connections in open Explorer or CMD windows. If credentials are accepted or rejected inconsistently, close all Explorer/CMD windows and disconnect any existing mapping to the share (net use <drive>: /delete) before testing again.