Access to CIFS share with Kerberos fails due to missing SPN
Applies to
- ONTAP 9
- SMB/CIFS
- smbclient
- Windows 10
Issue
- smbclient cannot connect to CIFS share
user@linux:~$ smbclient -k //cifsshare.cifs.lab.netapp.com/foldername
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/cifsshare.cifs.lab.netapp.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
user@linux:~$ kvno -S cifs cifsshare.cifs.lab.netapp.com
kvno: Server not found in Kerberos database while getting credentials for cifs/cifsshare.cifs.lab.netapp.com@cifs.lab.netapp.com
- Windows client can access the share on SVM testsvm via the UNC path \\cifsshare.cifs.lab.netapp.com\foldername, but ONTAP shows NTLMv2 authentication instead of Kerberos
cluster::> cifs connection show -node node-01 -vserver testsvm

Node: Node-01
Vserver: Testsvm
Connection   Session                 Workstation
ID           IDs                     Workstation IP Port  LIF IP
------------ ----------------------- -------------- ----- ------------
214212346928 73442240404030430430430 192.168.0.1    55283 192.168.0.10

cluster::> cifs session show -node node-01 -vserver testsvm -instance

Vserver: Testsvm
Node: Node-01
Session ID: 214212346928
Connection ID: 73442240404030430430430
[...]
Authentication Mechanism: NTLMv2
[...]
- KDC is discovered and reachable
- DNS is correct via IP and FQDN (nslookup)
- SECD log shows the login attempt using NTLMv2 instead of Kerberos:
debug: Worker Thread 34507227648 processing RPC 151:secd_rpc_auth_extended with request ID:21167 which sat in the queue for 0 seconds. { in run() at src/server/secd_rpc_server.cpp:2306 }
debug: Setting thread context. VServerId = 7 (name='testsvm'), Protocol = CIFS, lifId = 0 { in setThreadContext() at src/utils/secd_thread_data_manager.cpp:415 }
debug: Setting client info Module = 1 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:513 }
debug: Setting client info Op = 0 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:517 }
debug: Setting client info OpInstanceId = 197 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:521 }
debug: Setting client info Client IP = xxxxxxxxxxxxx { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:525 }
debug: secd_rpc_auth_extended_1_svc called with vserver = testsvm { in secd_rpc_auth_extended_1_svc() at src/authentication/secd_rpc_auth.cpp:1219 }
info : Login attempt by domain user 'pii_encrypt/u/xxxxxxxxxx=/pii_encrypt' using NTLMv2 style security
Or the Kerberos AP-REQ ticket cannot be decrypted with the SVM's keytab key:
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] .------------------------------------------------------------------------------.
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | RPC SUCCESS: |
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | secd_rpc_auth_extended has succeeded |
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | Result = 0, RPC Result = 0 |
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | RPC received at Fri May 22 09:26:05 2026 |
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] |------------------------------------------------------------------------------'
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.020] debug: Worker Thread 34516529920 processing RPC 151:secd_rpc_auth_extended(caller: NBLADE_CIFS) with request ID:10124 which sat in the queue for 0 seconds. { in run() at src/server/secd_rpc_server.cpp:2461 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.033] debug: Setting thread context. VServerId = 22 (name='testsvm'), Protocol = CIFS, lifId = 0 { in setThreadContext() at src/utils/secd_thread_data_manager.cpp:415 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.040] debug: Setting client info Module = 1 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:513 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.044] debug: Setting client info Op = 0 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:517 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.047] debug: Setting client info OpInstanceId = 782764877 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:521 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.051] debug: Setting client info Client IP = 10.10.10.10 { in setThreadContextClientInfo() at src/utils/secd_thread_data_manager.cpp:525 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.057] debug: secd_rpc_auth_extended_1_svc called with vserver = testsvm { in secd_rpc_auth_extended_1_svc_secd() at src/authentication/secd_rpc_auth.cpp:1577 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.911] info : [krb5 context 1529B200] Retrieving cifs/cifsshare.cifs.lab.netapp.com@lab.netapp.com from SPINKT:kt:C:22 (vno 3, enctype aes256-cts) with result: 0/Success
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.000.956] info : [krb5 context 1529B200] Failed to decrypt AP-REQ ticket: -1765328353/Cannot decrypt ticket for cifs/cifsshare.cifs.lab.netapp.com@lab.netapp.com using keytab key for cifs/cifsshare.cifs.lab.netapp.com@lab.netapp.com
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.001.004] info : Error accepting security context for Vserver identifier (22). Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY).
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.001.015] info : Decrypt integrity check failed (KRB5KRB_AP_ERR_BAD_INTEGRITY)
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.001.415] debug: acceptContext return state: 2, output blob length: 146, ntstatus: NT_STATUS_UNSUCCESSFUL(0xc0000001) { in secd_rpc_auth_extended_1_svc_secd() at src/authentication/secd_rpc_auth.cpp:1618 }
Fri May 22 2026 09:26:05 +09:00 [kern_secd:info:14814] | [000.001.424] debug: SecD RPC Server sending reply to RPC 151: secd_rpc_auth_extended { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:2273 }
- The SPNs of the SVM's machine account do not include the FQDN used to access the share (cifsshare.cifs.lab.netapp.com):
C:\> setspn -Q host/testsvm
Checking domain DC=cifs,DC=lab,DC=netapp,DC=com
CN=10-53-21-46,CN=Computers,DC=cifs,DC=lab,DC=netapp,DC=com
HOST/testsvm
HOST/testsvm.cifs.lab.netapp.com
CIFS/testsvm.cifs.lab.netapp.com
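As an added example (not part of this KB or of ONTAP), a Python check that mirrors the two diagnostics above: it parses setspn -Q output to decide whether a CIFS ticket for the FQDN clients actually use is covered by the machine account's SPNs, and tags the SECD log lines that reveal the NTLMv2 fallback or the Kerberos decrypt failure. The SPN list is constructed from the setspn output on this page; the rule that HOST/ also satisfies cifs/ follows the Windows KDC's default sPNMappings.

```python
import re

# Constructed sample: the SPNs registered on the SVM machine account,
# copied from the 'setspn -Q host/testsvm' output in this KB.
SETSPN_OUTPUT = """\
Checking domain DC=cifs,DC=lab,DC=netapp,DC=com
CN=10-53-21-46,CN=Computers,DC=cifs,DC=lab,DC=netapp,DC=com
HOST/testsvm
HOST/testsvm.cifs.lab.netapp.com
CIFS/testsvm.cifs.lab.netapp.com
"""

def parse_spns(setspn_output):
    """Return the SPNs (service/host) from 'setspn -Q' output, lower-cased.
    Service class and host name matching on a Windows KDC is
    case-insensitive, so normalise before comparing."""
    return {line.strip().lower() for line in setspn_output.splitlines()
            if "/" in line and not line.startswith(("Checking", "CN="))}

def spn_covers_share(spns, share_fqdn):
    """A TGS request for cifs/<fqdn> succeeds when the account holds either
    cifs/<fqdn> or HOST/<fqdn>: HOST is an alias class that the KDC maps to
    cifs (among others) through its default sPNMappings."""
    fqdn = share_fqdn.lower()
    return f"cifs/{fqdn}" in spns or f"host/{fqdn}" in spns

# SECD signatures from this KB: Kerberos was skipped, or it was tried and failed.
_NTLM_FALLBACK = re.compile(r"using NTLMv2 style security")
_KRB_BAD_INTEGRITY = re.compile(r"KRB5KRB_AP_ERR_BAD_INTEGRITY")

def classify_secd_line(line):
    """Tag one SECD log line: 'ntlm_fallback' when a domain user was
    authenticated with NTLMv2, 'krb_bad_integrity' when an AP-REQ could not
    be decrypted with the keytab key, None for anything else."""
    if _NTLM_FALLBACK.search(line):
        return "ntlm_fallback"
    if _KRB_BAD_INTEGRITY.search(line):
        return "krb_bad_integrity"
    return None

if __name__ == "__main__":
    spns = parse_spns(SETSPN_OUTPUT)
    # The SVM's own name is covered; the alias clients use is not.
    for host in ("testsvm.cifs.lab.netapp.com", "cifsshare.cifs.lab.netapp.com"):
        print(f"cifs/{host}: {'covered' if spn_covers_share(spns, host) else 'MISSING'}")
```

Run the script against the setspn output of the SVM account and feed SECD lines to classify_secd_line to confirm that a MISSING result lines up with the NTLMv2 fallback or BAD_INTEGRITY entries.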
