Should SPNs per data SVM be added to the cluster machine account for Kerberos?
Applies to
- ONTAP 9
- Kerberos
- CIFS
- NFS
Answer
No, each storage virtual machine (SVM) must have its own machine account in the Kerberos Realm. Multiple SVMs cannot own the same machine account.
Note: Outside of this scenario, however, multiple SPNs can be added to a single machine/computer account.
Example:
VMware NFS and Kerberos: Add an SPN matching the FQDN of each NFS LIF of an SVM to that SVM's machine account, so that a client can target a specific LIF to mount from and still mount with Kerberos authentication.
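The following PowerShell is an added example, not part of this article or of NetApp's tooling. It registers one nfs/ SPN per NFS data LIF on the SVM's own machine account, and before each add it checks that no other account in the domain already owns that SPN, since an SPN registered on two accounts prevents the KDC from choosing a key and Kerberos mounts then fail. The account name SVM1, the domain example.com and the LIF FQDNs are constructed for illustration; the cmdlets come from the RSAT ActiveDirectory module.

```powershell
# Added example (constructed names): register nfs/<LIF FQDN> and nfs/<LIF short name>
# SPNs on the SVM's machine account, skipping any SPN another account already owns.
Import-Module ActiveDirectory

$SvmAccount = 'SVM1'   # sAMAccountName of the SVM's machine account, without the trailing $
$LifFqdns   = @('nfs-lif1.example.com', 'nfs-lif2.example.com')   # constructed LIF names

# Build the SPN list: both forms for each data LIF so either name works in a mount.
$WantedSpns = foreach ($fqdn in $LifFqdns) {
    "nfs/$fqdn"
    "nfs/$($fqdn.Split('.')[0])"
}

$svm = Get-ADComputer -Identity $SvmAccount -Properties ServicePrincipalNames

foreach ($spn in $WantedSpns) {
    # An SPN must map to exactly one account. This check covers the current domain;
    # for a forest-wide duplicate check use 'setspn -X' afterwards.
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties ServicePrincipalNames |
              Where-Object { $_.DistinguishedName -ne $svm.DistinguishedName }
    if ($owners) {
        Write-Warning ("{0} is already registered on {1}; not adding it to {2}" -f `
            $spn, ($owners.DistinguishedName -join ', '), $SvmAccount)
        continue
    }
    if ($svm.ServicePrincipalNames -contains $spn) {
        Write-Verbose "$spn is already present on $SvmAccount"
        continue
    }
    # Add only this SPN; Replace would wipe the account's existing SPNs.
    Set-ADComputer -Identity $svm -ServicePrincipalNames @{Add = $spn}
    Write-Output "Added $spn to $SvmAccount"
}

# Show the resulting SPN list for review.
(Get-ADComputer -Identity $SvmAccount -Properties ServicePrincipalNames).ServicePrincipalNames
```

Run it from an account with write access to the SVM's computer object. The duplicate check is the part worth keeping even if you add SPNs by hand with `setspn -S`, which performs the same uniqueness check before writing.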
Additional Information
- A service principal name (SPN) is a unique identifier of a service instance
- ONTAP Requirements for CIFS Kerberos - NetApp Knowledge Base
- Requirements for configuring Kerberos with NFS
- ONTAP support for Kerberos