I am using na_ontap_kerberos_realm to configure a Kerberos realm in my simulator VM that runs ONTAP 9.12.1, however I did not find any module to enable it on an interface. I have to run this through the CLI:
vserver nfs kerberos interface modify -vserver vs -lif lif1.0 -kerberos enabled -spn nfs/nfs.example.test@EXAMPLE.TEST -admin-username nfs/service
Does anyone know if there is an Ansible module for this already? Thanks
#Enabling kerberos on an interface
Currently we don't have a module for that. You'll need to use the https://docs.ansible.com/ansible/devel/collections/netapp/ontap/na_ontap_rest_cli_module.html#ansible-collections-netapp-ontap-na-ontap-rest-cli-module module for now to do this. I'll add a story to our backlog to add a kerberos interface module.
Awesome! thank you
Also, through the CLI there are 2 ways to enable the interface: one is to pull a keytab (through a keytab-uri, but then we need a way to serve that file securely), the other is to give credentials for an admin principal (I don't think we want this in the general case). The ideal way could be to push a keytab from the Ansible script, but I don't think there is anything supporting this. I am not familiar with Kerberos, so if the story could also add an example of usage that would be great. Thanks again!
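The workaround suggested above, as an added example that is not part of the thread and not taken from the netapp.ontap collection's own documentation: a playbook that runs the `vserver nfs kerberos interface modify` command through the CLI passthrough module `na_ontap_rest_cli`, using the admin-principal variant with the credentials pulled from Ansible Vault. The host, vserver and LIF names, the SPN and the `ontap_*`/`krb_*` variables are placeholders; the body keys mirror the CLI parameter names and the `msg.records` shape of the GET response is assumed, so check both against your ONTAP version.

```yaml
# Added example, not code from the thread or from the netapp.ontap collection.
# Enables Kerberos on a data LIF through the ONTAP CLI passthrough (na_ontap_rest_cli)
# and verifies the result. Variables ontap_host, ontap_admin_user, ontap_admin_password,
# krb_admin_principal and krb_admin_password are assumed to come from inventory/Vault.
- name: Enable Kerberos on an NFS data LIF via the CLI passthrough
  hosts: localhost
  gather_facts: false
  module_defaults:
    netapp.ontap.na_ontap_rest_cli:
      hostname: "{{ ontap_host }}"
      username: "{{ ontap_admin_user }}"
      password: "{{ ontap_admin_password }}"
      https: true
      validate_certs: true      # the KDC admin password rides this session: do not disable TLS verification
  tasks:
    - name: Join the LIF to the realm with an admin principal (credentials from Ansible Vault)
      netapp.ontap.na_ontap_rest_cli:
        command: "vserver/nfs/kerberos/interface"   # "vserver nfs kerberos interface"
        verb: PATCH                                 # PATCH on the passthrough == "... modify"
        params:                                     # row selectors, same as the CLI -vserver/-lif
          vserver: vs
          lif: lif1.0
        body:                                       # fields to set, named like the CLI parameters (assumed)
          kerberos: enabled
          spn: nfs/nfs.example.test@EXAMPLE.TEST
          admin-username: "{{ krb_admin_principal }}"   # e.g. nfs/service, from Vault
          admin-password: "{{ krb_admin_password }}"    # from Vault, never inline in the playbook
      no_log: true      # keep the admin password out of the Ansible log and callback output
      register: krb_enable

    - name: Read back the Kerberos state of the LIF
      netapp.ontap.na_ontap_rest_cli:
        command: "vserver/nfs/kerberos/interface"
        verb: GET
        params:
          vserver: vs
          lif: lif1.0
          fields: kerberos,spn
      register: krb_state

    - name: Fail the play if the join did not take
      ansible.builtin.assert:
        that:
          - krb_state.msg.records[0].kerberos == "enabled"     # response path assumed
          - krb_state.msg.records[0].spn == "nfs/nfs.example.test@EXAMPLE.TEST"
        fail_msg: "LIF lif1.0 is not Kerberos-enabled: {{ krb_state.msg | default('no response') }}"
```

Run it with `ansible-playbook --ask-vault-pass kerberos-lif.yml` after putting the `krb_admin_*` values in a vaulted vars file. The admin principal is only needed while ONTAP creates its own key material at enable time, so a short-lived principal with just that right, rotated afterwards, is preferable to reusing a standing admin account; `no_log: true` matters because the passthrough module would otherwise echo the full request body on failure.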
Hi @sand brook, small query:
Can we modify the SPN if the Kerberos interface is already enabled in the CLI?
In the CLI you need to first disable the interface (if the keytab was misconfigured, you need to first enable diag privileges, then use the force parameter) before being able to modify the Kerberos configuration.
Thanks frigo, what if I want to use a different SPN on an already enabled Kerberos interface?
For this too, disable and enable?
https://docs.netapp.com/us-en/ontap-cli-9121//vserver-nfs-kerberos-interface-modify.html#parameters
vserver nfs kerberos interface modify -vserver vs0 -lif datalif1 -spn nfs/sec.example.com@AUTH.SEC.EXAMPLE.COM -keytab-uri ftp://ftp.example.com/keytab
Can I leave out -kerberos enabled since it's already enabled and modify only the SPN?
In my tests I always had to first disable it (possibly forcing it). Do you have a way to try it yourself? Unfortunately I won't be very available these days.
The new module na_ontap_kerberos_interface was added in the latest collection version; try it out and let us know if there are any issues.
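The SPN change discussed above, as an added example (not from the thread and not the collection's own documentation) using the dedicated `na_ontap_kerberos_interface` module: the LIF is disabled first and then re-enabled with the new SPN and a pulled keytab, which is the sequence the CLI required in the tests described earlier. The option names `vserver`, `interface_name`, `enabled`, `spn` and `keytab_uri` are assumed from the module's documentation and must be checked against the collection version you install; the host names, LIF name and keytab URL are placeholders.

```yaml
# Added example, not code from the thread or from the netapp.ontap collection.
# Replaces the SPN on an already Kerberos-enabled LIF: disable, then enable with the
# new SPN and keytab. Option names are assumed; verify against the module docs.
- name: Re-key an NFS data LIF with a new SPN from a pulled keytab
  hosts: localhost
  gather_facts: false
  module_defaults:
    netapp.ontap.na_ontap_kerberos_interface:
      hostname: "{{ ontap_host }}"            # assumed inventory/Vault variables
      username: "{{ ontap_admin_user }}"
      password: "{{ ontap_admin_password }}"
      https: true
      validate_certs: true
  tasks:
    - name: Disable Kerberos on the LIF first (the SPN is not changed in place)
      netapp.ontap.na_ontap_kerberos_interface:
        vserver: vs0
        interface_name: datalif1
        enabled: false

    - name: Re-enable with the new SPN, fetching the keytab from a locked-down URL
      netapp.ontap.na_ontap_kerberos_interface:
        vserver: vs0
        interface_name: datalif1
        enabled: true
        spn: nfs/sec.example.com@AUTH.SEC.EXAMPLE.COM
        # keytab_uri: the CLI reference for 9.12.1 documents ftp and http schemes;
        # whether https is accepted is assumed here and should be tested.
        keytab_uri: https://files.example.com/keytabs/datalif1.keytab
      register: krb_enable

    - name: Show what changed (no secrets in this output, only the module's changed flag)
      ansible.builtin.debug:
        msg: "datalif1 kerberos re-enabled, changed={{ krb_enable.changed }}"
```

The keytab is the service's long-term key, so pulling it over ftp:// as in the CLI documentation example exposes it in cleartext to anyone on the path; if your ONTAP version only accepts ftp or http, serve the file from a host that is reachable solely from the cluster's management network, restrict it to the one LIF's address, and delete it as soon as the enable task has completed. Reusing the old SPN's keytab for the new SPN will not work, since the keytab entries are keyed by principal name.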
Nice! It works! Thanks a lot! I also see there were some commits for the issues I opened on GitHub like #153, that's very cool.
I believe nonetheless the interface is a bit weird (having to use an admin account, or to expose a keytab so that it can get pulled by the command). Would it be possible to have an option to provide the keytab directly? I am building a lab and I am not using Active Directory. Maybe most deployments use Active Directory and do not have to use these options at all, so I am the only one noticing.