
Linux mount to FSx using AD user disconnects after interval; initial mount works but message HOST IS DOWN occurs after some time

When I run the mount command I'm able to connect to and ls the share until what appears to be the ticket-renewal time; then I get "host is down".
I have looked through all the suggested similar questions and searched the web. See "A little background" below.

I can’t seem to find anything in logs/journals that will tell me what happened or when.

My environment is:
AWS Amazon Linux 2
AWS Active Directory with user setup to never expire
AWS FSx share
On the linux server I have k5start running, an fstab file, a krb5.conf file (see these below)

A little background: I have this working in another environment but can't seem to find out what is different. We hired a consultant to help set this up initially and they are not available to help.

Our requirements were:

  1. do not join the linux machine to the AD,
  2. do not use a plain text file w/ username/password on the machine
  3. the share must be available to all processes on the machine
  4. auto-renew permissions/tickets
  5. auto mount on restart

Our configurations:

============

k5start.service file:
[Unit]
Description=Kerberos Credential Cache Manager Daemon for FSx Mount
After=network.target
Before=mnt-fsx.mount

[Service]
Type=simple
User=ec2-user
Group=ec2-user
ExecStart=/usr/bin/k5start -aLK 15 -l 1hr -f /etc/myUser.keytab "myUser@myAD.AWS.MSAD.COM"

[Install]
WantedBy=multi-user.target

==========

fstab file:
//my.fsx.myAD.aws.msad.com/share /mnt/fsx cifs vers=3.0,cache=none,user=ec2-user,cruid=ec2-user,sec=krb5,uid=1000,gid=1000,ip=myFSxIP

==========
keytab file created using:

  • ktutil
  • addent -password -p myUser@myAD.AWS.MSAD.COM -k 1 -e RC4-HMAC
  • (enter password for username)
  • wkt myUser.keytab
  • q
  • I then move the file to another location on disk and change permissions to 755

==========

Installing the prereqs:
sudo yum -y install sssd realmd krb5-workstation samba-common-tools
sudo yum install -y cifs-utils
sudo amazon-linux-extras enable epel
sudo yum install -y epel-release
sudo yum install -y kstart

==========

Installing the service by:
sudo systemctl daemon-reload
sudo systemctl enable k5start
sudo systemctl start k5start
sudo systemctl status k5start -l
output:
k5start.service - Kerberos Credential Cache Manager Daemon for FSx Mount
Loaded: loaded (/usr/lib/systemd/system/k5start.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2022-09-12 22:43:52 UTC; 24h ago
Main PID: 2990 (k5start)
CGroup: /system.slice/k5start.service
└─2990 /usr/bin/k5start -a -L -K 15 -l 1h -f /etc/myUser.keytab myUser@myAD.AWS.MSAD.COM

——————————

Some commands that I’ve run to try and figure things out…

=====

if I run these two commands the mount comes back online but goes away again at interval

  • sudo umount -l /mnt/fsx
  • sudo mount -a --verbose

=====

dig myAD.AWS.MSAD.COM

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> myAD.AWS.MSAD.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;myAD.AWS.MSAD.COM. IN A

;; ANSWER SECTION:
myAD.AWS.MSAD.COM. 600 IN A 172.31.xxx.xxx
myAD.AWS.MSAD.COM. 600 IN A 172.31.xxx.xxx

;; Query time: 0 msec
;; SERVER: 172.31.19.208#53(172.31.19.208)
;; WHEN: Tue Sep 13 23:27:25 UTC 2022
;; MSG SIZE rcvd: 83

=====

klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: myUser@myAD.AWS.MSAD.COM

Valid starting Expires Service principal
09/12/2022 22:22:46 09/12/2022 23:22:46 krbtgt/myAD.AWS.MSAD.COM@myAD.AWS.MSAD.COM
renew until 09/19/2022 22:22:46

=======

Thank you for looking!
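An added offline check (editor's example, not code from the question or from any answer to it) that a practitioner would run on a host like this one before reading journals: it parses the klist output and the fstab line shown above, confirms that the credential cache cifs.upcall will look up (the cache of the uid that cruid= resolves to) is the same one k5start maintains, classifies the TGT at a given moment as valid, expired-but-renewable or unrenewable, and flags a keytab whose mode or owner is wrong. The klist text and fstab line are constructed from what the post shows; the uid map and the keytab mode/owner are assumed values passed in as arguments, so nothing here touches a live system. Note also that a keytab is a password equivalent: the 755 mode mentioned in the post makes it world-readable, and the check below reports that.

```python
"""Offline sanity checks for a sec=krb5 CIFS mount fed by k5start (added example)."""
import re
import stat
from datetime import datetime

TS_FMT = "%m/%d/%Y %H:%M:%S"
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(rf"^\s*({_TS})\s+({_TS})\s+(\S+)")
_RENEW_RE = re.compile(rf"renew until ({_TS})")

# Constructed from the klist output in the post (same cache, principal and times).
KLIST_OUTPUT = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: myUser@myAD.AWS.MSAD.COM

Valid starting       Expires              Service principal
09/12/2022 22:22:46  09/12/2022 23:22:46  krbtgt/myAD.AWS.MSAD.COM@myAD.AWS.MSAD.COM
        renew until 09/19/2022 22:22:46
"""

# The fstab line from the post; myFSxIP is the post's own placeholder.
FSTAB_LINE = ("//my.fsx.myAD.aws.msad.com/share /mnt/fsx cifs "
              "vers=3.0,cache=none,user=ec2-user,cruid=ec2-user,sec=krb5,"
              "uid=1000,gid=1000,ip=myFSxIP 0 0")

# Assumed uid map; on a real host use pwd.getpwnam(name).pw_uid instead.
PASSWD = {"root": 0, "ec2-user": 1000}


def at(text):
    """Parse a timestamp in klist's format."""
    return datetime.strptime(text, TS_FMT)


def parse_klist(text):
    """Return the cache name, principal and each ticket's lifetime from klist output."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif m := _TICKET_RE.match(line):
            info["tickets"].append({"starts": at(m.group(1)), "expires": at(m.group(2)),
                                    "service": m.group(3), "renew_until": None})
        elif (m := _RENEW_RE.search(line)) and info["tickets"]:
            info["tickets"][-1]["renew_until"] = at(m.group(1))  # belongs to the previous ticket
    return info


def parse_fstab(line):
    """Split one fstab entry into its fields and a dict of mount options."""
    spec, mountpoint, fstype, opts = line.split()[:4]
    options = {}
    for opt in opts.split(","):
        key, _, value = opt.partition("=")
        options[key] = value if value else True
    return {"spec": spec, "mountpoint": mountpoint, "fstype": fstype, "options": options}


def ticket_state(ticket, now):
    """valid / expired_renewable (kinit -R still works) / expired_unrenewable (needs the keytab)."""
    if now < ticket["expires"]:
        return "valid"
    if ticket["renew_until"] and now < ticket["renew_until"]:
        return "expired_renewable"
    return "expired_unrenewable"


def check_mount(klist_info, fstab_entry, passwd, now):
    """Cross-check the cache cifs.upcall will consult against what k5start keeps fresh."""
    findings = []
    opts = fstab_entry["options"]
    if fstab_entry["fstype"] != "cifs" or opts.get("sec") != "krb5":
        return ["mount is not sec=krb5; the Kerberos cache is irrelevant to it"]
    cruid = opts.get("cruid", "root")  # mount.cifs defaults cruid to the mounting user
    cruid_num = int(cruid) if str(cruid).isdigit() else passwd.get(cruid)
    if cruid_num is None:
        return [f"cruid={cruid} does not resolve to a uid"]
    cache = klist_info["cache"] or ""
    if cache.startswith("KEYRING:persistent:"):
        cache_uid = int(cache.split(":")[2])
        if cache_uid != cruid_num:
            findings.append(f"cache belongs to uid {cache_uid} but cruid resolves to uid "
                            f"{cruid_num}; cifs.upcall will not find these tickets")
    tgts = [t for t in klist_info["tickets"] if t["service"].startswith("krbtgt/")]
    if not tgts:
        findings.append("no TGT in cache; cifs.upcall cannot obtain a service ticket")
    for t in tgts:
        state = ticket_state(t, now)
        if state != "valid":
            findings.append(f"TGT for {klist_info['principal']} is {state} at "
                            f"{now:%Y-%m-%d %H:%M:%S}; a CIFS reconnect then fails session setup")
    return findings


def check_keytab(mode, owner_uid, service_uid):
    """A keytab is a password equivalent: only the k5start user should be able to read it."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keytab mode {oct(mode)} is group/world accessible; use 0400")
    if owner_uid != service_uid:
        findings.append(f"keytab owned by uid {owner_uid} but k5start runs as uid {service_uid}")
    return findings


if __name__ == "__main__":
    info, entry = parse_klist(KLIST_OUTPUT), parse_fstab(FSTAB_LINE)
    for when in ("09/12/2022 23:00:00", "09/13/2022 00:00:00"):
        print(when, check_mount(info, entry, PASSWD, at(when)) or ["ok"])
    print(check_keytab(0o755, PASSWD["ec2-user"], PASSWD["ec2-user"]))
```

Run it on the real host by replacing the constructed strings with `klist` output captured as the same user k5start runs as, the live fstab line, and `os.stat()` of the keytab; the second timestamp in the `__main__` block falls after the one-hour ticket lifetime shown in the post, so it reports the expired-but-renewable state that a reconnect attempt would hit if nothing has refreshed the cache by then.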