When I run the mount command I'm able to connect to and ls the share until what appears to be the ticket renewal time occurs. Then I get "host is down".
I have looked through all the suggested similar questions and searched the web. See "A little background" below.
I can’t seem to find anything in logs/journals that will tell me what happened or when.
My environment is:

- AWS Amazon Linux 2
- AWS Active Directory, with the user set up to never expire
- AWS FSx share

On the Linux server I have k5start running, an fstab file, and a krb5.conf file (see these below).
A little background: I have this working in another environment but can't seem to find out what is different. We hired a consultant to help set this up initially and they are not available to help.
Our requirements were:
- do not join the linux machine to the AD,
- do not use a plain text file w/ username/password on the machine
- the share is to be available to all processes on the machine
- auto-renew permissions/tickets
- auto mount on restart
Our configurations:
============
k5start.service file:

    [Unit]
    Description=Kerberos Credential Cache Manager Daemon for FSx Mount
    After=network.target
    Before=mnt-fsx.mount

    [Service]
    Type=simple
    User=ec2-user
    Group=ec2-user
    ExecStart=/usr/bin/k5start -aLK 15 -l 1hr -f /etc/myUser.keytab "[email protected]"

    [Install]
    WantedBy=multi-user.target
==========
fstab file:

    //my.fsx.myAD.aws.msad.com/share /mnt/fsx cifs vers=3.0,cache=none,user=ec2-user,cruid=ec2-user,sec=krb5,uid=1000,gid=1000,ip=myFSxIP
==========
keytab file created using:

- ktutil
- addent -password -p [email protected] -k 1 -e RC4-HMAC (enter the password for the user when prompted)
- wkt myUser.keytab
- q
- I then move the file to another location on disk and change the permissions to 755
==========
Installing the prereqs:

    sudo yum -y install sssd realmd krb5-workstation samba-common-tools
    sudo yum install -y cifs-utils
    sudo amazon-linux-extras enable epel
    sudo yum install -y epel-release
    sudo yum install -y kstart
==========
Installing the service by:

    sudo systemctl daemon-reload
    sudo systemctl enable k5start
    sudo systemctl start k5start
    sudo systemctl status k5start -l

output:

    k5start.service - Kerberos Credential Cache Manager Daemon for FSx Mount
       Loaded: loaded (/usr/lib/systemd/system/k5start.service; enabled; vendor preset: disabled)
       Active: active (running) since Mon 2022-09-12 22:43:52 UTC; 24h ago
     Main PID: 2990 (k5start)
       CGroup: /system.slice/k5start.service
               └─2990 /usr/bin/k5start -a -L -K 15 -l 1h -f /etc/myUser.keytab [email protected]
——————————
Some commands that I’ve run to try and figure things out...
=====
If I run these two commands the mount comes back online, but it goes away again at the same interval:

    sudo umount -l /mnt/fsx
    sudo mount -a --verbose
=====
    dig myAD.AWS.MSAD.COM

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> myAD.AWS.MSAD.COM
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30388
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;myAD.AWS.MSAD.COM.             IN      A

    ;; ANSWER SECTION:
    myAD.AWS.MSAD.COM.      600     IN      A       172.31.xxx.xxx
    myAD.AWS.MSAD.COM.      600     IN      A       172.31.xxx.xxx

    ;; Query time: 0 msec
    ;; SERVER: 172.31.19.208#53(172.31.19.208)
    ;; WHEN: Tue Sep 13 23:27:25 UTC 2022
    ;; MSG SIZE  rcvd: 83
=====
    klist

    Ticket cache: KEYRING:persistent:1000:1000
    Default principal: [email protected]

    Valid starting       Expires              Service principal
    09/12/2022 22:22:46  09/12/2022 23:22:46  krbtgt/[email protected]
            renew until 09/19/2022 22:22:46
=======
Thank you for looking!
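The post shows a one-hour TGT being refreshed by k5start and a sec=krb5 CIFS mount that drops at roughly that interval, with nothing in the logs tying the two together. The script below is an added example, not code from the original post or from the kstart/cifs-utils projects: a health check that records how much TGT lifetime remains in the credential cache at each run and, if the mount has stopped answering, performs the same lazy umount plus mount -a the poster already uses by hand, so that the time of each drop lands in the journal next to the ticket state. The mount point /mnt/fsx, the KEYRING:persistent:1000:1000 cache, the 900-second warning threshold and the embedded sample klist output are assumptions taken or constructed from the post; the date parsing assumes klist's MM/DD/YYYY HH:MM:SS output in UTC and GNU date, as on Amazon Linux 2.

```shell
#!/bin/sh
# Added example (not from the original post): health check for a
# k5start-managed Kerberos TGT and a sec=krb5 CIFS mount.
# Assumptions (hypothetical, adjust to your host): mount point /mnt/fsx,
# ccache KEYRING:persistent:1000:1000, klist timestamps in MM/DD/YYYY
# HH:MM:SS UTC (as in the post's output), GNU date available.
set -u

MOUNT_POINT=${MOUNT_POINT:-/mnt/fsx}
CCACHE=${CCACHE:-KEYRING:persistent:1000:1000}
MIN_REMAINING=${MIN_REMAINING:-900}   # warn when the TGT has < 15 min left

# Constructed sample modelled on the klist output in the post (placeholder
# principal); used only by the built-in self test.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
09/12/2022 22:22:46  09/12/2022 23:22:46  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 09/19/2022 22:22:46'

# Read klist output on stdin; print the epoch second at which the krbtgt
# (TGT) entry expires. Returns 1 if no krbtgt line is present.
tgt_expiry_epoch() {
    line=$(grep -E 'krbtgt/' | head -n 1) || true
    [ -n "$line" ] || return 1
    # klist columns: start_date start_time expiry_date expiry_time principal
    exp_date=$(printf '%s\n' "$line" | awk '{print $3}')
    exp_time=$(printf '%s\n' "$line" | awk '{print $4}')
    TZ=UTC date -d "$exp_date $exp_time" +%s
}

# $1 = klist text, $2 = "now" in epoch seconds. Prints seconds of TGT life
# remaining (negative once expired); returns 1 if there is no TGT at all.
tgt_seconds_remaining() {
    expiry=$(printf '%s\n' "$1" | tgt_expiry_epoch) || return 1
    echo $(( expiry - $2 ))
}

# Return 0 if $1 is a mounted filesystem that answers a directory listing
# within $2 seconds; 1 otherwise (a hung or "Host is down" mount fails here).
mount_responds() {
    mountpoint -q "$1" || return 1
    timeout "${2:-10}" ls "$1" >/dev/null 2>&1
}

# One check cycle: log the TGT state, then remount if the share is silent.
# The remount is the same lazy umount + mount -a the post already relies on,
# so the journal now shows exactly when each drop happened.
check_once() {
    klist_text=$(KRB5CCNAME="$CCACHE" klist 2>/dev/null || true)
    now=$(date +%s)
    if remaining=$(tgt_seconds_remaining "$klist_text" "$now"); then
        logger -t fsx-check "TGT in $CCACHE expires in ${remaining}s"
        [ "$remaining" -ge "$MIN_REMAINING" ] || \
            logger -t fsx-check "WARNING: TGT nearly expired; check k5start"
    else
        logger -t fsx-check "WARNING: no TGT found in $CCACHE"
    fi
    if mount_responds "$MOUNT_POINT" 10; then
        return 0
    fi
    logger -t fsx-check "$MOUNT_POINT not responding; remounting"
    umount -l "$MOUNT_POINT" 2>/dev/null
    mount -a
}

# Verify the klist parsing against the constructed sample (expiry is
# 2022-09-12 23:22:46 UTC = epoch 1663024966).
selftest() {
    [ "$(tgt_seconds_remaining "$SAMPLE_KLIST" 1663024966)" = "0" ] &&
    [ "$(tgt_seconds_remaining "$SAMPLE_KLIST" 1663021366)" = "3600" ] &&
    ! tgt_seconds_remaining "no tickets here" 0 >/dev/null
}

# Usage:  ./fsx-check.sh check      (from cron or a systemd timer, as root)
#         ./fsx-check.sh selftest
case "${1:-}" in
    check)    check_once ;;
    selftest) selftest && echo "selftest ok" ;;
esac
```

Run it as root from cron or a systemd timer every minute or two, then read `journalctl -t fsx-check` alongside `journalctl -u k5start` and the kernel's cifs messages to see whether the remaining TGT lifetime at the moment of each drop is near zero (pointing at the ticket refresh) or not (pointing at the SMB session itself). Two side notes on the posted setup: a keytab holds the account's long-term key, so it should be owned by the user k5start runs as and be mode 0600 rather than 755, and RC4-HMAC is a deprecated Kerberos encryption type, so if the AD side permits AES keys, prefer those when regenerating the keytab.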