When I run the mount command I’m able to connect/ls to the share until what appears to be the ticket renewal time occurs. Then I get "host is down".

I have looked through all the suggested similar questions and searched the web. See "A little background" below.

I can’t seem to find anything in logs/journals that will tell me what happened or when.

My environment is:

  • AWS Amazon Linux 2
  • AWS Active Directory with user setup to never expire
  • AWS FSx share

On the Linux server I have k5start running, an fstab file and a krb5.conf file (see these below).

A little background: I have this working in another environment but can’t seem to find out what is different. We hired a consultant to help set this up initially and they are not available to help.

Our requirements were:

  1. do not join the Linux machine to the AD,
  2. do not use a plain text file with username/password on the machine,
  3. the share is to be available to all processes on the machine,
  4. auto-renew permissions/tickets,
  5. auto mount on restart.

Our configurations:

k5start.service file:

[Unit]
Description=Kerberos Credential Cache Manager Daemon for FSx Mount
After=network.target
Before=mnt-fsx.mount


[Service]
Type=simple
User=ec2-user
Group=ec2-user
ExecStart=/usr/bin/k5start -aLK 15 -l 1hr -f /etc/myUser.keytab "myUser@myAD.AWS.MSAD.COM"

[Install]
WantedBy=multi-user.target

fstab file:

//my.fsx.myAD.aws.msad.com/share /mnt/fsx cifs vers=3.0,cache=none,user=ec2-user,cruid=ec2-user,sec=krb5,uid=1000,gid=1000,ip=myFSxIP

keytab file created using:

  • ktutil
  • addent -password -p myUser@myAD.AWS.MSAD.COM -k 1 -e RC4-HMAC
    (enter the password for the user when prompted)
  • wkt myUser.keytab
  • q
  • I then move the file to another location on disk and change permissions to 755

Installing the prereqs:

sudo yum -y install sssd realmd krb5-workstation samba-common-tools
sudo yum install -y cifs-utils
sudo amazon-linux-extras enable epel
sudo yum install -y epel-release
sudo yum install -y kstart

==========

Installing the service by:

sudo systemctl daemon-reload
sudo systemctl enable k5start
sudo systemctl start k5start
sudo systemctl status k5start -l

output:

k5start.service - Kerberos Credential Cache Manager Daemon for FSx Mount
   Loaded: loaded (/usr/lib/systemd/system/k5start.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-09-12 22:43:52 UTC; 24h ago
 Main PID: 2990 (k5start)
   CGroup: /system.slice/k5start.service
           └─2990 /usr/bin/k5start -a -L -K 15 -l 1h -f /etc/myUser.keytab myUser@myAD.AWS.MSAD.COM

——-

Some commands that I’ve run to try and figure things out...

If I run these two commands the mount comes back online, but goes away again at the interval:

  • sudo umount -l /mnt/fsx
  • sudo mount -a --verbose

dig myAD.AWS.MSAD.COM

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> myAD.AWS.MSAD.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;myAD.AWS.MSAD.COM.     IN  A

;; ANSWER SECTION:
myAD.AWS.MSAD.COM.  600 IN  A   172.31.xxx.xxx
myAD.AWS.MSAD.COM.  600 IN  A   172.31.xxx.xxx

;; Query time: 0 msec
;; SERVER: 172.31.19.208#53(172.31.19.208)
;; WHEN: Tue Sep 13 23:27:25 UTC 2022
;; MSG SIZE  rcvd: 83

klist

Ticket cache: KEYRING:persistent:1000:1000
Default principal: myUser@myAD.AWS.MSAD.COM

Valid starting       Expires              Service principal
09/12/2022 22:22:46  09/12/2022 23:22:46  krbtgt/myAD.AWS.MSAD.COM@myAD.AWS.MSAD.COM
    renew until 09/19/2022 22:22:46

Thank you for looking!

  • I have not been able to get to the root cause however I now have it staying connected. The only difference between our sandbox env and production (this issue) was the AD name. In Prod it was called REMI-PROD.xxx.xxx and sandbox was REMI.xx.xx and the netbios value was remi.xx.xx.xx (in both) and not remi.prod.xx.xx in prod. Could the netbios or a "-" in the name cause such a problem? Anyway, I recreated the AD removing the -PROD value and it's renewing tickets and staying mounted – Robel Robel Lingstuyl Sep 18 '22 at 02:38

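As an added example (not from the poster or from k5start/cifs-utils), the following Python lint checks the three pieces of the configuration in the question that a defender would want to verify together: that the keytab is not readable by other users and does not rely on a deprecated enctype, and that the cruid in the fstab line resolves to the same uid as the KEYRING:persistent ticket cache that k5start fills, since cifs.upcall looks up the cache by that uid. The fstab line, klist cache line, keytab mode and enctype are constructed from the question; the UID_MAP (ec2-user → 1000) is an assumed passwd mapping.

```python
import re
import stat

# Constructed inputs modelled on the question's configuration (not captured from a real host).
FSTAB_LINE = ("//my.fsx.myAD.aws.msad.com/share /mnt/fsx cifs "
              "vers=3.0,cache=none,user=ec2-user,cruid=ec2-user,sec=krb5,uid=1000,gid=1000,ip=myFSxIP")
KLIST_CACHE_LINE = "Ticket cache: KEYRING:persistent:1000:1000"
UID_MAP = {"ec2-user": 1000}          # assumed /etc/passwd mapping on the host
KEYTAB_MODE = 0o755                   # the mode the question sets on the keytab
KEYTAB_ENCTYPES = ["RC4-HMAC"]        # enctype used in the question's ktutil addent

# RC4/DES are deprecated for Kerberos (RFC 8429 / RFC 6649); AES types are the safe choice.
WEAK_ENCTYPES = {"RC4-HMAC", "ARCFOUR-HMAC", "DES-CBC-CRC", "DES-CBC-MD5"}

def fstab_options(line):
    """Return the mount options of a cifs fstab line as a dict (bare flags map to True)."""
    fields = line.split()
    opts = {}
    for item in fields[3].split(","):
        key, _, value = item.partition("=")
        opts[key] = value if value else True
    return opts

def audit_keytab(mode, enctypes):
    """Flag a keytab that other users can read or that only holds weak encryption types."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"keytab mode {mode:o} is readable by group/other; use 0600 owned by the service user")
    for enc in enctypes:
        if enc.upper() in WEAK_ENCTYPES:
            findings.append(f"keytab enctype {enc} is deprecated; prefer aes256-cts-hmac-sha1-96")
    return findings

def audit_ccache_binding(fstab_line, cache_line, uid_map):
    """Check that the mount's cruid resolves to the uid of the KEYRING cache k5start writes."""
    opts = fstab_options(fstab_line)
    findings = []
    if opts.get("sec") != "krb5":
        findings.append("sec=krb5 is not set, so Kerberos will not be used for the mount")
    m = re.search(r"KEYRING:persistent:(\d+)", cache_line)
    cache_uid = int(m.group(1)) if m else None
    cruid = opts.get("cruid")
    cred_uid = uid_map.get(cruid, int(cruid) if str(cruid).isdigit() else None)
    if cache_uid is None or cred_uid != cache_uid:
        findings.append(f"cruid={cruid} (uid {cred_uid}) does not match ticket cache uid {cache_uid}")
    return findings
```

On the question's values the binding check passes while the keytab check reports both the 755 mode and the RC4-HMAC enctype.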