
I'm trying to set up Winbind with PAM and Kerberos to authenticate CentOS 7 against Active Directory.

So far this is what I've done:

yum -y install authconfig krb5-workstation pam_krb5 samba-common oddjob-mkhomedir

yum -y install samba-winbind-modules

authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup={DOMAIN-NETBIOSNAME} --smbrealm={My.DOMAINCOM} --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/{my.domain.com}/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm={MY.DOMAIN.COM} --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

kinit -v my.username

I receive the below error message when I attempt to get a Kerberos ticket:

kinit: Credentials cache file '/tmp/krb5cc_0' not found while validating credential

So I tried

touch /tmp/krb5cc_0 && chmod 777 /tmp/krb5cc_0 && kinit -v my.username

The resulting error is:

kinit: Bad format in credentials cache while validating credentials

I've also tried creating a local user with the same name as the AD user I'm trying to authenticate as, with the same result. Below is the sanitized output of /etc/krb5.conf.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = {MY.DOMAIN.COM}
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
 dns_lookup_kdc = true

[realms]
 MY.DOMAIN.COM = {
  kdc = mypdc.my.domain.com
  admin_server = mypdc.my.domain.com
 }


[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 {my.domain.com} = {MY.DOMAIN.COM}
 .{my.domain.com} = {MY.DOMAIN.COM}

What am I doing wrong? Is the ccache file supposed to be automatically generated per user? The [libdefaults] section of the krb5.conf file was originally using the kernel keyring with the same initial error, so I tried to use a file path thinking it would be easier.

olmstad
GrahamBond
  • Check the permissions on `/tmp` and make sure unprivileged users can write new files to it? – Andrew B Dec 07 '16 at 00:20
  • Try `strace -P /tmp/krb5cc_0 kinit v.user` as root user (for different user `0` should be substituted for corresponding user id) and post output here. It will show what goes wrong when kinit tries to write `/tmp/krb5cc_0`. – olmstad Jan 07 '17 at 15:35
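Added diagnostic example; it is not part of the question or the comments above. Both error messages end in "while validating credentials", which is the code path MIT kinit takes for lowercase `-v` (validate a ticket already in the cache; `-V` is the verbose flag), so kinit is reporting on the credential cache rather than on the password. The script below inspects what kinit will find at the `default_ccache_name` path from the question's krb5.conf (`FILE:/tmp/krb5cc_%{uid}`): the file is absent (first error), an empty file created with `touch` that carries no ccache header (second error), or a real cache. It assumes the MIT file ccache format, whose first two bytes are 0x05 followed by the format version, and GNU `stat(1)` for the directory mode check; the `--check` mode is a constructed entry point for running it as the user who will call kinit.

```shell
#!/bin/sh
# Added example (not from the question or its comments): inspect what kinit will
# find at the default_ccache_name path from the question's krb5.conf,
# FILE:/tmp/krb5cc_%{uid}. Assumes an MIT Kerberos file ccache, whose first two
# bytes are 0x05 followed by the format version (0x04 on current releases), and
# GNU stat(1) for the directory mode check.

# Expand the %{uid} token of a FILE: ccache template for the given uid,
# mirroring how libkrb5 derives /tmp/krb5cc_0 for root.
ccache_path_for_uid() {
    printf '%s\n' "${1#FILE:}" | sed "s/%{uid}/$2/g"
}

# Classify the ccache kinit would open: "missing" (the first error in the
# question), "badformat" (an empty file created with touch, the second error),
# or "ok" (a file that carries the ccache magic bytes).
ccache_state() {
    if [ ! -e "$1" ]; then
        echo missing
        return 0
    fi
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        0501|0502|0503|0504) echo ok ;;
        *) echo badformat ;;
    esac
}

# The ccache directory must be world-writable with the sticky bit (mode 1777),
# so each user can create a cache while nobody can rename or unlink another's.
ccache_dir_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "1777" ]
}

# Run with --check as the user who will call kinit to see the state it will see.
if [ "${1:-}" = "--check" ]; then
    cache=$(ccache_path_for_uid 'FILE:/tmp/krb5cc_%{uid}' "$(id -u)")
    echo "ccache $cache: $(ccache_state "$cache")"
    if ccache_dir_ok /tmp; then
        echo "/tmp mode is 1777"
    else
        echo "/tmp mode is not 1777; unprivileged users may be unable to create a cache"
    fi
fi
```

A "missing" result is the normal state before the first successful `kinit`: kinit creates the cache itself once the KDC returns a ticket, so the file should not be pre-created with `touch`, and a cache that has been pre-created or truncated will show up as "badformat" exactly as in the second error. A cache directory whose mode is not 1777 is worth fixing before anything else, because a world-writable `/tmp` without the sticky bit lets one local user replace another user's credential cache.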
