Hi. I want to configure an app (1C Enterprise) for authentication via FreeIPA. This app uses a mapping of the local user usr1cv8 to a Kerberos user, usr1cv8@KERBEROS.DOMAIN
All the manuals are about mapping with an Active Directory user.
Russian - https://its.1c.ru/db/metod8dev#content:2799:hdoc
English - https://1c-dn.com/library/Kerberos_authentification_setup_example_for_Linux_...
What do I have to change for FreeIPA? Can I create a service usr1cv8/host@IPA.DOMAIN? Or how can I map a local user to an IPA user?
On Wed, 13 Feb 2019, Николай Савельев via FreeIPA-users wrote:
> Hi. I want to configure an app (1C Enterprise) for authentication via FreeIPA. This app uses a mapping of the local user usr1cv8 to a Kerberos user, usr1cv8@KERBEROS.DOMAIN
> All the manuals are about mapping with an Active Directory user.
> Russian - https://its.1c.ru/db/metod8dev#content:2799:hdoc
> English - https://1c-dn.com/library/Kerberos_authentification_setup_example_for_Linux_...
> What do I have to change for FreeIPA? Can I create a service usr1cv8/host@IPA.DOMAIN? Or how can I map a local user to an IPA user?
You don't need to do anything like that. The documentation 1C provides really boils down to (on the machine where 1C is deployed):

    kinit -k
    ipa service-add usr1cv81/`hostname`
    ipa-getkeytab -p usr1cv81/`hostname` -k /opt/1C/v8.1/i386/usr1cv81.keytab

That's all. The host/... principal on each enrolled host is allowed to create services on the same host, so 'ipa service-add' works just fine. ipa-getkeytab is what asks IPA to create a key for this Kerberos principal and then stores it locally in the keytab where 1C expects to find it.
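The three steps from the reply above, followed by a check of the resulting keytab, as an added example that is not part of the original thread. The function names, the owner account passed to `provision`, and the sample hostname and realm in the constructed listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): provision the 1C service keytab on an
# enrolled host, then verify what was written. Owner account is an assumption.
KEYTAB=/opt/1C/v8.1/i386/usr1cv81.keytab

# Constructed sample of `klist -k` output, for trying the parser offline.
SAMPLE_LISTING='Keytab name: FILE:/opt/1C/v8.1/i386/usr1cv81.keytab
KVNO Principal
---- --------------------------------------------------
   2 usr1cv81/app1.ipa.example@IPA.EXAMPLE
   2 usr1cv81/app1.ipa.example@IPA.EXAMPLE'

# Print "kvno principal" for every key entry of `klist -k` output on stdin.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $1, $2 }'
}

# Succeed only if the listing on stdin contains principal $1.
# The realm is ignored when $1 carries no @REALM suffix.
keytab_has_principal() {
    keytab_entries | awk -v want="$1" '
        { p = $2; if (want !~ /@/) sub(/@.*/, "", p) }
        p == want { found = 1 }
        END { exit !found }'
}

# Succeed only if file $1 is owned by user $2 and grants nothing to group/other.
keytab_private() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    perms=$(printf '%s\n' "$line" | cut -c5-10)
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    [ "$perms" = "------" ] && [ "$owner" = "$2" ]
}

# Steps from the reply (run as root so kinit -k can read the host keytab),
# then restrict the file to the service account $1 and verify the result.
provision() {
    svc="usr1cv81/$(hostname)"
    kinit -k &&
    { ipa service-show "$svc" >/dev/null 2>&1 || ipa service-add "$svc"; } &&
    ipa-getkeytab -p "$svc" -k "$KEYTAB" &&
    chown "$1" "$KEYTAB" && chmod 600 "$KEYTAB" &&
    klist -k "$KEYTAB" | keytab_has_principal "$svc" &&
    keytab_private "$KEYTAB" "$1"
}

# Runs only when asked, e.g.: sh keytab.sh provision usr1cv8
if [ "${1:-}" = "provision" ]; then provision "${2:?owner account}"; fi
```

By default ipa-getkeytab generates a new key each time it runs, so repeating the procedure invalidates any earlier keytab issued for the same principal.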
13.02.2019, 14:23, "Alexander Bokovoy" abokovoy@redhat.com:
> You don't need to do anything like that. The documentation 1C provides really boils down to (on the machine where 1C is deployed):
>
>     kinit -k
>     ipa service-add usr1cv81/`hostname`
>     ipa-getkeytab -p usr1cv81/`hostname` -k /opt/1C/v8.1/i386/usr1cv81.keytab
>
> That's all. The host/... principal on each enrolled host is allowed to create services on the same host, so 'ipa service-add' works just fine. ipa-getkeytab is what asks IPA to create a key for this Kerberos principal and then stores it locally in the keytab where 1C expects to find it.
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
Sorry, I used the wrong word - create service means service-add, of course. Thank you for the answer.