Setting up domain authorization from different domains
In connection with recent world events, the idea arose of moving all servers to Linux and, as the title says, authorizing many users from different domains. I will say right away that the domains are not in one forest and are located at different sites.
I take the following as a basis:
srv-1cserver – the target 1C:Enterprise server.
domain.loc – the 1st domain.
master.loc – the 2nd domain.
office.loc – the 3rd domain.
At this stage, we assume that we already have a working 1C server on Debian with a couple of databases on it.
Kerberos authentication
On each domain's Windows server, you need to create a user account to which requests to the 1C server will be bound.
For simplicity, we use the same name on both sides: usr1cv8 in Windows and usr1cv8 in Debian.
When creating the user, be sure to uncheck the box “Use DES encryption types for this account”.
Let's generate a .keytab file (the secret key) for this user with the ktpass utility.
C:\>ktpass -princ usr1cv8/srv-1cserver.domain.ru@domain.loc -mapuser usr1cv8 -pass XxXxXx -out usr1cv8.keytab
After that, the usr1cv8.keytab file will be in the root of the C:\ drive, and the usr1cv8/srv-1cserver.domain.ru@domain.loc service principal is now mapped to the usr1cv8 user.
We repeat this procedure on all the Windows servers and copy the generated files into folders on Debian that are convenient for us.
The next steps are also quite simple: run the ktutil utility on Debian and do the following:
root@srv-1cserver:~# ktutil
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
Read the first keytab
ktutil: rkt /opt/1cv8/x86_64/8.3.21.1393/keytab_domain.loc/usr1cv8.keytab
Check
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 HTTP/srv-1cserver.domain.ru@DOMAIN.LOC
Read the second keytab
ktutil: rkt /opt/1cv8/x86_64/8.3.21.1393/keytab_master.loc/usr1cv8.keytab
Check
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 HTTP/srv-1cserver.domain.ru@DOMAIN.LOC
2 1 HTTP/srv-1cserver.domain.ru@MASTER.LOC
Read the third keytab
ktutil: rkt /opt/1cv8/x86_64/8.3.21.1393/keytab_office.loc/usr1cv8.keytab
Check
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 HTTP/srv-1cserver.domain.ru@DOMAIN.LOC
2 1 HTTP/srv-1cserver.domain.ru@MASTER.LOC
3 1 HTTP/srv-1cserver.domain.ru@OFFICE.LOC
The entry was added, i.e. the three keytabs were merged successfully
Write the result out
ktutil: wkt /etc/krb5.keytab
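The interactive ktutil session above can be scripted so the merge is repeatable and checked afterwards. The script below is an added example, not code from the original article: it feeds the same rkt/wkt commands to MIT Kerberos ktutil (Debian package krb5-user) on standard input, restricts the permissions of the resulting keytab, and verifies with klist -k that a principal for every realm is present. It assumes the 1C server runs as the local user usr1cv8 (so that user is given ownership of the file) and that the keytab paths are the ones used in the session above; the check_principals function only inspects a klist listing, so it can be run against constructed output without a Kerberos installation.

```shell
#!/bin/sh
# Added example (not from the original article): merge per-domain keytabs into
# /etc/krb5.keytab with MIT Kerberos ktutil, then verify the result.
# Assumptions: MIT krb5 tools (Debian package krb5-user) and that the 1C server
# runs as the local user usr1cv8, so that user must be able to read the keytab.
set -eu

# Emit the ktutil command script: one "rkt" per input keytab, then one "wkt".
# Arguments: output keytab, then the input keytabs.
build_ktutil_script() {
    out="$1"; shift
    for kt in "$@"; do
        printf 'rkt %s\n' "$kt"
    done
    printf 'wkt %s\n' "$out"
    printf 'quit\n'
}

# Check that a "klist -k" listing (read from stdin) contains every expected
# principal. Returns 1 and names the missing ones if any are absent.
check_principals() {
    listing=$(cat)
    rc=0
    for p in "$@"; do
        case "$listing" in
            *"$p"*) ;;
            *) printf 'missing principal: %s\n' "$p" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Merge the keytabs, lock down the file, and list what was written.
# Arguments: output keytab, then the input keytabs.
merge_keytabs() {
    out="$1"; shift
    for kt in "$@"; do
        [ -r "$kt" ] || { printf 'cannot read keytab: %s\n' "$kt" >&2; return 1; }
    done
    # ktutil's wkt appends to an existing file, so start from a clean one; if the
    # host's current keytab holds other principals, pass it as one of the inputs.
    rm -f "$out"
    build_ktutil_script "$out" "$@" | ktutil
    chown usr1cv8 "$out"      # assumed service user of the 1C server
    chmod 600 "$out"          # the keytab is a long-term secret
    klist -k "$out"
}

# Usage with the paths from the ktutil session (runs only when invoked as "run").
if [ "${1:-}" = run ]; then
    base=/opt/1cv8/x86_64/8.3.21.1393
    merge_keytabs /etc/krb5.keytab \
        "$base/keytab_domain.loc/usr1cv8.keytab" \
        "$base/keytab_master.loc/usr1cv8.keytab" \
        "$base/keytab_office.loc/usr1cv8.keytab"
    klist -k /etc/krb5.keytab | check_principals \
        HTTP/srv-1cserver.domain.ru@DOMAIN.LOC \
        HTTP/srv-1cserver.domain.ru@MASTER.LOC \
        HTTP/srv-1cserver.domain.ru@OFFICE.LOC
fi
```

Running the script with the argument run performs the merge as root; without it, only the functions are defined, which is convenient for sourcing the file and checking an existing keytab with klist -k /etc/krb5.keytab | check_principals ... before restarting the 1C server.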
After that, restart the 1C server; you can then open the thin client and enter the settings for the user.
To do this, go to “Administration” and select “Users” from the list on the left.
In the user properties, select “Operating System Authentication” and in the “User” field enter \\MASTER.LOC\e.ivanov
In 1C, the domain must be written in capital letters.
Do this on the necessary servers; at this stage, authorization from the various servers will work.