SUMMARY

Password synchronization provides one-way (Windows-to-UNIX) and two-way password synchronization between Windows domains and Network Information Service (NIS) domains. The master server of the NIS domain can be running on UNIX or on Windows (Server for NIS).

Windows Services for UNIX provides precompiled binaries to support password synchronization on supported UNIX and Linux hosts. The following list describes supported hosts for Windows Services for UNIX 3.0:

• HP-UX 11
• Sun Solaris (sparc) 7.0, 8
• IBM AIX 4.3.3
• Red Hat Linux 7.0

Installing password synchronization SSOD on a UNIX host

Password Synchronization Single Sign On Daemon (SSOD) is used to support Windows to UNIX password synchronization. To install Password Synchronization SSOD, copy the precompiled binary that is appropriate to the UNIX or Linux host to the UNIX or Linux server, copy the sample configuration file, and then modify it as appropriate.

To install Password Synchronization SSOD on a UNIX or Linux host:

1. Copy the appropriate SSOD binary file from the Windows Services for UNIX 3.0 CD to your UNIX or Linux host. You must use a binary file copy method to, such as Transfer Protocol (FTP) in binary mode, to ensure that you don't corrupt the file. You may also be able to mount the CD directly on your UNIX or Linux host.
   
   The source files are located in the unix\bins folder of the Windows Services for UNIX 3.0 CD. Microsoft recommends that you use either usr/local/bin or usr/bin as the destination location. The following list describes the correct file names for each type of host:
   • HP-UX 11: Ssod.h11
   • Solaris 7: Ssod.so7
   • IBM AIX 4.3.3: Ssod.a42
   • Red Hat Linux 7: S ssod.l52
2. Log on to the UNIX host as a root.
3. Rename the file to Ssod.
4. Use a binary file copy method such as FTP to copy the unix\bins\Sso.cfg file from the Windows Services for UNIX 3.0 CD to etc/sso.conf.
5. Use a UNIX text editor to edit etc/sso.conf to use the appropriate encryption key, port number, and other settings, as below Edit the ENCRYPT_KEY line to specify the default key. This value must match the default key specified on all domain controllers with which this computer will synchronize passwords:

   ENCRYPT_KEY=encryptionKey

   Edit the PORT_NUMBER line to specify the port. This value must match the port number specified on all domain controllers with which this computer will synchronize passwords.

   PORT_NUMBER=portNumber

   Edit the SYNC_HOSTS line to specify the domain controller in each Windows domain with which the computer is to synchronize passwords. If you are using a non-default port number or encryption key, specify that value where indicated; otherwise, leave the value blank:

   SYNC_HOSTS=(domainController[, portNumber [, encryptionKey]]) ...

   Each entry in the list must be enclosed by parentheses (the "(" and ")" characters) and separated from the next entry by a blank space.
   
   If the computer is a Network Information Service (NIS) or NIS+ master server, and if you want passwords to be synchronized throughout the NIS domain, edit the USE_NIS line as shown to enable NIS synchronization:

   USE_NIS=1

   Also, if required, edit the NIS_UPDATE_PATH line to specify the location of the NIS makefile:

   NIS_UPDATE_PATH=makefilePath

6. Start SSOD.
   
   If you want this daemon to start automatically when you start the computer, add the daemon to the appropriate file for your version of UNIX or Linux (for example, etc/rc.local).
   
   Note The etc/sso.conf file contains sensitive information, including encryption keys. Set the permissions appropriately so that only administrators have access to this file.

Installing PAM on a UNIX host

Pluggable Authentication Module (PAM) is used to support UNIX to Windows password synchronization. PAM is supported on HP-UX 11, Solaris 7, and Red Hat Linux 6.2 and 7.

Installing PAM on HP-UX 11

1. Copy the unix\bins\pam_sso.h11 file that is located on the Windows Services for UNIX CD to usr/lib/security on the HP-UX 11 host.
2. Log on to the UNIX host as a root.
3. Change the file name of usr/lib/security/pam_sso.h11 to pam_sso.hp.1.
4. Change the file permissions to 544, and then change the owner to Root.
   
   From the UNIX prompt:
   

   chown root:sys pam_sso.hp.1
   chmod 544 pam_sso.hp.1

5. Use a UNIX text editor to open the etc/pam.conf file, and then add the following line after the "Password management" line:

   other password required /usr/lib/security/pam_sso.hp.1

6. Save the file, and then close it.

Installing PAM on Red Hat Linux 7

1. Copy the unix\bins\pam_sso.l52 file on the Windows Services for UNIX CD to Usr/Lib/Security on the Linux host.
2. Log on to the Linux host as a root.
3. Change the name of the usr/lib/security/pam_sso.l52 file to pam_sso.so.1
4. Use a UNIX text editor to open the etc/pam.d/system-auth file, and then locate the following line:

   password required /lib/security/pam_cracklib.so retry=3

5. After the line that you located in step 4, add the following line:

   password required /usr/lib/security/pam_sso.so.1

6. Locate and then delete the following line:

   password required /usr/lib/security/pam_deny.so

7. Save the file, and then close it.

Installing PAM on Solaris 7

1. Copy the unix\bins\pam_sso.so7 file on the Windows Services for UNIX CD to usr/lib/security on the Solaris 7 host.
2. Log on to the UNIX host as a root.
3. Change the usr/lib/security/pam_sso.so7 file name to pam_sso.so.1.
4. Change the file permissions to 544, and then change the owner to Root.
5. Use a UNIX text editor to open the etc/pam.conf file, and then add the following line after the "Password management" line:

   other password required /usr/lib/security/pam_sso.so.1

6. Save the file, and then close it.

Troubleshooting

• Because yppasswd on Solaris does not support the use of PAM, password synchronization from a Solaris 7 Network Information Service (NIS) domain that uses yppasswd is not supported. If yppasswd is used, the Windows password is not updated.
  
  However, you can work around this limitation by replacing the yppasswd file on your Solaris server with a link to the passwd binary file, and then edit /etc/nsswitch.conf to replace the passwd and shadow lines to read:

  passwd: files [NOTFOUND=continue] nis

  shadow: files [NOTFOUND=continue] nis

• Regardless of the UNIX or Linux host on which you are installing PAM, the procedure that is described in this article assumes PAM support is already installed and configured correctly on the computer.
• If problems are encountered, carefully examine the Windows event logs on the target domain controller and the syslog files on the UNIX/Linux host (/usr/adm/syslog)