Share via


Checklist: Deploying Password Synchronization

Applies To: Windows Server 2003 R2

Password Synchronization helps integrate Windows and UNIX networks by simplifying the process of maintaining secure passwords in both environments. With Password Synchronization, you install utilities on your network's UNIX-based computers that detect user password changes on Windows-based computers or domains, then automatically update passwords on every UNIX host on which the users have accounts. You can also configure Password Synchronization to change the user's Windows password when the user's UNIX password is changed.

Notes

You can install Password Synchronization in any of the following three scenarios.

  • You want to synchronize passwords in an NIS domain for which the master server is a Windows-based computer running Server for NIS. See Setting up Password Synchronization for use with an NIS domain (Server for NIS master server) in this topic.

  • You want to synchronize passwords in an NIS domain for which the master server is a UNIX-based NIS server. See Setting up Password Synchronization for use with an NIS domain (UNIX-based master server) in this topic.

  • You want to synchronize passwords for users of standalone UNIX-based hosts who connect to Windows computers. See Setting up Password Synchronization for use with standalone UNIX-based hosts in this topic.

Password Synchronization can be installed only on an Active Directory Domain Services domain controller.

Setting up Password Synchronization for use with an NIS domain (Server for NIS master server)

  Step Reference

Read about Password Synchronization.

Overview of Password Synchronization

Log on as a member of both the Schema Administrators and Enterprise Administrators groups.

 

Install Password Synchronization on all domain controllers.

Install Identity Management for UNIX Components

Set the password encryption key.

Setting the password encryption key

Change other settings, as needed. Be sure to select the UNIX to Windows check box in the Direction of password synchronization area on the General tab of the Password Synchronization Properties dialog box.

Setting default synchronization; Setting computer-specific synchronization properties

Add UNIX-based computers with which passwords will be synchronized if they are not members of the Network Information Service (NIS) domain. For each computer, select the computer in the list, click Properties, clear the Synchronize password changes to this computer check box, select the Synchronize password changes from this computer check box, and then click OK. If you want to use non-default values, you can also specify values for the port number, encryption key, or both.

Adding or removing computers for synchronization

Setting up Password Synchronization for use with an NIS domain (UNIX-based master server)

  Step Reference

Read about Password Synchronization.

Overview of Password Synchronization

Log on as a member of both the Schema Administrators and Enterprise Administrators groups.

 

Install Password Synchronization on the appropriate Windows-based computers. If the passwords of local accounts on a server are to be synchronized, install Password Synchronization on the server. If Windows domain passwords are to be synchronized, install Password Synchronization on all domain controllers.

Install Identity Management for UNIX Components

Set the password encryption key.

Setting the password encryption key

Change other settings, as needed. Be sure to select the UNIX to Windows check box in the Direction of password synchronization area on the General tab of the Password Synchronization Properties dialog box.

Setting default synchronization; Setting computer-specific synchronization properties

Add the Network Information Service (NIS) master server to the list of computers with which the Windows-based computer will synchronize passwords.

Adding or removing computers for synchronization

Add UNIX-based computers with which passwords will be synchronized if they are not members of the Network Information Service (NIS) domain. For each computer, on the General tab of the Add Computer dialog box, clear the Synchronize password changes to this computer check box, select the Synchronize password changes from this computer check box, and then click OK. If you want to use non-default values, you can also specify values for the port number, encryption key, or both.

Adding or removing computers for synchronization

Specify which users have permissions to synchronize passwords.

Controlling password synchronization for user accounts

Ensure that the Password Synchronization configurations on all domain controllers in the domain are identical.

 

Configuring UNIX-based computers to work with Password Synchronization

  Step Reference

Install and configure the Password Synchronization single sign-on daemon (SSOD) on the NIS master server. Be sure to change the default encryption key in the sso.conf file to match the Password Synchronization encryption key set in preceding steps before copying it to the server, and edit sso.conf to specify the following:

  • USE_NIS=1

  • NIS_UPDATE_PATH=Makefile_path, where Makefile_path is the path and name of the NIS makefile, such as /var/yp/Makefile

Install the Password Synchronization daemon on UNIX-based computers

Copy the sso.conf file from the NIS master server to the /etc directory of each computer on which the Password Synchronization PAM module is installed.

 

On each NIS client on which you installed the Password Synchronization pluggable authentication module (PAM), replace the yppasswd binary file with a link to the passwd binary file, and then edit the /etc/nsswitch.conf file to change the passwd and shadow lines of the file, as shown:

passwd:  files [NOTFOUND=continue] nis
shadow:  files [NOTFOUND=continue] nis

Install Identity Management for UNIX Components

Start the Password Synchronization daemon on the NIS master server.

Start or stop Identity Management for UNIX components

Setting up Password Synchronization for use with standalone UNIX-based hosts

  Step Reference

Read about Password Synchronization.

Overview of Password Synchronization

Log on as a member of both the Schema Administrators and Enterprise Administrators groups.

 

Install Password Synchronization on all Windows-based domain controllers. If the passwords of local accounts on a server are to be synchronized, install Password Synchronization on the server. If Windows domain passwords are to be synchronized, install Password Synchronization on all domain controllers.

Install Identity Management for UNIX Components

Set the password encryption key.

Setting the password encryption key

Change other settings, as needed.

Setting default synchronization; Setting computer-specific synchronization properties

Add UNIX-based computers with which passwords will be synchronized if they are not members of the Network Information Service (NIS) domain. For each computer, on the General tab of the Add Computer dialog box, clear the Synchronize password changes to this computer check box, select the Synchronize password changes from this computer check box, and then click OK. If you want to use non-default values, you can also specify values for the port number, encryption key, or both.

Adding or removing computers for synchronization

Ensure that the Password Synchronization configurations on all domain controllers in the domain are identical.

 

Configuring UNIX-based standalone hosts to work with Password Synchronization

  Step Reference

Install and configure the Password Synchronization single sign-on daemon (SSOD) on all UNIX-based computers with which passwords will be synchronized. Be sure to change the default encryption key in the sso.conf file to match the Password Synchronization encryption key set in previous steps before copying it to the UNIX-based computers.

Install the Password Synchronization daemon on UNIX-based computers

Specify which users have permissions to synchronize passwords.

Controlling password synchronization for user accounts

Start the Password Synchronization daemon.

Start or stop Identity Management for UNIX components

Install and configure the Password Synchronization PAM on all UNIX-based computers from which password changes are to be synchronized with Windows passwords.

Install the Password Synchronization pluggable authentication module

Additional references

For more information about Password Synchronization, see: