Understanding Password Synchronization
Updated: August 22, 2005
Applies To: Windows Server 2003 R2
Password Synchronization helps integrate Windows and UNIX networks by simplifying the process of maintaining secure passwords in both environments. Users are freed of the difficulty of maintaining separate passwords for their Windows and UNIX accounts or having to remember to change the password wherever it is used. With Password Synchronization, whenever a user's password is changed on a Windows-based computer or domain, the password can also be automatically changed on every UNIX host for which the user has an account. Password Synchronization can also be configured to change the user's Windows password when the user's UNIX password is changed.
This makes it possible to administer passwords from a single computer, which simplifies things for administrators as well as individual users. Password Synchronization is also flexible: administrators can exclude specific users and systems from being synchronized. Password Synchronization can synchronize passwords on stand-alone Windows-based computers (such as computers running Windows 2000 Server that do not belong to a domain) or for an entire Windows domain. Similarly, Password Synchronization can be used to manage passwords on individual UNIX hosts or on all computers in a Network Information Service (NIS) domain.
Password Synchronization propagates passwords securely by transmitting only encrypted passwords over TCP/IP sockets; each password is encrypted under a key shared by the sending and receiving computers. This eliminates the need to use nonsecure methods (such as scripts that carry passwords in clear text) to administer passwords remotely. Passwords are also synchronized immediately. This means that, unlike methods such as rdist, which batches the password propagation, there is no appreciable delay between the time that a password is changed on one system and when it is changed on all other affected systems. This eliminates confusion and frustration for active users. Even more important, it closes the window in which an account whose password was changed in order to lock it out would still be reachable on hosts that had not yet received the change. To enhance network security even further, different encryption keys can be used for each Windows-based computer/UNIX host pair. Because the confidentiality of a transmitted password rests entirely on the secrecy of that shared key, assign a distinct key to each pair rather than reusing one key across hosts, and restrict access to the configuration that stores it on both the Windows-based computer and the UNIX host.
Password Synchronization is a combination of three software components:
The Password Synchronization service running on one or more Windows-based computers
The Password Synchronization daemon running on one or more UNIX computers
The Password Synchronization pluggable authentication module (PAM) installed on one or more UNIX computers.
When Password Synchronization is configured for Windows-to-UNIX synchronization and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service first determines whether the user's password is to be synchronized on UNIX computers (users and hosts that have been excluded are skipped). If it is, the service encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized, using the key configured for that computer/host pair. The daemon then decrypts the password and changes the password on the UNIX host. If the UNIX host is an NIS master server and it is configured to do so, the daemon also runs make to propagate the password change throughout the NIS domain.
When Password Synchronization is configured for UNIX-to-Windows synchronization, passwords that are changed on UNIX hosts are synchronized on Windows-based computers and domains. The Password Synchronization PAM module makes this possible by intercepting the password change request on the UNIX host, encrypting the new password, and then sending the password change request to the Password Synchronization service running on the Windows-based computers with which it is configured to be synchronized. The exchange is the same as in the Windows-to-UNIX direction, with the PAM module as sender and the service as receiver.
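The two exchanges above, as an added simulation that is not code from the original page or from the Password Synchronization product. It models the Windows-side service deciding whether a change is in scope, sealing the password under the key for each computer/host pair, and the UNIX-side daemon decrypting and applying it (the UNIX-to-Windows path is the same exchange with the roles swapped). The cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), the JSON message layout, the host names, the in-memory password table, and the in-process delivery in place of TCP sockets are all assumptions made for the example; the page does not specify the product's cipher or wire format.

```python
"""Simulation of the Password Synchronization exchange (added example).
Stand-in cipher and message format; the real product's are not given on the page."""
import hashlib
import hmac
import json
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag.
    Separate encryption and MAC keys are derived from the shared pair key."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong pair key or a tampered blob raises."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncService:
    """Windows side: skips excluded users, then sends one message per configured
    UNIX host, each sealed under that pair's own key."""

    def __init__(self, peer_keys: dict, excluded_users=()):
        self.peer_keys = peer_keys              # host name -> shared key for that pair
        self.excluded_users = set(excluded_users)

    def on_password_change(self, user: str, new_password: str) -> dict:
        if user in self.excluded_users:
            return {}                           # excluded users are never propagated
        payload = json.dumps({"user": user, "password": new_password}).encode()
        return {host: seal(key, payload) for host, key in self.peer_keys.items()}


class SyncDaemon:
    """UNIX side: decrypts with its own pair key and applies the change.
    A dict stands in for the host's password database."""

    def __init__(self, key: bytes, passwords: dict, nis_master: bool = False):
        self.key, self.passwords, self.nis_master = key, passwords, nis_master
        self.nis_make_runs = 0                  # how often 'make' would have been run

    def receive(self, blob: bytes) -> str:
        msg = json.loads(open_sealed(self.key, blob))
        self.passwords[msg["user"]] = msg["password"]
        if self.nis_master:
            self.nis_make_runs += 1             # NIS master pushes the change to the domain
        return msg["user"]


def demo() -> dict:
    """Run one synchronization and check the per-pair key boundary (constructed data)."""
    key_a, key_b = os.urandom(32), os.urandom(32)   # distinct key per Windows/UNIX pair
    service = SyncService({"unixa": key_a, "unixb": key_b}, excluded_users={"svc_backup"})
    daemon_a = SyncDaemon(key_a, {"alice": "old"}, nis_master=True)
    daemon_b = SyncDaemon(key_b, {"alice": "old"})

    sent = service.on_password_change("alice", "N3w-Passw0rd!")
    daemon_a.receive(sent["unixa"])
    daemon_b.receive(sent["unixb"])
    try:                                        # unixa's message must not be usable on unixb
        daemon_b.receive(sent["unixa"])
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "alice_on_a": daemon_a.passwords["alice"],
        "alice_on_b": daemon_b.passwords["alice"],
        "nis_make_runs": daemon_a.nis_make_runs,
        "excluded_sends_nothing": service.on_password_change("svc_backup", "x") == {},
        "cross_host_replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The cross-host check at the end is the point of the per-pair keys the page recommends: a message captured on the path to one host is useless on the path to another, and a daemon configured with a different key rejects it before any password is touched.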
For information about implementing Password Synchronization, see Implementing Password Synchronization.