Implementing Password Synchronization

Applies To: Windows Server 2003 R2

Password Synchronization changes a user's UNIX password whenever the user's password is changed on a Windows-based computer or domain. In addition, Password Synchronization and the affected UNIX hosts can be configured to change the user's Windows password whenever the UNIX password is changed.

Two-way password synchronization is supported on UNIX computers running any of the following operating systems:

  • Hewlett-Packard HP-UX version 11i, 32-bit environment

  • IBM AIX version 5L 5.2, 32-bit environment

  • Red Hat Linux versions 8 and 9, 32-bit environment

  • Sun Solaris version 8 running on x86-based computers and Scalable Processor Architecture (SPARC)–based computers, and Solaris version 9 running on SPARC–based computers. The 32-bit environment has been tested on SPARC-based computers.

For more information about how Password Synchronization works on Windows and UNIX computers, see Understanding Password Synchronization.

The remainder of this topic provides information about how to implement password synchronization on Windows and UNIX computers.

  • Installing Password Synchronization in Windows
    You can use Password Synchronization to synchronize passwords between a Windows domain and one or more UNIX hosts, or you can use it to synchronize passwords between a stand-alone computer running Windows and one or more UNIX hosts. To synchronize local account passwords on a Windows-based computer, install Password Synchronization on that computer only. To synchronize Windows domain passwords, you must install Password Synchronization on all domain controllers for that domain. This will ensure that when a domain controller processes a password change request, the Password Synchronization service on that domain controller will be able to synchronize the new password with the appropriate UNIX hosts. For this reason, before you remove Password Synchronization from a domain controller, you should demote the domain controller to a member server to prevent password discrepancies between the Windows domain and the UNIX hosts. For information about installing Password Synchronization on Windows-based computers, see Install Password Synchronization.
  • Installing the Password Synchronization daemon on UNIX hosts
    To allow synchronization of Windows passwords with UNIX hosts, you must install the Password Synchronization daemon on each UNIX host on which passwords are to be synchronized. For information about installing the daemon, see Install the Password Synchronization daemon. When Password Synchronization receives a request for a password change, it encrypts the password and sends it to all UNIX hosts that are to be synchronized with the Windows-based computer or domain. To process the password change request, the UNIX host must be running the Password Synchronization daemon. This daemon receives the request and changes the password on the UNIX host. In addition, if the UNIX host is a master Network Information Service (NIS) server, the Password Synchronization daemon runs make to rebuild the NIS passwd map so it can be replicated to subordinate (slave) servers in the NIS domain. The Password Synchronization daemon performs event logging through the syslogd daemon running on the UNIX host.
  • Installing the pluggable authentication module on UNIX hosts
    Pluggable authentication modules (PAMs) allow a UNIX computer to support multiple authentication technologies. Password Synchronization uses this facility to provide UNIX-to-Windows password synchronization. To allow passwords on Windows-based computers or domains to be changed when users change their UNIX password, the Password Synchronization PAM module (pam_sso) must be installed on each UNIX host where users can change their passwords. Much like Password Synchronization running on a Windows-based computer, the Password Synchronization PAM module on a UNIX computer intercepts the password change request, encrypts the password, and then transmits the request to the appropriate Windows-based computers running Password Synchronization. Like the Password Synchronization daemon, the Password Synchronization PAM module performs event logging through the syslogd daemon running on the UNIX host. For information about configuring UNIX computers for UNIX-to-Windows synchronization, see Configure UNIX Computers for UNIX-to-Windows Synchronization.
  • Synchronizing passwords between Windows and NIS domains
    In addition to synchronizing passwords between Windows-based computers and stand-alone UNIX hosts, you can use Password Synchronization to synchronize passwords with an NIS domain, either one-way (Windows-to-UNIX) or two-way. For more information, see Synchronizing passwords with an NIS domain. For security reasons, it is recommended that you perform the Windows Server 2003 Service Pack 1 (SP1) compatibility check when selecting Enable Windows to NIS (AD) Password Sync on the Configuration tab of the Password Synchronization Properties dialog box. For more information about the compatibility check, see Best practices for Password Synchronization.
  • Coordinating account names and password policies
    The password policies on both systems must be similar. If the policy on one system is stronger (more restrictive) than the policy on the other system, Password Synchronization might fail to synchronize passwords, and the failure might not be reported. In addition, Password Synchronization can only synchronize the passwords of accounts with identical user names. Windows and UNIX administrators must ensure that the user names for the Windows and UNIX accounts of a given user match exactly (including case). If you are configuring Password Synchronization for one-way (Windows-to-UNIX) synchronization, you should consider disabling the ability of users to change passwords on the UNIX hosts that are to be synchronized with the Windows-based computers. Otherwise, if users change their UNIX passwords, their passwords will no longer be synchronized.
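The following pre-flight check is an added example, not part of Password Synchronization itself: it compares a constructed list of Windows account names against constructed passwd-format lines from a UNIX host to find names that differ only in case or are absent (neither will be synchronized), and it reports password policy settings on which one side is stricter than the other, which is the situation in which synchronization can fail without being reported. The policy keys (min_length, min_classes) are assumed names for illustration.

```python
"""Pre-flight check for Password Synchronization (added example, not part of the
product): Windows and UNIX account names must match exactly, including case,
and password policies should be equally strict, or synchronization can fail
without reporting it. All sample data below is constructed."""

# Constructed: account names as exported from the Windows domain or computer.
WINDOWS_ACCOUNTS = ["alice", "Bob", "carol", "dave"]

# Constructed: passwd-format lines from a UNIX host that is to be synchronized.
UNIX_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
"""

def unix_user_names(passwd_text, min_uid=1000):
    """Return login names of ordinary users (UID >= min_uid) from passwd text."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) >= min_uid:
            names.append(fields[0])
    return names

def check_account_names(windows_names, unix_names):
    """Classify each Windows account: exact match, differs only by case, or absent.
    Only exact matches are synchronized; the other two classes are not."""
    unix_set = set(unix_names)
    by_lower = {n.lower(): n for n in unix_names}
    result = {"ok": [], "case_mismatch": [], "missing": []}
    for name in windows_names:
        if name in unix_set:
            result["ok"].append(name)
        elif name.lower() in by_lower:
            result["case_mismatch"].append((name, by_lower[name.lower()]))
        else:
            result["missing"].append(name)
    return result

def policy_differences(windows_policy, unix_policy):
    """List settings where one side is stricter (assumed: higher value = stricter,
    e.g. min_length); a password the looser side accepts can be rejected by the
    stricter side, so synchronization in that direction fails."""
    diffs = []
    for setting in sorted(set(windows_policy) & set(unix_policy)):
        w, u = windows_policy[setting], unix_policy[setting]
        if w != u:
            diffs.append((setting, w, u, "unix" if u > w else "windows"))
    return diffs
```

Run the name check against every UNIX host to be synchronized before enabling the service; a case mismatch such as "Bob" versus "bob" is easy to miss by eye and is not reported at synchronization time.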