Checklist: Setting up Password Synchronization for use with an NIS domain (Server for NIS master server)

Applies To: Windows Server 2003 R2

Configuring Windows systems

Read about Password Synchronization.
    Reference: Password Synchronization Concepts

Log on as a member of both the Schema Admins and Enterprise Admins groups.

Install Password Synchronization on all domain controllers in the domain.
    Reference: Install Password Synchronization

Change the encryption key. The key you set here is the default key that every UNIX computer must be configured to match, unless a per-computer key is specified for it in a later step.
    Reference: Set the default encryption key

Change other settings as needed. Be sure to select the Synchronize password changes from computers that run UNIX to computers that run Windows check box.
    Reference: Configure Password Synchronization

Add the UNIX computers with which passwords will be synchronized if they are not members of the Network Information Service (NIS) domain. For each computer, select it in the list, click Configure, clear the Synchronize password changes to check box, select the Synchronize password changes from check box, and then click OK. If the computer is to use a nondefault port number, encryption key, or both, specify those values here as well; the same values must then be entered in that computer's sso.conf.
    Reference: Add and remove computers for synchronization

Ensure that the Password Synchronization configuration is identical on every domain controller in the domain.

Specify which users will and will not be allowed to synchronize passwords.
    Reference: Controlling password synchronization for user accounts

Configuring UNIX systems

Install and configure the Password Synchronization pluggable authentication module (PAM) on every UNIX computer from which password changes are to be synchronized with Windows passwords. Typically this means any computer on which users run yppasswd, and any computer that does not belong to the NIS domain.
    Reference: Configure UNIX Computers for UNIX-to-Windows Synchronization

Copy Sso.cfg from IDMU\Unix\Bins on the Windows Server 2003 R2 CD to the /etc directory of each computer on which the Password Synchronization PAM module is installed, and rename it sso.conf. Use a binary-mode transfer (for example, FTP in binary mode) so that CR/LF (carriage-return/line-feed) pairs are not altered in transit. Because the finished file holds the shared encryption key, keep it readable by root only. Open the file with a text editor and perform the following steps:

  1. Edit the following line to specify the encryption key. This value must match the default key set on all domain controllers with which this computer will synchronize passwords:

    ENCRYPT_KEY=encryptionKey

  2. If you have changed the default port, edit the following line to specify the new port. This value must match the port number set on all domain controllers with which this computer will synchronize passwords:

    PORT_NUMBER=portNumber

  3. Edit the following line to name the computer running Server for NIS. If you specified a nondefault port number or encryption key for this UNIX computer when configuring Password Synchronization on the domain controller, supply the same values in the optional positions shown in brackets; otherwise omit them:

    SYNC_HOSTS=(domainController[, portNumber [, encryptionKey]])

On each NIS client on which you installed the Password Synchronization PAM module, replace the yppasswd binary file with a link to the passwd binary file, so that a yppasswd invocation goes through the PAM stack that includes the module, and then edit the /etc/nsswitch.conf file to change the passwd and shadow lines as shown:

passwd:  files [NOTFOUND=continue] nis
shadow:  files [NOTFOUND=continue] nis
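The UNIX-side steps above (editing sso.conf, relinking yppasswd, and adjusting nsswitch.conf) as a POSIX shell script that applies the three settings and then verifies the result before the PAM module is relied on. This is an added example and is not part of the product documentation or of the shipped Sso.cfg. The sample configuration file, the host name nis-master.example.com, the key value and the port values are constructed placeholders, and the script rewrites only the three settings the checklist names, leaving any other lines of a real Sso.cfg untouched.

```shell
#!/bin/sh
# Added example, not part of the product documentation: set and verify the
# sso.conf settings the checklist edits, then check the NIS-client changes.
# POSIX sh; functions use global variables because sh has no 'local'.

# Constructed stand-in for the Sso.cfg copied from IDMU\Unix\Bins. It holds only
# the three settings the checklist edits, still at their placeholder values.
make_sample_cfg() {   # $1 = path to write
    printf 'ENCRYPT_KEY=encryptionKey\nPORT_NUMBER=portNumber\nSYNC_HOSTS=(domainController)\n' > "$1"
}

get_setting() {       # $1 = file, $2 = setting name; prints the value after '='
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Rewrite the three settings in place. $1 = file, $2 = default key shared with
# the domain controllers, $3 = port, $4 = Server for NIS host, $5 = optional
# "port, key" override for this host (leave empty when the DC uses the defaults).
# Assumes the key contains none of the sed-special characters | & \ .
configure_sso_conf() {
    f=$1; key=$2; port=$3; host=$4; override=${5:-}
    hosts="($host${override:+, $override})"
    tmp="$f.tmp.$$"
    sed -e "s|^ENCRYPT_KEY=.*|ENCRYPT_KEY=$key|" \
        -e "s|^PORT_NUMBER=.*|PORT_NUMBER=$port|" \
        -e "s|^SYNC_HOSTS=.*|SYNC_HOSTS=$hosts|" "$f" > "$tmp" && mv "$tmp" "$f"
    chmod 600 "$f"    # the file carries the shared key: root-only read access
}

# Return 0 only when the file is fit for the PAM module to use; report each problem.
check_sso_conf() {    # $1 = path to sso.conf
    f=$1; rc=0
    key=$(get_setting "$f" ENCRYPT_KEY)
    port=$(get_setting "$f" PORT_NUMBER)
    hosts=$(get_setting "$f" SYNC_HOSTS)
    case $key in
        ''|encryptionKey) echo "ENCRYPT_KEY is still the placeholder"; rc=1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "PORT_NUMBER is not numeric: '$port'"; rc=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               { echo "PORT_NUMBER out of range: $port"; rc=1; } ;;
    esac
    case $hosts in
        ''|"()"|"(domainController"*) echo "SYNC_HOSTS does not name the Server for NIS host"; rc=1 ;;
        "("*")") ;;
        *) echo "SYNC_HOSTS must be parenthesised: '$hosts'"; rc=1 ;;
    esac
    case $(ls -l "$f") in
        -rw-------*) ;;
        *) echo "$f must be mode 600 (it contains the encryption key)"; rc=1 ;;
    esac
    return $rc
}

# Verify the two nsswitch.conf lines the checklist requires on NIS clients.
check_nsswitch() {    # $1 = path to nsswitch.conf
    rc=0
    for db in passwd shadow; do
        grep -Eq "^$db:[[:space:]]+files[[:space:]]+\[NOTFOUND=continue\][[:space:]]+nis[[:space:]]*$" "$1" ||
            { echo "$db line in $1 is missing or not 'files [NOTFOUND=continue] nis'"; rc=1; }
    done
    return $rc
}

# yppasswd must resolve to the same file as passwd (symbolic or hard link).
# -ef is not strictly POSIX but is supported by bash, dash and ksh.
check_yppasswd_link() {   # $1 = directory holding passwd and yppasswd
    [ -e "$1/yppasswd" ] && [ "$1/yppasswd" -ef "$1/passwd" ]
}
```

On a real client, run as root after the copy: configure_sso_conf /etc/sso.conf with the key, port and Server for NIS host agreed with the domain controllers, then check_sso_conf /etc/sso.conf, check_nsswitch /etc/nsswitch.conf and check_yppasswd_link against the directory that holds passwd and yppasswd on that system. A nonzero exit from any check means that step of the checklist is not yet complete.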