Task 3: Install the Pluggable Authentication Module on UNIX-based Computers
Applies To: Windows Server 2003 R2
Pluggable authentication modules (PAMs) allow a UNIX computer to support multiple authentication technologies. Password Synchronization uses PAMs to provide UNIX-to-Windows password synchronization. To allow passwords on Windows-based computers or domains to be changed when users change their UNIX password, the Password Synchronization PAM module (pam_sso) must be installed on each UNIX host where users can change their passwords.
Much like Password Synchronization running on a Windows-based computer, the Password Synchronization PAM on a UNIX computer intercepts the password change request, encrypts the password, and then transmits the request to the appropriate Windows-based computers running Password Synchronization. Like the Password Synchronization daemon, the Password Synchronization PAM performs event logging through the syslogd daemon running on the UNIX host.
This section contains instructions on installing the PAM on computers running any of the following four UNIX-based operating systems:
AIX
HP-UX
Red Hat Linux
Solaris
To install the pluggable authentication module (PAM) on AIX
1. Copy pam_sso.aix from \Unix\Bins on the Windows Server 2003 R2 product CD or DVD-ROM to /usr/lib/security on the UNIX computer, and change its name to pam_sso.aix.1. This is the directory that the pam.conf entry in step 5 refers to; if you place the module elsewhere, use that path in step 5 instead.
2. On the UNIX computer, log on as root, and then enter the following commands so that the module is owned by root and is not writable by anyone:
chown root /usr/lib/security/pam_sso.aix.1
chmod 555 /usr/lib/security/pam_sso.aix.1
3. If necessary, create the /etc/pam.conf file according to your network requirements, setting the owner to root and the base permissions to 644. For more information about creating the pam.conf file, see "Pluggable Authentication Modules" in System Management Guides: Security Guide in your AIX documentation.
Sample pam.conf file
# Authentication management
OTHER auth required /usr/lib/security/pam_aix
# Account management
OTHER account required /usr/lib/security/pam_aix
# Session management
OTHER session required /usr/lib/security/pam_aix
4. Open /etc/pam.conf with a text editor.
5. In the Password management section, add the following line:
passwd password required /usr/lib/security/pam_sso.aix.1
Sample pam.conf file with this line added
# Authentication management
OTHER auth required /usr/lib/security/pam_aix
# Account management
OTHER account required /usr/lib/security/pam_aix
# Session management
OTHER session required /usr/lib/security/pam_aix
# Password management
passwd password required /usr/lib/security/pam_sso.aix.1
6. Open /usr/lib/security/methods.cfg with a text editor and add the following stanzas at the end of the file:
PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN
7. Open /etc/security/user with a text editor and add authentication information for the specific users whose passwords you want to synchronize. For example:
user1:
        admin = false
        SYSTEM = PAMfiles[*] AND "compat"
        registry = PAMfiles
Note
You can instead change the default stanza of /etc/security/user so that all users can synchronize their passwords. In that case, use the SYNC_USERS attribute in /etc/sso.conf to restrict which users Password Synchronization accepts. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 5.
- If you are finished installing the PAM on AIX-based computers, go on to Task 4: Configure Password Synchronization.
To install the pluggable authentication module (PAM) on HP-UX
1. Copy pam_sso.hpx from \Unix\Bins on the Windows Server 2003 R2 product CD or DVD-ROM to /usr/lib/security on the UNIX computer, change its name to pam_sso.hp.1, and then set its file-mode bits to 544.
2. On the UNIX computer, open /etc/pam.conf with a text editor.
3. In the Password management section, locate the following line:
other password required /usr/lib/security/libpam_unix.1
4. Immediately following the line located in the previous step, add the following line:
other password required /usr/lib/security/pam_sso.hp.1
Note
To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. The following file sample shows a typical configuration. Actual contents of this file may differ, depending on your system configuration.
Sample HP-UX PAM configuration file (/etc/pam.conf, with the pam_sso.hp.1 line from step 4 added)
# PAM configuration
# Authentication management
login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
dtaction auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
# Account management
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
# Session management
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
# Password management
login password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_unix.1
other password required /usr/lib/security/libpam_unix.1
other password required /usr/lib/security/pam_sso.hp.1
The file-mode bits for pam_sso.hp.1 must be set to 544 (owner r-x, group r--, other r--) or the module will not function properly.
- If you are finished installing the PAM on HP-UX-based computers, go on to Task 4: Configure Password Synchronization.
To install the pluggable authentication module (PAM) on Linux
1. Copy pam_sso.rhl from \Unix\Bins on the Windows Server 2003 R2 product CD or DVD-ROM to /lib/security on the UNIX computer, and change its name to pam_sso.so.1.
2. On the UNIX computer, copy /etc/pam.d/system-auth to /etc/pam.d/ssod.
3. Open /etc/pam.d/system-auth with a text editor, and locate the following line:
password required /lib/security/pam_cracklib.so retry=3
4. After the line in the previous step, add the following line:
password required /lib/security/pam_sso.so.1
5. Locate and delete the following line:
password required /lib/security/pam_deny.so
6. Save the modified file.
Note
These instructions apply to the typical Linux configuration. If you have configured PAM support differently, you might have to adjust these instructions to your specific configuration. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.d/system-auth that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. The following file samples show a typical configuration. Actual contents of these files may differ, depending on your system configuration. Because step 2 copies system-auth before step 4 modifies it, /etc/pam.d/ssod has no pam_sso entry. The sample /etc/pam.d/system-auth shows the pam_sso line from step 4 but still lists the pam_deny.so line that step 5 removes; after step 5 that line is absent.
Sample Linux PAM configuration files:
/etc/pam.d/passwd
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
/etc/pam.d/ssod
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password required /lib/security/pam_sso.so.1
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
- If you are finished installing the PAM on Linux-based computers, go on to Task 4: Configure Password Synchronization.
To install the pluggable authentication module (PAM) on Solaris
1. Copy pam_sso.sol from the \Unix\Bins folder on the Windows Server 2003 R2 product CD or DVD-ROM to the /usr/lib/security directory on the UNIX computer, and change its name to pam_sso.so.1.
2. On the UNIX computer, open /etc/pam.conf with a text editor.
3. In the Password management section, locate the following line:
other password required /usr/lib/security/$ISA/pam_unix.so.1
4. Immediately following the line located in the previous step, add the following line:
other password required /usr/lib/security/$ISA/pam_sso.so.1
Note
To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. The following file sample shows a typical configuration. Actual contents of this file may differ, depending on your system configuration.
Sample Solaris PAM configuration file (/etc/pam.conf, with the pam_sso.so.1 line from step 4 added)
#ident "@(#)pam.conf 1.14 99/09/16 SMI"
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
# PAM configuration
# Authentication management
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth required /usr/lib/security/$ISA/pam_unix.so.1
# Account management
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
# Session management
other session required /usr/lib/security/$ISA/pam_unix.so.1
# Password management
other password required /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_sso.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
- If you are finished installing the PAM on Solaris-based computers, go on to Task 4: Configure Password Synchronization.
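The following audit script is an added example covering all four procedures above; it is not part of Password Synchronization or of any PAM implementation. Given the text of a pam.conf or pam.d file and the path of the installed module, it extracts the password stack, confirms that an uncommented entry names the module, and walks the stack with the standard control-flag rules (required, requisite, sufficient, optional) to confirm the entry is actually reached. That walk is why the Linux procedure puts pam_sso before the sufficient pam_unix.so line: a sufficient module that succeeds ends the stack, and anything listed after it never runs, whereas on HP-UX and Solaris the preceding pam_unix entry is required, so pam_sso can follow it. The script also checks that the module file is owned by root, has the mode the procedure calls for (555 on AIX, 544 on HP-UX) and is not group- or world-writable, which matters for any PAM module because it is loaded into privileged programs such as passwd. The configuration fragments are constructed from the samples on this page; the function names and the dispatch model are this example's own, and the model assumes every module succeeds unless named as failing, which simplifies real module return codes.

```python
"""Audit helper for a Password Synchronization PAM (pam_sso) installation.

Added example, not part of the product.  Checks the module file's owner and
mode, finds the module's entry in the password stack, and walks that stack with
the standard PAM control-flag rules to see whether the entry is ever reached.
The model assumes a module succeeds unless named in `failing` (simplification).
"""
import os
import stat
from typing import Iterable, List, Tuple

CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")
Stack = List[Tuple[str, str]]  # (control flag, module path)

# Constructed fragments based on the samples on this page.
LINUX_SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
password required /lib/security/pam_cracklib.so retry=3 type=
password required /lib/security/pam_sso.so.1
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password required /lib/security/pam_deny.so
"""
SOLARIS_PAM_CONF = """\
# Password management
other password required /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_sso.so.1
#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
"""


def password_stack(conf_text: str) -> Stack:
    """Return the 'password' stack from pam.conf text (service type control
    module ...) or pam.d text (type control module ...), ignoring comments."""
    stack: Stack = []
    for line in conf_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "password":                   # pam.d layout
            i = 0
        elif len(f) > 1 and f[1] == "password":  # pam.conf layout
            i = 1
        else:
            continue
        if len(f) >= i + 3 and f[i + 1] in CONTROL_FLAGS:
            stack.append((f[i + 1], f[i + 2]))
    return stack


def dispatch(stack: Stack, failing: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Walk a stack as the PAM dispatcher does.
    Returns (overall result, modules actually invoked, in order)."""
    failing = set(failing)
    invoked: List[str] = []
    impression = None  # None, "positive" or "negative"
    for flag, module in stack:
        ok = module not in failing
        invoked.append(module)
        if flag == "sufficient":
            if ok and impression != "negative":
                return True, invoked    # stack ends here; later lines never run
            continue                    # a failing sufficient module is ignored
        if ok:
            impression = impression or "positive"
        elif flag == "requisite":
            return False, invoked       # immediate denial
        elif flag == "required":
            impression = "negative"     # remembered; the walk continues
        # a failing optional module is ignored
    return impression == "positive", invoked


def check_entry(conf_text: str, module_path: str) -> List[str]:
    """Problems with the module's entry in the password stack (empty = OK)."""
    stack = password_stack(conf_text)
    if module_path not in [m for _, m in stack]:
        return [f"no uncommented password entry for {module_path}"]
    _, invoked = dispatch(stack)
    if module_path not in invoked:
        return [f"{module_path} follows a sufficient module and will never run"]
    return []


def check_module_file(path: str, expected_mode: int, expected_uid: int = 0) -> List[str]:
    """Problems with the installed module file (empty = OK).
    Modes from this page: 0o555 on AIX, 0o544 on HP-UX."""
    try:
        st = os.stat(path)
    except OSError as e:
        return [f"{path}: {e.strerror}"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        problems.append(f"{path}: mode {mode:o}, expected {expected_mode:o}")
    if mode & 0o022:
        problems.append(f"{path}: writable by group or others")
    return problems


if __name__ == "__main__":
    print(check_entry(LINUX_SYSTEM_AUTH, "/lib/security/pam_sso.so.1"))
    print(check_entry(SOLARIS_PAM_CONF, "/usr/lib/security/$ISA/pam_sso.so.1"))
    # Linux step 5: with pam_deny.so present a failed pam_unix.so update is
    # denied; with it removed, the required modules' success stands.
    stack = password_stack(LINUX_SYSTEM_AUTH)
    print(dispatch(stack, {"/lib/security/pam_unix.so", "/lib/security/pam_deny.so"})[0])
    print(dispatch(stack[:3], {"/lib/security/pam_unix.so"})[0])
    print(check_module_file("/usr/lib/security/pam_sso.hp.1", 0o544))  # real HP-UX host
```

Run against a real host, check_module_file takes the path from the relevant procedure and check_entry the contents of /etc/pam.conf or /etc/pam.d/system-auth. The dispatch walk in the __main__ block also makes the effect of Linux step 5 visible: in this model, with pam_deny.so in place a failure of the pam_unix.so update ends in denial, and with it removed the result is that of the required modules that did succeed, so anything relying on the stack's result to reflect the local password change should be confirmed on the target system.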
See Also
Other Resources
Using sso.conf to configure Password Synchronization on the UNIX computer