Task 3: Install the Pluggable Authentication Module on UNIX-based Computers

Applies To: Windows Server 2003 R2

Pluggable authentication modules (PAMs) allow a UNIX computer to support multiple authentication technologies. Password Synchronization uses PAMs to provide UNIX-to-Windows password synchronization. To allow passwords on Windows-based computers or domains to be changed when users change their UNIX password, the Password Synchronization PAM module (pam_sso) must be installed on each UNIX host where users can change their passwords.

Much like Password Synchronization running on a Windows-based computer, the Password Synchronization PAM on a UNIX computer intercepts the password change request, encrypts the password, and then transmits the request to the appropriate Windows-based computers running Password Synchronization. Like the Password Synchronization daemon, the Password Synchronization PAM performs event logging through the syslogd daemon running on the UNIX host.

This section contains instructions on installing the PAM on computers running any of the following four UNIX-based operating systems:

  • AIX

  • HP-UX

  • Red Hat Linux

  • Solaris

To install the pluggable authentication module (PAM) on AIX

  1. Copy pam_sso.aix from \Unix\Bins on the Windows Server 2003 R2 product CD or DVD-ROM to /usr/lib/ on the UNIX computer, and change its name to pam_sso.aix.1.

  2. On the UNIX computer, log on as root, and then enter the following commands:

    chown root /usr/lib/pam_sso.aix.1
    chmod 555 /usr/lib/pam_sso.aix.1

  3. If necessary, create the /etc/pam.conf file according to your network requirements, setting the owner to root and the base permissions to 644. For more information about creating the pam.conf file, see "Pluggable Authentication Modules" in System Management Guides: Security Guide in your AIX documentation.

    Sample pam.conf file

    # Authentication management
    OTHER   auth     required       /usr/lib/security/pam_aix

    # Account management
    OTHER   account  required       /usr/lib/security/pam_aix

    # Session management
    OTHER   session  required       /usr/lib/security/pam_aix

  4. Open /etc/pam.conf with a text editor.

  5. In the Password management section, add the following line:

    passwd password required /usr/lib/security/pam_sso.aix.1

    Sample pam.conf file with this line added

    # Authentication management
    OTHER   auth     required       /usr/lib/security/pam_aix

    # Account management
    OTHER   account  required       /usr/lib/security/pam_aix

    # Session management
    OTHER   session  required       /usr/lib/security/pam_aix

    # Password management
    passwd   password required       /usr/lib/security/pam_sso.aix.1

  6. Open /usr/lib/security/methods.cfg with a text editor and add the following lines at the end of the file:

    PAM:
        program = /usr/lib/security/PAM

    PAMfiles:
        options = auth=PAM,db=BUILTIN

  7. Open /etc/security/user with a text editor and add authentication information for the specific users whose passwords you want to synchronize. For example:

    user1:
        admin = false
        SYSTEM = PAMfiles[*] AND "compat"
        registry = PAMfiles

Note

You can choose to change the default section of /etc/security/user to allow all users to synchronize their passwords. In this case, you can restrict access to Password Synchronization with the SYNC_USERS attribute in the /etc/sso.conf file. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 5.

  8. If you are finished installing the PAM on AIX-based computers, go on to Task 4: Configure Password Synchronization.

To install the pluggable authentication module (PAM) on HP-UX

  1. Copy pam_sso.hpx from \Unix\Bins on the Windows Server 2003 R2 product CD or DVD-ROM to /usr/lib/security on the UNIX computer, change its name to pam_sso.hp.1, and then set its file-mode bits to 544.

  2. On the UNIX computer, open /etc/pam.conf with a text editor.

  3. In the Password management section, locate the following line:

    other password required /usr/lib/security/libpam_unix.1

  4. Immediately following the line located in the previous step, add the following line:

    other password required /usr/lib/security/pam_sso.hp.1

Note

To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. The following file sample shows a typical configuration. Actual contents of this file may differ, depending on your system configuration.

Sample HP-UX PAM configuration file

# PAM configuration
# Authentication management
login    auth required  /usr/lib/security/libpam_unix.1
su       auth required  /usr/lib/security/libpam_unix.1
dtlogin  auth required  /usr/lib/security/libpam_unix.1
dtaction auth required  /usr/lib/security/libpam_unix.1
ftp      auth required  /usr/lib/security/libpam_unix.1
OTHER    auth required  /usr/lib/security/libpam_unix.1
# Account management
login    account required       /usr/lib/security/libpam_unix.1
su       account required       /usr/lib/security/libpam_unix.1
dtlogin  account required       /usr/lib/security/libpam_unix.1
dtaction account required       /usr/lib/security/libpam_unix.1
ftp      account required       /usr/lib/security/libpam_unix.1
OTHER    account required       /usr/lib/security/libpam_unix.1
# Session management
login    session required       /usr/lib/security/libpam_unix.1
dtlogin  session required       /usr/lib/security/libpam_unix.1
dtaction session required       /usr/lib/security/libpam_unix.1
OTHER    session required       /usr/lib/security/libpam_unix.1
# Password management
login    password required      /usr/lib/security/libpam_unix.1
dtlogin  password required      /usr/lib/security/libpam_unix.1
dtaction password required      /usr/lib/security/libpam_unix.1
other    password required      /usr/lib/security/libpam_unix.1
other    password required      /usr/lib/security/pam_sso.hp.1

The file-mode bits for pam_sso.hp.1 must be set to 544 (owner r-x, group r--, world r--) or it will not function properly.

  5. If you are finished installing the PAM on HP-UX-based computers, go on to Task 4: Configure Password Synchronization.

To install the pluggable authentication module (PAM) on Linux

  1. Copy pam_sso.rhl from \Unix\Bins on the Windows Server 2003 R2 product CD or DVD-ROM to /lib/security on the UNIX computer, and change its name to pam_sso.so.1.

  2. On the UNIX computer, copy /etc/pam.d/system-auth to /etc/pam.d/ssod.

  3. Open /etc/pam.d/system-auth with a text editor, and locate the following line:

    password required /lib/security/pam_cracklib.so retry=3

  4. After the line in the previous step, add the following line:

    password required /lib/security/pam_sso.so.1

  5. Locate and delete the following line:

    password required /lib/security/pam_deny.so

  6. Save the modified file.

Note

These instructions apply to the typical Linux configuration. If you have configured PAM support differently, you might have to adjust these instructions to your specific configuration. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.d/system-auth that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. The following file samples show a typical configuration. Actual contents of these files may differ, depending on your system configuration.

Sample Linux PAM configuration files

/etc/pam.d/passwd

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

/etc/pam.d/ssod

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    required      /lib/security/pam_sso.so.1
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

  7. If you are finished installing the PAM on Linux-based computers, go on to Task 4: Configure Password Synchronization.

To install the pluggable authentication module (PAM) on Solaris

  1. Copy pam_sso.sol from the \Unix\Bins folder on the Windows Server 2003 R2 product CD or DVD-ROM to the /usr/lib/security directory on the UNIX computer, and change its name to pam_sso.so.1.

  2. On the UNIX computer, open /etc/pam.conf with a text editor.

  3. In the Password management section, locate the following line:

    other password required /usr/lib/security/$ISA/pam_unix.so.1

  4. Immediately following the line located in the previous step, add the following line:

    other password required /usr/lib/security/$ISA/pam_sso.so.1

Note

To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. The following file sample shows a typical configuration. Actual contents of this file may differ, depending on your system configuration.

Sample Solaris PAM configuration file

#ident  "@(#)pam.conf   1.14    99/09/16 SMI"
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
# PAM configuration
# Authentication management
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
login   auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required   /usr/lib/security/$ISA/pam_unix.so.1
rsh     auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
# Account management
login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
login   account required        /usr/lib/security/$ISA/pam_unix.so.1
dtlogin account requisite       /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required        /usr/lib/security/$ISA/pam_unix.so.1
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
# Session management
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
# Password management
other   password required       /usr/lib/security/$ISA/pam_unix.so.1
other   password required       /usr/lib/security/$ISA/pam_sso.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1

# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin        auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin        account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

  5. If you are finished installing the PAM on Solaris-based computers, go on to Task 4: Configure Password Synchronization.
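The following post-installation check covers all four procedures above (AIX, HP-UX, Linux and Solaris). It is an added example, not part of the original page and not code shipped with Password Synchronization. It confirms the module file's owner and mode bits (555 on AIX, 544 on HP-UX) and that the pam_sso entry sits where each procedure places it in the password stack: immediately after the pam_unix entry for the "other" service on HP-UX and Solaris; immediately after pam_cracklib, ahead of pam_unix and with pam_deny removed on Linux; and present for the passwd service on AIX. The files written under SAMPLE_DIR and their contents are constructed samples modelled on the configuration files shown above; POSIX sh, awk and ls are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original page: post-install checks for pam_sso.
# Assumes POSIX sh, awk and ls. The sample files written below are constructed.

# perm_string FILE: the nine permission characters from ls -l, e.g. r-xr--r--
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# check_perms FILE EXPECTED: 0 when the permission string matches
# (544 is r-xr--r-- for HP-UX, 555 is r-xr-xr-x for AIX), 1 otherwise
check_perms() {
    [ "$(perm_string "$1")" = "$2" ]
}

# check_owner FILE USER: 0 when FILE is owned by USER (the procedures want root)
check_owner() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# password_stack FILE [SERVICE]: print the password-management entries in
# stack order. With SERVICE, FILE is a pam.conf (service name in column 1, as
# on AIX, HP-UX and Solaris); without it, FILE is a Linux /etc/pam.d file.
password_stack() {
    awk -v svc="${2:-}" '
        $1 ~ /^#/ || NF == 0 { next }
        svc == "" && $1 == "password" { print; next }
        svc != "" && tolower($1) == tolower(svc) && $2 == "password" { print }
    ' "$1"
}

# stack_position FILE MODULE [SERVICE]: 1-based position of the first password
# entry whose text contains MODULE (pam_unix also matches libpam_unix.1);
# prints 0 when the module is absent from the stack
stack_position() {
    password_stack "$1" "${3:-}" | awk -v mod="$2" '
        index($0, mod) && !found { found = NR }
        END { print found + 0 }
    '
}

# verify_hpux_solaris FILE: pam_sso must immediately follow the pam_unix entry
# for service "other" (HP-UX and Solaris steps 3 and 4)
verify_hpux_solaris() {
    unix=$(stack_position "$1" pam_unix other)
    sso=$(stack_position "$1" pam_sso other)
    [ "$unix" -gt 0 ] && [ "$sso" -eq $((unix + 1)) ]
}

# verify_linux FILE: pam_sso must immediately follow pam_cracklib and precede
# pam_unix, and pam_deny must be gone from the stack (Linux steps 3 to 5)
verify_linux() {
    crack=$(stack_position "$1" pam_cracklib)
    sso=$(stack_position "$1" pam_sso)
    unix=$(stack_position "$1" pam_unix)
    deny=$(stack_position "$1" pam_deny)
    [ "$crack" -gt 0 ] && [ "$sso" -eq $((crack + 1)) ] &&
        [ "$unix" -gt "$sso" ] && [ "$deny" -eq 0 ]
}

# verify_aix FILE: the passwd service carries a pam_sso password entry (AIX step 5)
verify_aix() {
    [ "$(stack_position "$1" pam_sso passwd)" -gt 0 ]
}

# --- constructed samples, modelled on the files shown in the procedures -----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/pam.conf" <<'EOF'
# Password management
other   password required       /usr/lib/security/$ISA/pam_unix.so.1
other   password required       /usr/lib/security/$ISA/pam_sso.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
EOF

cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
# pam_sso placed ahead of pam_unix: the check must reject this ordering
other   password required       /usr/lib/security/$ISA/pam_sso.so.1
other   password required       /usr/lib/security/$ISA/pam_unix.so.1
EOF

cat > "$SAMPLE_DIR/system-auth" <<'EOF'
#%PAM-1.0
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    required      /lib/security/pam_sso.so.1
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow
EOF

cat > "$SAMPLE_DIR/aix-pam.conf" <<'EOF'
# Password management
passwd   password required       /usr/lib/security/pam_sso.aix.1
EOF

# an empty stand-in for the HP-UX module, given the 544 mode the procedure requires
: > "$SAMPLE_DIR/pam_sso.hp.1"
chmod 544 "$SAMPLE_DIR/pam_sso.hp.1"

for check in "verify_hpux_solaris $SAMPLE_DIR/pam.conf" \
             "verify_linux $SAMPLE_DIR/system-auth" \
             "verify_aix $SAMPLE_DIR/aix-pam.conf" \
             "check_perms $SAMPLE_DIR/pam_sso.hp.1 r-xr--r--"; do
    if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```

On a real host, point the functions at the live files instead of the samples, for example verify_hpux_solaris /etc/pam.conf on Solaris, verify_linux /etc/pam.d/system-auth on Red Hat Linux, and check_perms /usr/lib/security/pam_sso.hp.1 r-xr--r-- together with check_owner on HP-UX. The position checks parse only the password-management entries of the named service, so auth, account and session lines (such as the dtsession auth line in the Solaris sample) do not disturb them.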

See Also

Other Resources

Using sso.conf to configure Password Synchronization on the UNIX computer