Updated: August 22, 2005
Applies To: Windows Server 2003 R2
Read about Password Synchronization.
Password Synchronization Concepts
Log on as a member of both the Schema Administrators and Enterprise Administrators groups.
Install Password Synchronization on the appropriate Windows-based computers. If the passwords of local accounts on a server are to be synchronized, install Password Synchronization on the server. If Windows domain passwords are to be synchronized, install Password Synchronization on all domain controllers.
Install Password Synchronization
Change the encryption key.
Set the default encryption key
Change other settings, as needed. Be sure to select the Synchronize password changes from computers that run UNIX to computers that run Windows check box.
Configure Password Synchronization
Add the Network Information Service (NIS) master server to the list of computers with which the Windows-based computer will synchronize passwords. Select the NIS master server in the list, click Configure, select both the Synchronize password changes to and Synchronize password changes from check boxes, and then click OK.
Add and remove computers for synchronization
Add UNIX computers with which passwords will be synchronized. For each computer, select the computer in the list, click Configure, clear the Synchronize password changes to check box, select the Synchronize password changes from check box, and then click OK. If you want to use nondefault values, specify values for the port number, encryption key, or both.
Specify which users will and will not be allowed to synchronize passwords.
Controlling password synchronization for user accounts
Ensure that the Password Synchronization configurations on all domain controllers in the domain are identical.
Install and configure the Password Synchronization single sign-on daemon (SSOD) on the NIS master server. Be sure to change the default encryption key in the sso.conf file to match the Password Synchronization encryption key set in previous steps before copying it to the server, and edit it to specify the following:
Install and configure the Password Synchronization pluggable authentication module (PAM) on all UNIX computers from which password changes are to be synchronized with Windows passwords. Typically, this would be any computer on which users would run yppasswd and any standalone computers (computers that do not belong to the domain).
Configure UNIX Computers for UNIX-to-Windows Synchronization
Copy the sso.conf file from the NIS master server to the /etc directory of each computer on which the Password Synchronization PAM module is installed.
On each NIS client on which you installed the Password Synchronization PAM module, replace the yppasswd binary file with a link to the passwd binary file, and then edit the /etc/nsswitch.conf file to change the passwd and shadow lines, as shown:
passwd: files [NOTFOUND=continue] nis shadow: files [NOTFOUND=continue] nis
Start the Password Synchronization daemon on the NIS master server.
Start the Password Synchronization daemon