Task 2: Install the Password Synchronization Daemon on UNIX-based Computers

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To allow synchronization of Windows passwords with UNIX hosts, you must install the Password Synchronization daemon on each UNIX host on which passwords are to be synchronized.

In this topic

What is the Password Synchronization Daemon?

What Operating Systems are Supported by the Password Synchronization Daemon?

To install the Password Synchronization daemon

Continue with Password Synchronization Setup

What is the Password Synchronization Daemon?

When Password Synchronization receives a request for a password change, it encrypts the password and sends it to all UNIX hosts that are to be synchronized with the Windows-based computer or domain. To process the password change request, the UNIX host must be running the Password Synchronization daemon, also known as the single sign-on daemon (SSOD). This daemon receives the request and changes the password on the UNIX host.

In addition, if the UNIX host is a master Network Information Service (NIS) server, the Password Synchronization daemon runs make to rebuild the NIS passwd map so it can be replicated to subordinate (slave) servers in the NIS domain. The Password Synchronization daemon performs event logging through the syslogd daemon running on the UNIX host.

What Operating Systems are Supported by the Password Synchronization Daemon?

Password Synchronization supports synchronization with UNIX computers running any of the following operating systems:

  • Hewlett-Packard HP-UX version 11i

  • IBM AIX version 5L 5.2

    Important

    Only Windows to UNIX password synchronization is supported on AIX. UNIX to Windows password synchronization is not supported.

  • Red Hat Linux versions 8 and 9

  • Sun Solaris version 8 running on x86-based computers and Scalable Processor Architecture (SPARC)–based computers, and Solaris version 9 running on SPARC–based computers

To install the Password Synchronization daemon

Note

Because the Password Synchronization daemon is installed on UNIX-based computers, there is no Windows user interface procedure for completing this task.

  1. Copy the appropriate source binary file from \Unix\Bins on Windows Server 2003 R2 CD or DVD-ROM to /usr/bin or /usr/local/bin on the UNIX computer, and change its name to ssod. The name of the source binary file depends on the version of UNIX you are using.

    • If the computer is running Hewlett-Packard HP-UX, the source binary file name is ssod.hpx.

    • If the computer is running Red Hat Linux, the source binary file name is ssod.rhl.

    • If the computer is running Sun Microsystems Solaris, the source binary file name is ssod.sol.

    • If the computer is running IBM AIX, the source binary file name is ssod.aix.

  2. Using a binary file-copy method such as File Transfer Protocol (FTP) to avoid corrupting CR/LF (carriage-return/line-feed) pairs, copy Sso.cfg from \Unix\Bins on the UNIX Identity Management CD to /etc on the UNIX computer, and change its name to sso.conf.

  3. Open sso.conf with a text editor.

  4. If you have changed the default encryption key, edit the following line to specify the new default key. This value must match the default key specified on all domain controllers with which this computer will synchronize passwords:

    **ENCRYPT_KEY=**encryptionKey

  5. If you have changed the default port, edit the following line to specify the new port. This value must match the port number specified on all domain controllers with which this computer will synchronize passwords.

    **PORT_NUMBER=**portNumber

  6. Edit the following line to specify one domain controller in each Windows domain with which the computer is to synchronize passwords. If you have specified a nondefault port number or encryption key for the UNIX-based computer when configuring Password Synchronization on the Windows domain controllers, specify that value where indicated; otherwise, leave the value blank:

    SYNC_HOSTS=(domainController[, portNumber [, encryptionKey]]) ...

    Each entry in the list must be enclosed by parentheses (the "(" and ")" characters) and separated from the next entry by a blank space.

  7. If the computer is a Network Information Service (NIS) master server, and if you want passwords to be synchronized throughout the NIS domain, edit the following line as shown to enable NIS synchronization:

    USE_NIS=1

    Also, if required, edit the following line to specify the location of the NIS makefile:

    **NIS_UPDATE_PATH=**makefilePath

  8. Set the file permissions of sso.conf to read/write for the root user only, and deny access to all other users.

  9. If the computer is running Linux, copy /etc/pam.d/system-auth to /etc/pam.d/ssod.

Important

The sso.conf file contains encryption keys and other sensitive information. For this reason, it must be accessible only by system administrators.

Note

This daemon program must be installed on the computer running UNIX to enable Password Synchronization to change users' passwords on that computer.

Continue with Password Synchronization Setup

To continue setting up Password Synchronization, go on to Task 3: Install the Pluggable Authentication Module on UNIX-based Computers.