Share via


Synchronizing Passwords with an NIS Domain

Applies To: Windows Server 2008

Synchronizing passwords with an NIS domain

By using Password Synchronization, you can provide one-way (Windows-to-UNIX) and two-way password synchronization between Windows domains and Network Information Service (NIS) domains. You can do this regardless of whether the master server of the NIS domain is running a UNIX-based operating system or is a Windows-based computer running Server for NIS.

If the NIS master server is running a UNIX-based operating system, all that is required to provide one-way synchronization is to install Password Synchronization on all Windows-based computers (for example, on the domain controllers) from which you want to synchronize passwords, and then install the single sign-on daemon (SSOD) on the NIS master server. You then edit the sso.conf file on the NIS master server to do the following:

  • Set USE_NIS to 1.

  • Set NIS_UPDATE_PATH to specify the location of the NIS makefile.

This instructs the SSOD to run the makefile and push the changed maps whenever a password change request is received from the Windows domain. For more information and additional instructions, see Install the Password Synchronization daemon on UNIX-based computers.

If Server for NIS is the master server for the NIS domain, you can provide one-way password synchronization from Windows to UNIX by selecting Enable in the Windows to NIS (Active Directory) password synchronization area of the Configuration tab in the Password Synchronization Properties dialog box. Because enabling Windows to NIS (Active Directory) password synchronization can expose passwords to greater risk of unauthorized use, selecting Enable prompts you to run a compatibility check of all domain controllers in the forest, to verify that they have the minimum security features to help protect user passwords.

If you need to synchronize passwords with UNIX computers that are not part of the NIS domain, install Password Synchronization on Windows-based Active Directory Domain Services domain controllers and configure the UNIX computers as described earlier in this topic.

You can provide UNIX-to-Windows synchronization for both types of NIS domains by doing the following.

  • If the NIS master server is running a UNIX-based operating system, configure the server for one-way synchronization as described earlier in this topic.

  • Install Password Synchronization on all domain controllers. If the NIS master server is running a UNIX-based operating system, configure Password Synchronization on Windows-based servers for two-way synchronization with the master server. Finally, add each NIS client to the list of computers with which Password Synchronization works, taking care to enable UNIX-to-Windows synchronization and disable Windows-to-UNIX synchronization. Windows-to-UNIX synchronization should be enabled only for the NIS master server. For more information about adding and configuring computers, see Adding or removing computers for synchronization and Setting computer-specific synchronization properties.

  • Install the Password Synchronization pluggable authentication module (PAM) on each NIS client, and then copy the sso.conf file from the master server to the /etc directory of those clients. For more information, see Install the Password Synchronization pluggable authentication module.

  • If the NIS master server is a Windows-based computer running Server for NIS, copy Sso.cfg to one of the NIS clients, set SYNC_HOSTS to specify the computer running Server for NIS as the Windows-based computer with which to synchronize passwords, and then copy the file to the other UNIX clients. See Use sso.conf to configure Password Synchronization on UNIX-based computers to learn more about settings in this file.

  • Configure each UNIX computer to allow users to use the yppasswd command to change their passwords. To do this, replace the yppasswd binary file on the UNIX computer with a link to the passwd binary file, and then edit the /etc/nsswitch.conf file to replace the passwd and shadow lines with the following:

    passwd:  files [NOTFOUND=continue] nis
    shadow:  files [NOTFOUND=continue] nis
    

    After you do this, when a user runs the yppasswd command to change the user's password, it is actually the passwd binary file that is run to change the password. If the user's passwd entry is not found in the local passwd and shadow files, the NIS password is changed instead.