Checklist: Deploying Password Synchronization

Applies To: Windows Server 2008 R2, Windows Server 2012

Password Synchronization helps integrate Windows and UNIX networks by simplifying the process of maintaining secure passwords in both environments. A Password Synchronization service on your Windows domain controllers detects user password changes and sends them to a daemon (the single sign-on daemon, SSOD) that you install on your network's UNIX-based computers, which then updates the password on every UNIX host on which the user has an account. You can also configure Password Synchronization in the other direction, so that a pluggable authentication module (PAM) on the UNIX hosts changes the user's Windows password when the user's UNIX password is changed. Both directions rely on a shared encryption key that you set on the Windows side and in the sso.conf file on each UNIX host; treat that key as a secret and restrict who can read the file.

Notes

You can install Password Synchronization in any of the following three scenarios.

  • You want to synchronize passwords in an NIS domain for which the master server is a Windows-based computer running Server for NIS. See Setting up Password Synchronization for use with an NIS domain (Server for NIS master server) in this topic.

  • You want to synchronize passwords in an NIS domain for which the master server is a UNIX-based NIS server. See Setting up Password Synchronization for use with an NIS domain (UNIX-based master server) in this topic.

  • You want to synchronize passwords for users of standalone UNIX-based hosts who connect to Windows computers. See Setting up Password Synchronization for use with standalone UNIX-based hosts in this topic.

Password Synchronization can be installed only on an Active Directory Domain Services domain controller.

Setting up Password Synchronization for use with an NIS domain (Server for NIS master server)

1. Read about Password Synchronization.
   Reference: Overview of Password Synchronization

2. Log on as a member of both the Schema Admins and Enterprise Admins groups.

3. Install Password Synchronization on all domain controllers.
   Reference: Install Identity Management for UNIX Components

4. Set the password encryption key. The same key must later be placed in the sso.conf file on every UNIX host, so record it securely.
   Reference: Setting the password encryption key

5. Change other settings, as needed. Be sure to select the UNIX to Windows check box in the Direction of password synchronization area on the General tab of the Password Synchronization Properties dialog box. Enabling this direction lets the UNIX hosts you add in the next step change Windows account passwords, so add only hosts you control.
   Reference: Setting default synchronization; Setting computer-specific synchronization properties

6. Add the UNIX-based computers with which passwords will be synchronized if they are not members of the Network Information Service (NIS) domain. For each computer, select the computer in the list, click Properties, clear the Synchronize password changes to this computer check box, select the Synchronize password changes from this computer check box, and then click OK. If you want to use non-default values, you can also specify values for the port number, encryption key, or both; a computer-specific key must then match the key in that computer's sso.conf file.
   Reference: Adding or removing computers for synchronization

Setting up Password Synchronization for use with an NIS domain (UNIX-based master server)

1. Read about Password Synchronization.
   Reference: Overview of Password Synchronization

2. Log on as a member of both the Schema Admins and Enterprise Admins groups.

3. Install Password Synchronization on the appropriate Windows-based computers. If the passwords of local accounts on a server are to be synchronized, install Password Synchronization on that server (see the note above: on the Windows versions this topic covers, installation is possible only on an Active Directory Domain Services domain controller). If Windows domain passwords are to be synchronized, install Password Synchronization on all domain controllers.
   Reference: Install Identity Management for UNIX Components

4. Set the password encryption key. The same key must later be placed in the sso.conf file on the NIS master server and on every host that runs the PAM module, so record it securely.
   Reference: Setting the password encryption key

5. Change other settings, as needed. Be sure to select the UNIX to Windows check box in the Direction of password synchronization area on the General tab of the Password Synchronization Properties dialog box. Both directions are needed in this scenario: Windows to UNIX so that Windows password changes reach the NIS master server (step 6), and UNIX to Windows so that changes made on the UNIX hosts reach the domain.
   Reference: Setting default synchronization; Setting computer-specific synchronization properties

6. Add the Network Information Service (NIS) master server to the list of computers with which the Windows-based computer will synchronize passwords. Leave the Synchronize password changes to this computer check box selected: the SSOD on the master (configured in the UNIX-side steps below) receives Windows password changes and updates the NIS maps.
   Reference: Adding or removing computers for synchronization

7. Add UNIX-based computers with which passwords will be synchronized if they are not members of the NIS domain. For each computer, on the General tab of the Add Computer dialog box, clear the Synchronize password changes to this computer check box, select the Synchronize password changes from this computer check box, and then click OK. If you want to use non-default values, you can also specify values for the port number, encryption key, or both.
   Reference: Adding or removing computers for synchronization

8. Specify which users have permissions to synchronize passwords. Limit this to the accounts that actually need UNIX access; administrative accounts in particular should not be included when UNIX to Windows synchronization is enabled.
   Reference: Controlling password synchronization for user accounts

9. Ensure that the Password Synchronization configurations on all domain controllers in the domain are identical, since a user's password change can be processed by any domain controller.

Configuring UNIX-based computers to work with Password Synchronization

1. Install and configure the Password Synchronization single sign-on daemon (SSOD) on the NIS master server. Before copying sso.conf to the server, change the default encryption key in the file to match the Password Synchronization encryption key set in the preceding steps, and edit sso.conf to specify the following:

   • USE_NIS=1

   • NIS_UPDATE_PATH=Makefile_path, where Makefile_path is the path and name of the NIS makefile, such as /var/yp/Makefile, so that the NIS maps are rebuilt after the daemon updates a password

   Reference: Install the Password Synchronization daemon on UNIX-based computers

2. Copy the sso.conf file from the NIS master server to the /etc directory of each computer on which the Password Synchronization PAM module is installed. The file contains the shared encryption key in cleartext, so make it readable by root only on every host.

3. On each NIS client on which you installed the Password Synchronization pluggable authentication module (PAM), replace the yppasswd binary file with a link to the passwd binary file, so that password changes go through the PAM stack and therefore through the Password Synchronization module, and then edit the /etc/nsswitch.conf file to change the passwd and shadow lines of the file, as shown:

   passwd:  files [NOTFOUND=continue] nis
   shadow:  files [NOTFOUND=continue] nis

   Reference: Install Identity Management for UNIX Components

4. Start the Password Synchronization daemon on the NIS master server.
   Reference: Start or stop Identity Management for UNIX components

Setting up Password Synchronization for use with standalone UNIX-based hosts

1. Read about Password Synchronization.
   Reference: Overview of Password Synchronization

2. Log on as a member of both the Schema Admins and Enterprise Admins groups.

3. Install Password Synchronization on all Windows-based domain controllers. If the passwords of local accounts on a server are to be synchronized, install Password Synchronization on that server (see the note above: on the Windows versions this topic covers, installation is possible only on an Active Directory Domain Services domain controller). If Windows domain passwords are to be synchronized, install Password Synchronization on all domain controllers.
   Reference: Install Identity Management for UNIX Components

4. Set the password encryption key. The same key must later be placed in the sso.conf file on every UNIX host, so record it securely.
   Reference: Setting the password encryption key

5. Change other settings, as needed. In the Direction of password synchronization area, enable the direction or directions you intend to use: Windows to UNIX for hosts that will run the SSOD, UNIX to Windows for hosts that will run the PAM module.
   Reference: Setting default synchronization; Setting computer-specific synchronization properties

6. Add each standalone UNIX-based host with which passwords will be synchronized. For each computer, on the General tab of the Add Computer dialog box, select the Synchronize password changes to this computer check box if the host will run the SSOD (so that it receives Windows password changes), select the Synchronize password changes from this computer check box if the host will run the PAM module (so that its UNIX password changes are accepted), and then click OK. If you want to use non-default values, you can also specify values for the port number, encryption key, or both.
   Reference: Adding or removing computers for synchronization

7. Ensure that the Password Synchronization configurations on all domain controllers in the domain are identical, since a user's password change can be processed by any domain controller.

Configuring UNIX-based standalone hosts to work with Password Synchronization

1. Install and configure the Password Synchronization single sign-on daemon (SSOD) on all UNIX-based computers with which passwords will be synchronized. Be sure to change the default encryption key in the sso.conf file to match the Password Synchronization encryption key set in previous steps before copying it to the UNIX-based computers, and make the file readable by root only, since it holds the key in cleartext. Do not set USE_NIS=1 on a standalone host; that setting is only for an NIS master server.
   Reference: Install the Password Synchronization daemon on UNIX-based computers

2. Specify which users have permissions to synchronize passwords.
   Reference: Controlling password synchronization for user accounts

3. Start the Password Synchronization daemon.
   Reference: Start or stop Identity Management for UNIX components

4. Install and configure the Password Synchronization PAM on all UNIX-based computers from which password changes are to be synchronized with Windows passwords.
   Reference: Install the Password Synchronization pluggable authentication module
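The UNIX-side steps above, both for a UNIX-based NIS master server with its clients and for standalone hosts, come down to editing sso.conf and nsswitch.conf and replacing yppasswd with a link. The script below is an added example written for this checklist, not code shipped with Identity Management for UNIX. It assumes, since the page does not say, that sso.conf holds one KEY=VALUE setting per line with the key stored as ENCRYPT_KEY and the port as PORT_NUMBER, that the default port is 6677, and that the shipped default key is the placeholder value in DEFAULT_KEY. The sample key and the sample sso.conf and nsswitch.conf contents are constructed. Every function takes file paths, so it can be tried on copies in a scratch directory and then run as root against /etc/sso.conf, /etc/nsswitch.conf and the real passwd and yppasswd binaries.

```shell
#!/bin/sh
# Added example for this checklist (not code shipped with Identity Management
# for UNIX): prepare sso.conf, nsswitch.conf and the yppasswd link on a UNIX
# host. All functions take file paths, so they can be tried on copies in a
# scratch directory and then run as root against the real files.
# Assumptions not stated on the page: sso.conf holds one KEY=VALUE per line,
# the key is ENCRYPT_KEY, the port is PORT_NUMBER, the default port is 6677,
# and DEFAULT_KEY is the placeholder key the page tells you to replace.

DEFAULT_KEY='ABCDZ#efgh$12345'   # assumed shipped default; never keep it

# set_sso_option FILE KEY VALUE: replace every KEY= line, or append one.
# (awk plus a temp file, because "sed -i" is not POSIX. Backslashes in VALUE
# would be interpreted by awk -v, so keep them out of the key.)
set_sso_option() {
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_sso_option FILE KEY: print the value of KEY (empty if unset).
get_sso_option() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# configure_sso FILE KEY [MAKEFILE]: set the shared key (it must equal the key
# set in Password Synchronization on the domain controllers). With a NIS
# Makefile path, enable NIS map updates as required on a UNIX-based NIS master;
# without one (standalone host), leave them off.
configure_sso() {
    set_sso_option "$1" ENCRYPT_KEY "$2"
    set_sso_option "$1" PORT_NUMBER 6677
    if [ -n "${3:-}" ]; then
        set_sso_option "$1" USE_NIS 1
        set_sso_option "$1" NIS_UPDATE_PATH "$3"
    else
        set_sso_option "$1" USE_NIS 0
    fi
    chmod 600 "$1"   # the key is stored in cleartext: root-only access
}

# check_sso FILE: succeed only if the default key was replaced, the file is
# mode 0600, and NIS updates (if enabled) name a Makefile.
check_sso() {
    k=$(get_sso_option "$1" ENCRYPT_KEY)
    [ -n "$k" ] && [ "$k" != "$DEFAULT_KEY" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    if [ "$(get_sso_option "$1" USE_NIS)" = 1 ]; then
        [ -n "$(get_sso_option "$1" NIS_UPDATE_PATH)" ] || return 1
    fi
}

# set_nsswitch FILE: rewrite (or add) the passwd and shadow lines exactly as
# the checklist shows, so local files are consulted first and lookups then
# fall through to NIS.
set_nsswitch() {
    awk '
        $1 == "passwd:" { print "passwd:  files [NOTFOUND=continue] nis"; p = 1; next }
        $1 == "shadow:" { print "shadow:  files [NOTFOUND=continue] nis"; s = 1; next }
        { print }
        END {
            if (!p) print "passwd:  files [NOTFOUND=continue] nis"
            if (!s) print "shadow:  files [NOTFOUND=continue] nis"
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_nsswitch FILE: succeed only if both lines are present and well formed.
check_nsswitch() {
    for db in passwd shadow; do
        grep -q "^$db:[[:space:]]*files[[:space:]]*\[NOTFOUND=continue][[:space:]]*nis[[:space:]]*$" "$1" || return 1
    done
}

# link_yppasswd PASSWD YPPASSWD: replace the yppasswd binary with a link to
# passwd so that an NIS client's password change goes through the PAM stack,
# and therefore through the Password Synchronization module. The original
# binary is kept as YPPASSWD.orig.
link_yppasswd() {
    [ -x "$1" ] || return 1
    if [ -e "$2" ] && [ ! -L "$2" ]; then mv "$2" "$2.orig"; fi
    ln -sf "$1" "$2"
}

# Demonstration on constructed copies (real targets: /etc/sso.conf,
# /etc/nsswitch.conf, /usr/bin/passwd and /usr/bin/yppasswd, run as root).
demo() {
    t=$(mktemp -d) || return 1
    printf 'ENCRYPT_KEY=%s\nPORT_NUMBER=6677\nUSE_NIS=0\n' "$DEFAULT_KEY" > "$t/sso.conf"
    printf 'passwd:  compat\nshadow:  compat\ngroup:   files\n' > "$t/nsswitch.conf"
    check_sso "$t/sso.conf" && echo "unexpected: default key accepted"
    configure_sso "$t/sso.conf" 'Xk9#pLq2$vR7mT4w' /var/yp/Makefile   # constructed key
    set_nsswitch "$t/nsswitch.conf"
    if check_sso "$t/sso.conf" && check_nsswitch "$t/nsswitch.conf"; then
        echo "NIS-master sso.conf and nsswitch.conf ready:"; cat "$t/sso.conf"
    fi
    rm -rf "$t"
}
demo
```

On the NIS master server pass the Makefile path as the third argument to configure_sso; on standalone hosts omit it. check_sso rejects a file that still carries the default key or that is readable by anyone other than root, which are the two mistakes that most often leave the synchronization channel exposed, so run it on every host after copying sso.conf around. link_yppasswd and set_nsswitch are only for the NIS clients that run the PAM module.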

Additional references

For more information about Password Synchronization, see: