Password Synchronization between Windows and UNIX Part II

In the last discussion we covered setting up password synchronization from Windows to a UNIX box. Here we add the functionality for the reverse direction, sending a password changed on the UNIX box back to Windows. Together with the earlier setup this is called two-way password synchronization.

To configure UNIX to Windows password sync we first perform all the steps required for Windows to UNIX password sync (discussed in the earlier post): configuring the sso.conf file, copying the appropriate binary to the UNIX box, and adding the UNIX box name in the Password Synchronization management snap-in.

The remaining step is to copy the appropriate pam_sso.* file from the unix\bins folder to the platform's PAM module directory and rename it. Once this is done, set the mode of the copied file to 544 (read and execute for the owner, read-only for everyone else). Finally, an entry in /etc/pam.conf (or in the related /etc/pam.d files on Linux) is required to complete the configuration. The pam_sso module goes on the password stack, and PAM runs the modules of a stack in the order they are listed, so insert it at exactly the position given for the platform below.

For SFU 3.5

On HP-UX: Copy pam_sso.hpx from the unix\bins folder to /usr/lib/security on the UNIX computer, rename it to pam_sso.hp.1, and set its file-mode bits to 544. In /etc/pam.conf, immediately after the Password management comment line and before any other password lines, add: other password required /usr/lib/security/pam_sso.hp.1

On Solaris: Copy pam_sso.sol from the unix\bins folder to /usr/lib/security on the UNIX computer, rename it to pam_sso.so.1, and set its file-mode bits to 544. In /etc/pam.conf, immediately after the Password management comment line and before any other password lines, add: other password required /usr/lib/security/pam_sso.so.1

On Linux: Copy pam_sso.rhl from the unix\bins folder to /lib/security on the UNIX computer, rename it to pam_sso.so.1, and set its file-mode bits to 544. On the UNIX computer, copy /etc/pam.d/system-auth to /etc/pam.d/ssod. Open /etc/pam.d/system-auth with a text editor and locate this line: password required /lib/security/pam_cracklib.so retry=3. After this line, add: password required /lib/security/pam_sso.so.1. Then locate and delete the line: password required /lib/security/pam_deny.so. Save the modified file.

In case of Windows 2003 R2:

On HP-UX: Copy pam_sso.hpx from the unix\bins folder to /usr/lib/security on the UNIX computer, rename it to pam_sso.hp.1, and set its file-mode bits to 544. On the UNIX computer, open /etc/pam.conf with a text editor. In the Password management section, locate this line: other password required /usr/lib/security/libpam_unix.1. Immediately after it, add: other password required /usr/lib/security/pam_sso.hp.1

On Linux: Copy pam_sso.rhl from the unix\bins folder to /lib/security on the UNIX computer, rename it to pam_sso.so.1, and set its file-mode bits to 544. On the UNIX computer, copy /etc/pam.d/system-auth to /etc/pam.d/ssod. Open /etc/pam.d/system-auth with a text editor and locate this line: password required /lib/security/pam_cracklib.so retry=3. After this line, add: password required /lib/security/pam_sso.so.1. Then locate and delete the line: password required /lib/security/pam_deny.so. Save the modified file.

On Solaris: Copy pam_sso.sol from the unix\bins folder to /usr/lib/security on the UNIX computer, rename it to pam_sso.so.1, and set its file-mode bits to 544. On the UNIX computer, open /etc/pam.conf with a text editor. In the Password management section, locate this line: other password required /usr/lib/security/$ISA/pam_unix.so.1. Immediately after it, add: other password required /usr/lib/security/$ISA/pam_sso.so.1

On IBM AIX: Copy pam_sso.aix from the unix\bins folder to /usr/lib/security on the UNIX computer (the directory the pam.conf entry below refers to), rename it to pam_sso.aix.1, and set its file-mode bits to 544. In the Password management section of /etc/pam.conf, add: passwd password required /usr/lib/security/pam_sso.aix.1

Also, open /usr/lib/security/methods.cfg with a text editor and add these two stanzas at the end of the file:

PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN

Open /etc/security/user with a text editor and add a stanza with the authentication information for each user whose password you want to synchronize. For example:

user1:
        admin = false
        SYSTEM = PAMfiles[*] AND "compat"
        registry = PAMfiles

Once the module is in place and the PAM entry is added, any password change made on the UNIX box through PAM (for example with passwd) is forwarded to the Windows box. Changes that bypass PAM, such as editing /etc/shadow directly, are never seen by pam_sso and are not synchronized.