Using two way Password Sync - Windows and UNIX


This post continues the earlier blog (http://blogs.technet.com/b/dsix/archive/2009/04/06/password-synchronization-between-windows-and-unix-part-ii.aspx), where we discussed syncing password changes from UNIX to Windows.

Based on our testing and research, we found some additional steps that need to be done to propagate password changes from UNIX to Windows. However, this is not a highly recommended scenario, and it may not be as smooth as syncing password changes from Windows to UNIX. Password changes made from UNIX are synced properly to Windows, despite some error messages appearing in the event logs.

The steps below are environment specific; we have tried to keep them generic, so they should mostly apply to other similar environments as well.

Environment:

===========

  • Windows 2008 R2 as NIS server
  • Solaris 10 as NIS client
  • Two way password sync


One-way password sync (Windows to UNIX) in a NIS environment is discussed in that earlier blog.

Steps to sync password from UNIX ==> Windows on a NIS environment

Configuration required on Windows side:

  • Install the IDMU components
  • Password sync settings:


  • Change the default encryption key


  • Check the enable option under the configuration tab
  • Also add the IP address of the UNIX NIS client under UNIX computers.

Installation of the Password Synchronization daemon on Solaris:

  • To configure Solaris as a NIS client, please refer to the "Configuring the Solaris NIS Client" section below.


  • Please find the attached zip file. It contains the binaries for Solaris 8 and 9. Copy the relevant component to /usr/bin or /usr/local/bin on the Solaris computer, and change its name to ssod.


  • Copy Sso.cfg from \Unix\Bins to /etc on the UNIX computer, and change the file name to sso.conf.


  • Open sso.conf by using a text editor.


  • If you have changed the default encryption key, edit the following line to specify the new default key. This value must match the default key specified on all domain controllers with which this computer will synchronize passwords:

    ENCRYPT_KEY=encryptionKey    (the key configured on the Windows DC)
    PORT_NUMBER=portNumber       (the port configured on the Windows DC)

  • Edit the following line to specify one domain controller in each Windows domain with which the computer must synchronize passwords. If you have specified a nondefault port number or encryption key for the UNIX-based computer when configuring Password Synchronization on the Windows domain controllers, specify that value where indicated; otherwise, leave the value blank:

SYNC_HOSTS=(domainController[,portNumber [, encryptionKey]]) ...

Note: Each entry in the list must be enclosed in parentheses and separated from the next entry by a blank space.

  • Set the file permissions of sso.conf to read and write for the root user only, and deny access to all other users.
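As an added example (not part of the original post), a small POSIX sh script that checks a sso.conf against the rules above: every SYNC_HOSTS entry is parenthesised and blank-separated, a blank port is accepted, and the file grants no group or other permissions. The host names, port and key in demo() are constructed; the owner check (root) is left out so the demo runs unprivileged.

```shell
# Added example, not from the original post: sanity-check a sso.conf before
# starting ssod. Host, port and key values used in demo() are constructed.
# Print "host port key" per SYNC_HOSTS entry ("-" where a field is blank).
# Entries must be "(domainController[,portNumber[,encryptionKey]])" and be
# blank-separated. Subshell body keeps 'set -f' (no glob expansion of '*'
# in keys) local; 'exit 1' therefore only ends this function with status 1.
parse_sync_hosts() (
    set -f
    for entry in $1; do
        case $entry in
            \(*\)) ;;
            *) echo "bad entry (needs parentheses): $entry" >&2; exit 1 ;;
        esac
        inner=${entry#\(}; inner=${inner%\)}
        host=${inner%%,*}
        rest=${inner#"$host"}; rest=${rest#,}
        port=${rest%%,*}
        key=${rest#"$port"}; key=${key#,}
        [ -n "$host" ] || { echo "bad entry (empty host): $entry" >&2; exit 1; }
        echo "$host ${port:--} ${key:--}"
    done
)

# Return 0 only if the file grants no group/other bits, so the shared
# encryption key is readable by its owner (root on a real system) alone.
check_sso_conf_mode() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    mode=$(ls -l "$1" | cut -c5-10)   # group+other columns of 'ls -l'
    [ "$mode" = "------" ] && return 0
    echo "$1 is accessible to group/other ($mode)" >&2; return 1
}

# Check permissions, then every SYNC_HOSTS entry, of a sso.conf.
validate_sso_conf() {
    check_sso_conf_mode "$1" || return 1
    hosts=$(sed -n 's/^SYNC_HOSTS=//p' "$1")
    [ -n "$hosts" ] || { echo "SYNC_HOSTS not set in $1" >&2; return 1; }
    parse_sync_hosts "$hosts"
}

# Demo on a constructed sso.conf: two DCs, the second with a blank port.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'ENCRYPT_KEY=ExampleKey#123\nPORT_NUMBER=6677\n%s\n' \
        'SYNC_HOSTS=(dc1.example.com,6677,ExampleKey#123) (dc2.example.com,,ExampleKey#123)' \
        > "$dir/sso.conf" && chmod 600 "$dir/sso.conf"
    validate_sso_conf "$dir/sso.conf"; rc=$?
    rm -rf "$dir"; return $rc
}
```

Run validate_sso_conf /etc/sso.conf on the Solaris box after editing the file; a non-zero status and a message on stderr points at the entry or permission problem.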


  • PAM configuration: To configure UNIX to Windows password sync, first perform all the steps required for Windows to UNIX password sync mentioned above: configure the sso.conf file, copy the appropriate binary to the UNIX box, and add the UNIX box name in the Password Synchronization management snap-in. The remaining step is to copy the appropriate Pam_sso.* file from the unix\bins folder to the corresponding
    directory and rename it. Once this is done, set the mode of the copied file to 544. Finally, an entry in /etc/pam.conf is required to complete the configuration.


  • Copy pam_sso.sol from that location to the /usr/lib/security directory on the UNIX computer, and change its name to pam_sso.so.1.
  • On the UNIX computer, open /etc/pam.conf with a text editor.
  • On Solaris 10, add the two lines below (pam_sso must follow pam_unix):

    other password required /usr/lib/security/$ISA/pam_unix.so.1
    other password required /usr/lib/security/$ISA/pam_sso.so.1


  • To change the password from the UNIX side, log in as the Active Directory user and use the "passwd" command.


Configuring the Solaris NIS Client (reproduced from a third-party link):

1. Configure the domain name:

   # domainname <domain name>

   For example:

   # domainname mydomainname
   # domainname > /etc/defaultdomain
   # domainname

2. Configure the NIS configuration file (nsswitch.conf):

   # cd /etc
   # cp nsswitch.nis nsswitch.conf

3. Configure the hosts file:

   # vi /etc/hosts

   Add the NIS server's information. Always use the server's name in the NIS configuration.

4. Start the YP service:

   # /usr/lib/netsvc/yp/ypstart    (to stop the service: /usr/lib/netsvc/yp/ypstop)

5. Configure the slave server as an NIS client first:

   # ypinit -c

   (Select n to avoid stopping the process on an error.)
   Provide the name of the NIS master server. Press Ctrl+D and then press y.

6. Check the NIS database:

   # ypwhich -m

Attachment: SSOD.zip
Comments
  • the link to the blog in the first line doesn't work

  • Pasted the correct link.
