Using two way Password Sync - Windows and UNIX - Services for UNIX Team - Microsoft - Site Home

This blog is in continuation of the blog (http://blogs.technet.com/b/dsix/archive/2009/04/06/password-synchronization-between-windows-and-unix-part-ii.aspx) where we had discussed on syncing password changes from Unix to Windows.

Based on our testing and research, we did find some additional steps which need to be done to propagate the password changes from UNIX to
Windows. However, this would not be a very much recommended scenario and may be not that smooth as syncing password changes from Windows to UNIX password changes sync. The password changes made from UNIX are synced properly to Windows inspite of getting some error messages in the event logs.

The steps below are environment specific; we tried to keep it generic; mostly applicable to other similar environments as well.

Environment:

===========

Windows 2008 R2 as NIS server
Solaris 10 as NIS client
Two way password sync

Syncing one way password (Windows to UNIX) on a NIS environment is discussed on this blog.

Steps to sync password from UNIX ==> Windows on a NIS environment

Configuration required on Windows side:

Install the IDMU components
Password sync settings:

Change the default encryption key

Check the enable option under the configuration tab
Also add the IP address of the Unix NIS client under the UNIX computer.

Installation of the Password Synchronization daemon on Solaris:

To configure Solaris as NIS client please refer to Configuring the Solaris NIS Client section below

Please find the attach zip file. It contains the binaries for Solaris 8 and 9. Copy the relevant component to /usr/bin or /usr/local/bin on the Solaris computer, and change its name to ssod.

Copy Sso.cfg from \Unix\Bins \etc on the UNIX computer, and change the file name to sso.conf.

Open sso.conf by using a text editor.

If you have changed the default encryption key, edit the following line to specify the new default key. This value must match the default key specified on all domain controllers with which this computer will synchronize passwords:

ENCRYPT_KEY=encryptionKey ( as mentioned on the Windows DC)

PORT_NUMBER=portNumber ( as mentioned on the Windows DC)

Edit the following line to specify one domain controller in each Windows domain with which the computer must synchronize passwords. If you have specified a nondefault port number or encryption key for the UNIX-based computer when configuring Password Synchronization on the Windows domain controllers, specify that value where indicated; otherwise, leave the value blank:

SYNC_HOSTS=(domainController[,portNumber [, encryptionKey]]) ...

Note:Each entry in the list must be enclosed by parentheses and separated from the next entry by a blank space.

Set the file permissions of sso.conf to read and write for the root user only, and deny access to all other users.

PAM configuration: To configure the UNIX to Windows password sync we need to perform all the steps that are required for Windows to UNIX password sync mentioned above; like configuring sso.conf file, copying appropriate binary to the UNIX box and adding the UNIX box name in the password sync management snap-in. The remaining step is to copy the appropriate Pam_sso.* file from unix\bins folder to the corresponding
directory and change its name. Once this is done we need to set the mode for the modified file to be 544. Finally an entry in the /etc/pam.conf is required to complete the configuration.

Copy pam_sso.sol from the location to the /usr/lib/security directory on the UNIX computer, and change its name to pam_sso.so.1.
On the UNIX computer, open /etc/pam.conf with a text editor.
On Solaris 10, add the below two lines:
- other password required
  /usr/lib/security/$ISA/pam_unix.so.1.
- other password required
  /usr/lib/security/$ISA/pam_sso.so.1.