Password Synchronization changes a user's UNIX password whenever the user's password is changed on a Windows computer or domain. In addition, Password Synchronization and the affected UNIX hosts can be configured to change the user's Windows password whenever the UNIX password is changed.
Windows-to-UNIX password synchronization is supported on UNIX computers running any of the following operating systems:
UNIX-to-Windows password synchronization is supported on UNIX computers running any of the following operating systems:
For more information about how Password Synchronization works on Windows and UNIX computers, see Understanding Password Synchronization.
The remainder of this topic provides information about how to implement password synchronization on Windows and UNIX computers.
To synchronize local account passwords on a Windows computer, install Password Synchronization on that computer only. To synchronize Windows domain passwords, you must install Password Synchronization on the appropriate domain controllers for that domain. In the case of a Windows NT domain, install Password Synchronization on the primary domain controller; for a Windows 2000 domain, install Password Synchronization on all domain controllers in the domain. This ensures that whichever domain controller processes a password change request, the Password Synchronization service on that domain controller can synchronize the new password with the appropriate UNIX hosts. For the same reason, before you remove Password Synchronization from a domain controller, demote the domain controller to a member server; otherwise it could continue to process password changes that are never propagated, leaving the Windows domain and the UNIX hosts with different passwords.
For information about installing Password Synchronization on Windows computers, see To install Password Synchronization.
When Password Synchronization receives a request for a password change, it encrypts the password and sends it to all UNIX hosts that are to be synchronized with the Windows computer or domain. To process the password change request, the UNIX host must be running the Password Synchronization daemon. This daemon receives the request and changes the password on the UNIX host. In addition, if the UNIX host is a master Network Information Service (NIS) or NIS+ server, the Password Synchronization daemon runs make to rebuild the NIS passwd map so that the change can be replicated to the subordinate (slave) servers in the NIS domain.
The Password Synchronization daemon performs event logging through the syslogd daemon running on the UNIX host.
To allow passwords on Windows computers or domains to be changed when users change their UNIX password, the Password Synchronization PAM module (pam_sso) must be installed on each UNIX host where users can change their passwords. Much like Password Synchronization running on a Windows computer, the Password Synchronization PAM module on a UNIX computer intercepts the password change request, encrypts the password, and then transmits the request to the appropriate Windows computers running Password Synchronization.
Like the Password Synchronization daemon, the Password Synchronization PAM module performs event logging through the syslogd daemon running on the UNIX host.
For information about configuring UNIX computers for UNIX-to-Windows synchronization, see Configure UNIX computers for UNIX-to-Windows synchronization.
Password Synchronization can only synchronize the passwords of accounts with identical user names. Windows and UNIX administrators must ensure that the user names for the Windows and UNIX accounts of a given user match exactly, including case; an account whose name differs only in case from its counterpart is treated as a different account and is not synchronized.
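The following script is an added example, not part of Password Synchronization or its documentation. It cross-checks a list of Windows account names against /etc/passwd-style entries from a UNIX host (the same parser works on `ypcat passwd` output from a NIS master) and reports exact matches, names that differ only in case (which look correct but will not synchronize), and accounts that exist on one side only. Both inputs below are constructed sample data; the minimum UID used to skip system accounts is an assumption to adjust per host.

```python
"""Cross-check Windows and UNIX account names before enabling Password Synchronization.

Added example; not product code. Password Synchronization only synchronizes
accounts whose names match exactly (including case), so anything reported
under case_mismatch, windows_only or unix_only will not be kept in sync.
"""

from typing import Dict, List, NamedTuple, Tuple


class AccountReport(NamedTuple):
    synchronized: List[str]            # identical names on both sides
    case_mismatch: List[Tuple[str, str]]  # (windows_name, unix_name), differ only in case
    windows_only: List[str]            # no UNIX account with that name in any case
    unix_only: List[str]               # no Windows account with that name in any case


def parse_passwd(passwd_text: str, min_uid: int = 100) -> List[str]:
    """Return login names from /etc/passwd or `ypcat passwd` text.

    Entries with a UID below min_uid (assumed cut-off for system accounts)
    and malformed lines are skipped rather than guessed at.
    """
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a complete passwd entry
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        if uid >= min_uid:
            names.append(fields[0])
    return names


def compare_accounts(windows_names: List[str], unix_names: List[str]) -> AccountReport:
    """Classify every account by whether Password Synchronization can match it."""
    windows_set = set(windows_names)
    unix_set = set(unix_names)
    synchronized = sorted(windows_set & unix_set)

    # UNIX names are case-sensitive, so several may fold to the same lower-case form.
    unix_by_fold: Dict[str, List[str]] = {}
    for name in unix_set - windows_set:
        unix_by_fold.setdefault(name.lower(), []).append(name)

    case_mismatch: List[Tuple[str, str]] = []
    windows_only: List[str] = []
    for win_name in sorted(windows_set - unix_set):
        candidates = unix_by_fold.get(win_name.lower())
        if candidates:
            for unix_name in sorted(candidates):
                case_mismatch.append((win_name, unix_name))
        else:
            windows_only.append(win_name)

    matched_unix = {unix_name for _, unix_name in case_mismatch}
    unix_only = sorted((unix_set - windows_set) - matched_unix)
    return AccountReport(synchronized, case_mismatch, windows_only, unix_only)


# Constructed sample data: a Windows account export and a UNIX passwd file.
WINDOWS_ACCOUNTS = ["alice", "Bob", "carol", "dave"]
UNIX_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
erin:x:1004:1004:Erin:/home/erin:/bin/sh
"""


def main() -> None:
    report = compare_accounts(WINDOWS_ACCOUNTS, parse_passwd(UNIX_PASSWD))
    print("synchronized :", ", ".join(report.synchronized))
    for win_name, unix_name in report.case_mismatch:
        print(f"case mismatch: Windows '{win_name}' vs UNIX '{unix_name}' (will not sync)")
    print("Windows only :", ", ".join(report.windows_only))
    print("UNIX only    :", ", ".join(report.unix_only))


if __name__ == "__main__":
    main()
```

On the sample data, `alice` and `carol` synchronize, `Bob`/`bob` is flagged as a case mismatch that must be fixed by renaming one side so the stored spellings agree, and `dave` and `erin` are reported as one-sided. Run the check on every UNIX host (or NIS master) listed for synchronization, since each host has its own passwd data.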
If you are configuring Password Synchronization for one-way (Windows-to-UNIX) synchronization, consider disabling the ability of users to change passwords on the UNIX hosts that are to be synchronized with the Windows computers. Otherwise, when a user changes a UNIX password, nothing propagates that change back to Windows, so the UNIX and Windows passwords will no longer match until the next Windows-side change.