Implementing Password Synchronization

Password Synchronization changes a user's UNIX password whenever the user's password is changed on a Windows computer or domain. In addition, Password Synchronization and the affected UNIX hosts can be configured to change the user's Windows password whenever the UNIX password is changed.

Windows-to-UNIX password synchronization is supported on UNIX computers running any of the following operating systems:

UNIX-to-Windows password synchronization is supported on UNIX computers running any of the following operating systems:

For more information about how Password Synchronization works on Windows and UNIX computers, see Understanding Password Synchronization.

The remainder of this topic provides information about how to implement password synchronization on Windows and UNIX computers.

Installing Password Synchronization in Windows
You can use Password Synchronization to synchronize passwords between a Windows domain and one or more UNIX hosts, or you can use it to synchronize passwords between a stand-alone computer running Windows and one or more UNIX hosts.

To synchronize local account passwords on a Windows computer, install Password Synchronization on that computer only. To synchronize Windows domain passwords, you must install Password Synchronization on the appropriate domain controllers for that domain. In the case of a Windows NT domain, you install Password Synchronization on the primary domain controller; for a Windows 2000 domain, install Password Synchronization on all domain controllers in the domain. This will ensure that when a domain controller processes a password change request, the Password Synchronization service on that domain controller will be able to synchronize the new password with the appropriate UNIX hosts. For this reason, before you remove Password Synchronization from a domain controller, you should demote the domain controller to a member server to prevent password discrepancies between the Windows domain and the UNIX hosts.

For information about installing Password Synchronization on Windows computers, see To install Password Synchronization.

Installing the Password Synchronization daemon on UNIX hosts
To allow synchronization of Windows passwords with UNIX hosts, you must install the Password Synchronization daemon on each UNIX host on which passwords are to be synchronized. For information about installing the daemon, see To install the Password Synchronization daemon.

When Password Synchronization receives a request for a password change, it encrypts the password and sends it to all UNIX hosts that are to be synchronized with the Windows computer or domain. To process the password change request, the UNIX host must be running the Password Synchronization daemon. This daemon receives the request and changes the password on the UNIX host. In addition, if the UNIX host is a master Network Information Service (NIS) or NIS+ server, the Password Synchronization daemon runs make to rebuild the NIS passwd map so that it can be replicated to subordinate (slave) servers in the NIS domain.

The Password Synchronization daemon performs event logging through the syslogd daemon running on the UNIX host.

Installing the pluggable authentication module on UNIX hosts
Pluggable authentication modules (PAMs) allow a UNIX computer to support multiple authentication technologies. Password Synchronization uses this facility to provide UNIX-to-Windows password synchronization.

To allow passwords on Windows computers or domains to be changed when users change their UNIX password, the Password Synchronization PAM module (pam_sso) must be installed on each UNIX host where users can change their passwords. Much like Password Synchronization running on a Windows computer, the Password Synchronization PAM module on a UNIX computer intercepts the password change request, encrypts the password, and then transmits the request to the appropriate Windows computers running Password Synchronization.

Like the Password Synchronization daemon, the Password Synchronization PAM module performs event logging through the syslogd daemon running on the UNIX host.

For information about configuring UNIX computers for UNIX-to-Windows synchronization, see Configure UNIX computers for UNIX-to-Windows synchronization.

Synchronizing passwords between Windows and NIS domains
In addition to synchronizing passwords between Windows computers and stand-alone UNIX hosts, you can also use Password Synchronization to provide one-way (Windows-to-UNIX) synchronization as well as two-way synchronization with NIS domains. For more information, see Synchronizing passwords with an NIS domain.

Coordinating account names and password policies
The password policies on both systems must be similar. If the policy on one system is stronger (more restrictive) than the policy on the other system, Password Synchronization might fail to synchronize passwords, and the failure might not be reported.

In addition, Password Synchronization can only synchronize the passwords of accounts with identical user names. Windows and UNIX administrators must ensure that the user names for the Windows and UNIX accounts of a given user match exactly (including case).

If you are configuring Password Synchronization for one-way (Windows-to-UNIX) synchronization, you should consider disabling the ability of users to change passwords on the UNIX hosts that are to be synchronized with the Windows computers. Otherwise, if users change their UNIX passwords, their passwords will no longer be synchronized.
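The two coordination requirements above (account names must match exactly, including case, and a password that satisfies one system's policy but not the other's fails to synchronize, possibly without an error being reported) can be checked before synchronization is enabled. The following script is an added example written for this topic; it is not part of Password Synchronization or Services for UNIX. The Windows account list, the /etc/passwd-style lines and both policies are constructed sample data, and the policy rules (minimum length, digit, mixed case) are assumed for illustration; substitute the policies actually configured on your domain and UNIX hosts.

```python
"""Pre-flight checks for Windows/UNIX password synchronization (added example,
not code from Services for UNIX). All sample data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy shape: minimum length plus two optional complexity rules."""
    min_length: int
    require_digit: bool
    require_mixed_case: bool


def merge_policies(a: PasswordPolicy, b: PasswordPolicy) -> PasswordPolicy:
    """Take the stricter of each rule. A password accepted by the merged policy
    is accepted on both systems, so synchronization cannot fail on policy grounds."""
    return PasswordPolicy(
        min_length=max(a.min_length, b.min_length),
        require_digit=a.require_digit or b.require_digit,
        require_mixed_case=a.require_mixed_case or b.require_mixed_case,
    )


def violations(password: str, policy: PasswordPolicy) -> list:
    """Return the list of rules the password breaks (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy.require_mixed_case and not (has_lower and has_upper):
        problems.append("no mixed case")
    return problems


def parse_passwd(text: str) -> set:
    """Login names from /etc/passwd-style lines (first colon-separated field)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0])
    return names


def account_name_report(windows_names, unix_names) -> dict:
    """Classify accounts. Only 'exact' matches are synchronizable; a 'case_mismatch'
    pair looks like the same user but will NOT synchronize, because Password
    Synchronization compares user names case-sensitively."""
    windows, unix = set(windows_names), set(unix_names)
    exact = windows & unix
    # Map lower-cased UNIX names to their real spelling (assumes no two UNIX
    # accounts differ only by case; if they do, the later one wins here).
    unix_by_lower = {n.lower(): n for n in unix - exact}
    case_mismatch = {
        w: unix_by_lower[w.lower()]
        for w in windows - exact
        if w.lower() in unix_by_lower
    }
    return {
        "exact": sorted(exact),
        "case_mismatch": case_mismatch,
        "windows_only": sorted(windows - exact - set(case_mismatch)),
        "unix_only": sorted(unix - exact - set(case_mismatch.values())),
    }


# --- constructed sample data -------------------------------------------------
WINDOWS_ACCOUNTS = ["alice", "Bob", "carol", "dave"]
UNIX_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/sh
carol:x:1003:1003::/home/carol:/bin/sh
erin:x:1004:1004::/home/erin:/bin/sh
"""
WINDOWS_POLICY = PasswordPolicy(min_length=8, require_digit=True, require_mixed_case=False)
UNIX_POLICY = PasswordPolicy(min_length=6, require_digit=False, require_mixed_case=True)


def sync_policy_violations(password: str) -> list:
    """Rules the password breaks under the combined (stricter) policy."""
    return violations(password, merge_policies(WINDOWS_POLICY, UNIX_POLICY))


if __name__ == "__main__":
    report = account_name_report(WINDOWS_ACCOUNTS, parse_passwd(UNIX_PASSWD))
    for key, value in report.items():
        print(f"{key:14}: {value}")
    # "summer24" passes the Windows policy but would be rejected on the UNIX
    # side, so a Windows-side change would silently fail to synchronize.
    print("windows only :", violations("summer24", WINDOWS_POLICY))
    print("both systems :", sync_policy_violations("summer24"))
```

Run the account report once per UNIX host before enabling synchronization, and enforce the merged policy on the system where users change passwords; because the page notes that a policy-related failure might not be reported, catching the mismatch before the change is the only reliable way to keep the two passwords identical.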