Services for UNIX Overview


To simplify connecting to and working with UNIX systems, Microsoft released the SFU package, which contains all the basics needed for interoperating between Windows 2000 and UNIX. These products include NFS, telnet, the UNIX Korn shell and utilities, and a password synchronization daemon. Before installing SFU, you need a little background on password synchronization. Then we'll look at the other SFU products in more detail.

Understanding Password Synchronization

Password synchronization is a one-way synchronization utility that allows you to manage your users' passwords for both Windows 2000 and UNIX from the Windows 2000 Server. SFU includes precompiled password synchronization daemons (known in UNIX as single sign-on daemons, or SSOD) for three major versions of UNIX: HP-UX, Sun OS, and Digital UNIX. It also includes source code that theoretically allows you to compile on any other UNIX system you might need to support. Realistically, however, if you don't have one of the three provided ports of the secure daemon, you're likely to find that your only viable option is the nonsecure method of password synchronization using rlogin.

Obviously, the use of rlogin has inherent security concerns because it involves the passing of clear text passwords across the network, but it's relatively easy to set up and may be perfectly sufficient in a smaller network that is adequately secured from external influences. It also requires no additional software or configuration and is essentially platform independent.

Managing a UNIX Pod

UNIX hosts are organized into pods, with the password synchronization method being managed on a per-pod basis. You can create a new pod, add a host to an existing pod, or change the synchronization method for a pod by using the Password Synchronization Service Administrator (psadmin.exe).

When you create a new pod, you're prompted for the member hosts of the pod and the password synchronization methodology that will be used for the pod. You can change this later. You also have an option to turn on verbose logging. By default, only failures are logged, but with verbose logging enabled, all synchronization actions are logged to Event Viewer.

Using rlogin to Synchronize Passwords

While some UNIX environments don't permit the use of rlogin, where it's a viable option, it provides a simple and easily configured mechanism. Where the network is completely isolated from the outside world by a highly secure firewall (or there's no connection to the outside world at all), you can use rlogin to manage the synchronization between your Windows 2000 and UNIX machines. This option has the virtue of requiring no additional software on the UNIX host because most versions of UNIX support rlogin.

To set up rlogin password synchronization, you first need to configure the remote UNIX hosts to correctly support rlogin for the root account. This requires creating a .rhosts file on the server. This .rhosts file must have permissions such that only root (or the account authorized to change passwords) can write to the file, and it must be owned by root (or that alternate account) and reside in the home directory of the root or alternate account. It should contain a listing for the machine where the password change will be made—generally a domain controller. The listing should have only the short name for the machine, not the fully qualified domain name.

The default configuration for rlogin synchronization uses the root account, expects a prompt of "#", and expects that the password-changing command is passwd. If your environment is different from this, you can modify these defaults by using the Password Synchronization Service Administrator.
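Before enabling rlogin synchronization, an administrator can verify that a .rhosts file meets the requirements described above (regular file in the account's home directory, owned by that account, writable only by it, short host names only). The shell function below is an added example and is not part of the book or of SFU; the host names in its test data are constructed, and the home directory is assumed to be passed by the caller.

```shell
#!/bin/sh
# Added example (not from the book): check a .rhosts file against the
# requirements for rlogin password synchronization.
# Usage: check_rhosts /root/.rhosts root /root
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_rhosts() {
  f=$1; owner=$2; home=$3; rc=0
  # Must be a regular file (not a symlink) located in the account's home directory
  if [ ! -f "$f" ] || [ -L "$f" ]; then echo "FAIL: $f is not a regular file"; return 1; fi
  [ "$(dirname "$f")" = "$home" ] || { echo "FAIL: $f is not in $home"; rc=1; }
  # Must be owned by the account that will run passwd (root by default)
  [ -n "$(find "$f" -prune -user "$owner" -print)" ] || { echo "FAIL: not owned by $owner"; rc=1; }
  # Only the owner may write it: reject group- or world-writable modes
  [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ] || { echo "FAIL: group/world writable"; rc=1; }
  # Each entry: short host name (no dots), optional user name, never the '+' wildcard
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    set -- $line
    case $1 in
      '+'|'+@'*) echo "FAIL: wildcard entry '$1' trusts every host"; rc=1 ;;
      *.*) echo "FAIL: '$1' is a fully qualified name; use the short name"; rc=1 ;;
    esac
    [ $# -le 2 ] || { echo "FAIL: malformed entry '$line'"; rc=1; }
  done < "$f"
  return $rc
}
```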

REAL WORLD  Account Names
Unlike Windows 2000 and Windows NT accounts, which are case insensitive, the user accounts on UNIX systems are fully case sensitive. If you already have mixed-case Windows 2000 accounts, you'll likely find it takes more time and grief to align the accounts than you save in the long run. But if you're just adding Windows 2000 into an existing UNIX environment, you can make password and account synchronization easy and straightforward by creating the corresponding Windows 2000 accounts as lowercase only from the very beginning. The display names associated with the accounts can remain mixed case; only the underlying account name needs to be all lowercase.

Using Secure Password Synchronization

SFU provides for secure password synchronization using precompiled binaries that run as daemons on the UNIX server, allowing the UNIX server to receive encrypted passwords sent by Windows 2000 and then modify the UNIX password for the same account. However, the caveats about case sensitivity relative to rlogin synchronization apply equally to secure synchronization.

Installing the Password Synchronization Daemon on UNIX

To install the password synchronization daemon, copy the SSOD and ssod.config files for your version of the secure daemon to the UNIX machine that will be the target for password synchronization. A typical target location for these files would be /usr/local/etc, but this will vary from system to system and isn't critical. If you use FTP to copy the files, make sure you use a binary transfer to prevent corruption of the files.

Once you've copied the files to the UNIX machine, use the appropriate mechanism to install them. This will vary depending on your platform but can include pkgadd or other installation mechanisms. Edit the provided ssod.config file to reflect both the locations of files on your system and the type of synchronization appropriate. Both Network Information Service (NIS) and /etc/passwd are supported, as is password shadowing.

The ssod.config file must reside in the same directory as the daemon. Once the daemon is configured, you can start it manually or add it to the appropriate startup file. Startup mechanisms vary from platform to platform but can include /etc/rc.local and shell wrappers in an /etc/rc2.d directory.

When you create the UNIX pod and select Use Encryption, the Secure Propagation Settings dialog box will open. Enter the port number you've configured on the UNIX side and the secret encryption key that you chose in the ssod.config file. This key will be used to encrypt the password before it is passed over the network.

NOTE
All hosts in a UNIX pod must use the same encryption key, but different pods can use different keys.

Installing Services for UNIX

Now you're ready to install SFU. To do so, follow this procedure:

  1. Insert the SFU CD-ROM into the drive, and the first screen of the Services for UNIX Add-On Pack Setup Wizard will appear, as shown in Figure 21-1.

    Figure 21-1. Initial screen of the Windows NT Services for UNIX Add-On Pack Setup Wizard.

  2. Click Next, accept the license agreement, and click Next again.
  3. Enter the 25-character license key, as shown in Figure 21-2. The good news is that these characters are not case sensitive. The bad news is that it's extremely easy to mistype the string, and you can't cut and paste it from another source. Click Next.

    Figure 21-2. Entering the license key for your copy of SFU.

  4. Select the type of installation. As always, we recommend choosing a custom installation—if only so you know what you're actually getting. Figure 21-3 shows the defaults for a custom installation on Windows 2000 Server.

    Figure 21-3. The defaults for installation of SFU on Windows 2000 Server.

  5. Select the Server for NFS option only if you're going to share your Windows 2000 file systems back to UNIX. (See the section "The Network File System" earlier in this chapter for more specifics about when it's appropriate to select Server for NFS.)
  6. The Windows NT To UNIX Password Synchronization option isn't selected by default. Generally, you should select this feature only in large environments under these conditions:
    • Large numbers of users are working on both Windows 2000 and UNIX regularly.
    • You're running NIS for all your UNIX systems.
    • Your NIS server is one of the supported and supplied SSOD platforms (Sun OS, HP-UX, and Digital UNIX).

    Alternatively, if you have only a few UNIX systems and no security concerns, you can use the nonsecure method of password synchronization discussed earlier—rlogin. It has the virtue of being simple and easy to manage, but it does allow an unscrupulous person with physical access to your network to read clear text passwords on the network.

  7. Once you've made your selections, click Next and Finish, and the installation will begin. In most cases, you'll need to reboot at the end, depending on the options you chose.


Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366
