Lesson 5: Password Synchronization

The Microsoft Windows SFU add-on pack includes Password Synchronization. This allows synchronization of a user's password from Windows to UNIX as well as from UNIX to Windows.

In many enterprises, the network consists of heterogeneous systems with both Windows- and UNIX-based computers. These systems are managed separately and are governed by different access policies. Most importantly, Windows- and UNIX-based computers use different mechanisms for authenticating users. Many users have to access both kinds of systems for a variety of reasons, so they must maintain separate user accounts and separate passwords on each.

Maintaining two passwords on two different systems is difficult for users. It maintains an artificial barrier between two kinds of systems that are part of the same network. With different password update schedules, users may forget one or more of their passwords, and administrative intervention is then required to reset them. Together, this results in a loss of productivity.

Keeping two different passwords also burdens administrators. Whenever a user's password needs to be reset, administrators must reset it on one system or the other, or on both, using two different mechanisms. Many enterprises also have separate system administrators for Windows and UNIX, so users may have to contact a different administrator depending on the issue.

SFU addresses this problem with Password Synchronization, which simplifies management of network passwords. It makes it easy for users of both Windows- and UNIX-based systems by allowing them to use the same password on both systems.

After this lesson, you will be able to

  • Determine the appropriate password synchronization scheme for a specified environment
  • Install Password Synchronization

Estimated lesson time: 15 minutes

Password Synchronization Scheme

Password Synchronization has two independent components—Windows-to-UNIX password synchronization and UNIX-to-Windows password synchronization. Of these, Windows-to-UNIX password synchronization is provided by default while UNIX-to-Windows password synchronization is optional.

When a user changes a password on a computer, the Password Synchronization client software captures the new password and sends a password change request containing it to the Password Synchronization server software running on the other computers that take part in synchronization. Password Synchronization uses TCP/IP sockets for communication and triple-DES (3DES), a symmetric block cipher, to encrypt and decrypt the passwords and related information sent from Windows to UNIX and vice versa. The 3DES key is a shared secret that must be configured identically on both sides; it should be protected like any other credential, because anyone holding it can read or forge password change requests. Because only TCP/IP is used for transport, no additional networking software needs to be installed for this feature to work.

System administrators may elect to install Password Synchronization independently of the other features in SFU. This feature does not depend on other SFU features, and other features do not depend on it. Server for NIS is an upgrade path from this feature: it not only synchronizes passwords but also handles account management.

Windows-to-UNIX Password Synchronization

SFU Password Synchronization supports synchronization of password changes from Windows NT- or Windows 2000-based computers to UNIX computers. Windows-based computers may be part of a domain or may be standalone computers.

  • Password Synchronization may be installed either on domain controllers or on individual computers. This synchronizes passwords for domain users and local users, respectively.
  • Password Synchronization in SFU version 2.0 interoperates with the Password Synchronization feature in SFU version 1.0: the Windows component of either version can synchronize passwords with the UNIX daemon (ssod) shipped with the other version.

Password Synchronization for Domain Users

To synchronize users' domain passwords with those on UNIX computers, the Password Synchronization component must be installed on all domain controllers in the domain. In Windows NT 4, this means the primary domain controller and all backup domain controllers; in Windows 2000, it means all peer domain controllers. This is necessary because a user's password change may be processed by any domain controller, depending on network configuration.

To set up Windows-to-UNIX password synchronization, the password change service, ssod, must be installed on every UNIX computer on which the password is to be synchronized. If a user's NIS or NIS+ password is to be synchronized, ssod must be installed on the NIS or NIS+ master server. On UNIX, the administrator configures ssod by editing the sso.conf file. Similarly, the Password Synchronization feature must be installed on every Windows-based computer that participates in synchronization, and it is configured using the SFU Administration console. Note that Password Synchronization must be configured identically on all domain controllers.

The sequence of events is as follows:

  1. User changes password on a Windows client that is part of a domain. User's password change request is sent to one of the domain controllers.

    This password is propagated to other domain controllers in the domain through domain replication.

  2. On the domain controller, the password synchronization component receives the password change notification. If the password is to be synchronized for that user, the password synchronization component encrypts the password and sends it to those UNIX computers participating in password synchronization.
  3. The password synchronization service, ssod, running on the UNIX computers listens for such password change requests. It decrypts the request and changes the user's password on that UNIX computer.
  4. If the UNIX computer is an NIS master server and is configured for it, ssod also changes the user's NIS password and runs make on the NIS Makefile to rebuild the NIS maps. NIS clients receive the new password the next time they query the server.

Password Synchronization for local users

Password synchronization for local users works in much the same way as for domain users. Instead of installing the Password Synchronization component on the domain controllers, you install it on the individual computer whose local passwords are to be synchronized.

Everything else is the same as in the domain case: password changes for local users on that Windows-based computer are synchronized to the UNIX computers, and the component is configured in exactly the same way. The UNIX computers see no difference between the two cases.

UNIX-to-Windows Password Synchronization

Password synchronization may be configured for UNIX-to-Windows password synchronization. This allows users to change passwords either on a Windows-based computer or a UNIX computer. This way, users do not have to change their usage patterns.

On UNIX, the UNIX-to-Windows component is implemented as a Pluggable Authentication Modules (PAM) module, so it requires a PAM-capable system. It supports synchronization to either domain passwords or local passwords on Windows.

For UNIX-to-Windows password synchronization, administrators need to install the Password Synchronization PAM module (typically called pam_sso.so) on every UNIX computer on which users may change their UNIX passwords. Similarly, Password Synchronization must be installed on every Windows-based computer on which the passwords are to be synchronized. If the UNIX password is to be synchronized to the user's domain password, Password Synchronization must be installed on all domain controllers in the domain; if it is to be synchronized to a local password, Password Synchronization must be installed on that Windows-based computer.

The sequence of events is as follows:

  1. User changes password on a UNIX computer. The Password Synchronization PAM module (pam_sso.so) on that computer receives the new password when the user or administrator runs the passwd command.
  2. If the user's password needs to be synchronized to a Windows password, the Password Synchronization pluggable module encrypts the password and sends it to corresponding Windows-based computers.
  3. The Password Synchronization service running on the Windows-based computer (either domain controllers or standalone computers) decrypts the password change requests and changes the user's password.
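The two sequences above (Windows to UNIX and UNIX to Windows) are the same exchange run in opposite directions: the side where the password changed encrypts the request under the shared 3DES key, the ciphertext crosses a TCP socket, and the listening side decrypts it and applies the change only for users it is configured to synchronize. The following Go program is an added illustration of that exchange; it is not SFU code, and SFU's actual wire format is not documented in this lesson. Everything about the message layout is assumed: the in-message tag `magic`, the `user|NUL|password` body, PKCS#7 padding, the IV prefix, the constructed `sharedKey`, and the `syncUsers` list and `shadow` map standing in for the daemon's configuration and password store.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// sharedKey is the secret both sides are configured with (24 bytes for 3DES).
// Constructed for this example; SFU reads its key from its own configuration.
var sharedKey = []byte("example-24-byte-3des-key")

// magic is an assumed tag inside the plaintext: a message decrypted under the
// wrong key will not reproduce it, so the request is rejected, not applied.
const magic = "SSO1"

// syncUsers and shadow are the receiving daemon's configured sync list and its
// password store (constructed; the map stands in for /etc/shadow or NIS maps).
var syncUsers, shadow = map[string]bool{"alice": true}, map[string]string{}

// pad and unpad apply PKCS#7 padding to the 8-byte DES block size.
func pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if n := len(b); n > 0 {
		k := int(b[n-1])
		if k > 0 && k <= des.BlockSize && k <= n && bytes.Equal(b[n-k:], bytes.Repeat([]byte{byte(k)}, k)) {
			return b[:n-k], nil
		}
	}
	return nil, fmt.Errorf("bad padding")
}

// encryptRequest is the sending side: it builds magic|user|NUL|password, pads
// it and encrypts it with 3DES-CBC; the random IV is prepended to the output.
func encryptRequest(key []byte, user, password string) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	plain := pad([]byte(magic + user + "\x00" + password))
	out := make([]byte, des.BlockSize+len(plain))
	if _, err := io.ReadFull(rand.Reader, out[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:des.BlockSize]).CryptBlocks(out[des.BlockSize:], plain)
	return out, nil
}

// decryptRequest is the receiving side: it reverses encryptRequest and checks
// the layout. CBC alone gives no integrity: the magic and padding checks catch
// a key mismatch or gross corruption, not a message forged by a key holder.
func decryptRequest(key, blob []byte) (user, password string, err error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", "", err
	}
	if len(blob) < 2*des.BlockSize || len(blob)%des.BlockSize != 0 {
		return "", "", fmt.Errorf("malformed ciphertext")
	}
	plain := make([]byte, len(blob)-des.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:des.BlockSize]).CryptBlocks(plain, blob[des.BlockSize:])
	if plain, err = unpad(plain); err != nil || !bytes.HasPrefix(plain, []byte(magic)) {
		return "", "", fmt.Errorf("rejected: key mismatch or corrupt message")
	}
	f := bytes.SplitN(plain[len(magic):], []byte{0}, 2)
	if len(f) != 2 || len(f[0]) == 0 {
		return "", "", fmt.Errorf("malformed request")
	}
	return string(f[0]), string(f[1]), nil
}

// applyChange is what the daemon does after decrypting: it updates only users
// it is configured to synchronize. The hash stands in for a crypt(3) hash.
func applyChange(user, password string) error {
	if !syncUsers[user] {
		return fmt.Errorf("user %q is not synchronized; change ignored", user)
	}
	shadow[user] = fmt.Sprintf("$demo$%x", sha256.Sum256([]byte("demo-salt:"+password)))
	return nil
}

// syncOnce runs one change end to end: the sender encrypts under its key, the
// ciphertext is what crosses the socket, and the receiver decrypts under its
// own key. The change is applied only if the keys match and the user is listed.
func syncOnce(senderKey, receiverKey []byte, user, password string) error {
	blob, err := encryptRequest(senderKey, user, password)
	if err != nil {
		return err
	}
	u, p, err := decryptRequest(receiverKey, blob)
	if err != nil {
		return err
	}
	return applyChange(u, p)
}

func main() {
	fmt.Println("matching keys:", syncOnce(sharedKey, sharedKey, "alice", "N3w-Passw0rd!"), shadow)
	fmt.Println("wrong key:    ", syncOnce([]byte("another-24-byte-key-0000"), sharedKey, "alice", "x"))
	fmt.Println("not in list:  ", syncOnce(sharedKey, sharedKey, "bob", "x"))
}
```

The three calls in main show the cases an administrator meets in practice: matching keys on both sides apply the change, a key that differs on one side causes the receiver to reject the request rather than write a garbage password, and a user the receiver is not configured to synchronize is ignored even though the message decrypts correctly.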

Installing Password Synchronization

If you select Password Synchronization, you need to install a copy of Password Synchronization on each domain controller in the domain (for domain users) or on each standalone Windows-based computer whose local passwords are to be synchronized (for local users).

You also need to install the single sign-on daemon (ssod) on each UNIX-based computer with which you synchronize passwords. If you are using NIS, verify that ssod is installed on the NIS master and that the ssod.config file contains the full path to the Makefile on the NIS master, so that ssod can rebuild the NIS maps after a change.

In addition, if you are using shadow passwords, edit the ssod.config file and set USE_SHADOW=1 (the default is 0) so that ssod updates the shadow password file rather than the passwd file.

To propagate password changes from UNIX to Windows NT or Windows 2000, you also need to install the supplied PAM module (pam_sso.so) on the UNIX computers.

Follow these steps to install Password Synchronization:

  1. Run Services for UNIX Setup.
  2. Click Typical Installation.
  3. Select Password Synchronization, and then select Run It From My Computer.

Supported Platforms

Password Synchronization is supported on the UNIX platforms in the following table, which lists the availability of the two modules shipped with SFU version 2.0 that must be installed on UNIX: the Windows-to-UNIX synchronization module (ssod) and the UNIX-to-Windows synchronization module (pam_sso.so).

Password Synchronization Supported Platforms

Platform                        Windows-to-UNIX module (ssod)   UNIX-to-Windows module (pam_sso.so)
Solaris 2.6 and above           Yes                             Yes
HP-UX 10.3 and above            Yes                             Yes
IBM AIX 4.2 and above           Yes                             No
Digital Tru64                   Yes                             Yes
Linux (Red Hat 5.2 and above)   Yes                             Yes

In addition, SFU also makes the source to the UNIX components available and third parties may port the modules to other UNIX platforms.

Lesson Summary

Password Synchronization in SFU provides features to synchronize user passwords between Windows and UNIX. Password Synchronization includes the following functions.

  • Synchronizes domain passwords for computers that are part of a Windows domain or for local passwords for standalone computers. It supports both Windows NT and Windows 2000.
  • Allows synchronization for UNIX based computers that are either standalone computers or those that are part of NIS or NIS+.
  • Sends passwords over the network encrypted with triple-DES under a symmetric key shared by the Windows and UNIX sides, so that passwords never cross the network in clear text.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
