The Microsoft Windows SFU add-on pack includes Password Synchronization. This allows synchronization of a user's password from Windows to UNIX as well as from UNIX to Windows.
In many enterprises, the computer network consists of heterogeneous systems with both Windows- and UNIX-based computers. These systems are managed separately and are governed by different access policies. Most importantly, Windows- and UNIX-based computers use different mechanisms for authenticating users. Many users have to access both systems for a variety of reasons. Consequently, users need to maintain different user accounts and different passwords on these systems.
Maintaining two passwords on two different systems is difficult for users. It maintains an artificial barrier between two kinds of systems that are part of the same network. With different password update schedules, users may forget one or more of their passwords. Administrative intervention is then required to reset them. Together, this results in a loss of productivity.
Keeping two different passwords also burdens administrators. Whenever a user password needs to be reset, administrators have to change one password or the other or change them using two different mechanisms. Many enterprises have different system administrators for Windows and UNIX, a separation that may require users to contact a different system administrator depending on the issue.
SFU addresses this problem with Password Synchronization, which simplifies management of network passwords. It makes it easy for users of both Windows- and UNIX-based systems by allowing them to use the same password on both systems.
After this lesson, you will be able to
Estimated lesson time: 15 minutes
Password Synchronization has two independent components—Windows-to-UNIX password synchronization and UNIX-to-Windows password synchronization. Of these, Windows-to-UNIX password synchronization is provided by default while UNIX-to-Windows password synchronization is optional.
When a user changes a password on a computer, the Password Synchronization client software captures the new password and sends a password change request containing the new password to the Password Synchronization server software running on the other computers that take part in synchronization. Password Synchronization uses TCP/IP sockets for communication and triple-DES (an encryption standard) for encrypting and decrypting passwords and related information sent from Windows to UNIX and vice versa. Using standard communication protocols means that no other software needs to be installed for this feature to work.
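To make the exchange described above concrete, the following Go program is an added example, not SFU code and not SFU's wire format. It models the two sides of a password change request: the sender encrypts the request with triple-DES in CBC mode under a key shared by the participating computers, and the receiver decrypts it under the same key and accepts only a well-formed request. The request framing (a PWCHG tag with NUL-separated fields), the function names and the 24-byte demo keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// requestTag marks a password-change request; fields are NUL-separated because
// passwords may contain spaces. Constructed framing, not SFU's wire format.
const requestTag = "PWCHG"

type PasswordChange struct {
	User        string
	NewPassword string
}

// buildRequest serialises a request as TAG\0user\0newpassword.
func buildRequest(user, newPassword string) string {
	return strings.Join([]string{requestTag, user, newPassword}, "\x00")
}

// parseRequest checks the framing and extracts the fields.
func parseRequest(plaintext string) (PasswordChange, error) {
	parts := strings.Split(plaintext, "\x00")
	if len(parts) != 3 || parts[0] != requestTag || parts[1] == "" {
		return PasswordChange{}, errors.New("malformed password change request")
	}
	return PasswordChange{User: parts[1], NewPassword: parts[2]}, nil
}

func pkcs7Pad(msg []byte, blockSize int) []byte {
	n := blockSize - len(msg)%blockSize
	return append(msg, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips padding and rejects anything inconsistent, which is how
// this demo notices a message decrypted under the wrong key.
func pkcs7Unpad(msg []byte, blockSize int) ([]byte, error) {
	n := 0
	if len(msg) > 0 {
		n = int(msg[len(msg)-1])
	}
	pad := bytes.Repeat([]byte{byte(n)}, n)
	if n == 0 || n > blockSize || n > len(msg) || !bytes.Equal(msg[len(msg)-n:], pad) {
		return nil, errors.New("invalid padding")
	}
	return msg[:len(msg)-n], nil
}

// encryptRequest models the sending side (a domain controller in the
// Windows-to-UNIX direction): 3DES-CBC with a fresh random IV prepended.
func encryptRequest(key []byte, plaintext string) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key) // exactly 24 key bytes
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad([]byte(plaintext), des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// handleRequest models the receiving side (ssod): decrypt under the same
// shared key, strip padding, and accept only a well-formed request.
func handleRequest(key, msg []byte) (PasswordChange, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return PasswordChange{}, err
	}
	if len(msg) < 2*des.BlockSize || len(msg)%des.BlockSize != 0 {
		return PasswordChange{}, errors.New("ciphertext has invalid length")
	}
	iv, ct := msg[:des.BlockSize], msg[des.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	plain, err := pkcs7Unpad(pt, des.BlockSize)
	if err != nil {
		return PasswordChange{}, err
	}
	return parseRequest(string(plain))
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed demo key
	msg, _ := encryptRequest(key, buildRequest("alice", "new Passw0rd!"))
	pc, err := handleRequest(key, msg)
	fmt.Printf("receiver parsed user=%q err=%v\n", pc.User, err)
	_, err = handleRequest([]byte("fedcba9876543210fedcba98"), msg)
	fmt.Println("mismatched key on receiver:", err)
}
```

Running the program shows the receiver parsing the request under the matching key and rejecting it under a different one. Two points follow for a practitioner: every participating host must hold the identical shared secret, so wherever a deployment stores it needs the same protection as a password store; and triple-DES has since been deprecated by NIST, while encryption alone provides confidentiality, not integrity, so a receiver relying only on padding and framing checks as this demo does cannot reliably detect a tampered message.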
System administrators may elect to install Password Synchronization independent of other features in SFU. This feature does not depend on other features of SFU, and other features do not depend on Password Synchronization. Server for NIS, however, offers an upgrade path from this feature: it not only provides password synchronization but also handles account management.
SFU Password Synchronization supports synchronization of password changes from Windows NT- or Windows 2000-based computers to UNIX computers. Windows-based computers may be part of a domain or may be standalone computers.
In order to synchronize users' domain passwords with those of UNIX computers, the password synchronization component must be installed on all domain controllers in that domain. In Windows NT 4, this consisted of the primary domain controller and all backup domain controllers. In Windows 2000, this consists of all peer domain controllers. This is necessary because, when a Windows user changes a password, the password change may be processed at any of the domain controllers depending on network configuration.
In order to set up Windows-to-UNIX password synchronization, a password change service, ssod, must be installed on all UNIX computers on which the password must be synchronized. If a user's NIS or NIS+ password should be synchronized, ssod should be installed on the NIS or NIS+ master servers. In order to set up password synchronization on UNIX, an administrator needs to configure the sso.conf file. Similarly, the Password Synchronization feature must be installed on the Windows-based computers that participate in synchronization. Password Synchronization should be configured using the SFU Administration console. Note that Password Synchronization must be configured in an identical manner on all domain controllers.
The sequence of events is as follows:
This password is propagated to other domain controllers in the domain through domain replication.
Password synchronization for local users works very similarly to that for domain users. Instead of the password synchronization component being installed on domain controllers, it should be installed on the computer from which the password is to be synchronized.
Password synchronization works exactly the same as in the above case, except that the password changes synchronized with UNIX computers are those of local users on Windows-based computers rather than those of domain users. It can be configured in exactly the same way as in the above case. UNIX computers see no difference between the two cases.
Password synchronization may be configured for UNIX-to-Windows password synchronization. This allows users to change passwords either on a Windows-based computer or a UNIX computer. This way, users do not have to change their usage patterns.
Password synchronization on UNIX supports and uses Pluggable Authentication Modules (PAM). Password synchronization from UNIX to Windows supports synchronization with domain passwords or local passwords.
For UNIX-to-Windows password synchronization, administrators need to install the password synchronization pluggable module (typically called pam_sso.so) on all UNIX computers on which users may change their UNIX passwords. Similarly, Password Synchronization must be installed on all Windows-based computers on which the passwords must be synchronized. If the user's domain password must be synchronized to a UNIX password, Password Synchronization must be installed on all Windows domain controllers. On the other hand, if the user's local password must be synchronized to a UNIX password, Password Synchronization must be installed on that Windows-based computer.
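Because the module only takes effect where it is actually present in the PAM password stack of the service a user changes a password through, an administrator wants a way to check each UNIX host's configuration. The following Go program is an added example (not part of SFU) that audits a file in /etc/pam.conf layout, reporting for every service with a "password" stack whether that stack references a pam_sso module. The sample configuration, the module path /usr/lib/security/pam_sso.so.1 and the function names are constructed for the example; the page only states that the module is typically called pam_sso.so.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed sample in /etc/pam.conf layout:
//   service  module_type  control_flag  module_path  [options]
// The pam_sso.so path is an assumption made for this example.
const samplePamConf = `
# login authentication (unrelated to synchronization)
login    auth      required   /usr/lib/security/pam_unix.so.1
# fallback password stack carries the synchronization module
other    password  required   /usr/lib/security/pam_unix.so.1
other    password  optional   /usr/lib/security/pam_sso.so.1
# passwd defines its own password stack, so "other" does not apply to it
passwd   password  required   /usr/lib/security/pam_unix.so.1
`

// pamConfAudit lists, for every service that defines a "password" stack,
// whether that stack references a pam_sso module.
type pamConfAudit struct {
	WithSSO    []string
	WithoutSSO []string
}

func auditPamConf(conf string) pamConfAudit {
	hasSSO := map[string]bool{}
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 4 || f[1] != "password" {
			continue // not a password-stack entry
		}
		service := f[0]
		if _, seen := hasSSO[service]; !seen {
			hasSSO[service] = false
		}
		// Match pam_sso.so and versioned names such as pam_sso.so.1.
		if strings.HasPrefix(path.Base(f[3]), "pam_sso.so") {
			hasSSO[service] = true
		}
	}
	var a pamConfAudit
	for service, ok := range hasSSO {
		if ok {
			a.WithSSO = append(a.WithSSO, service)
		} else {
			a.WithoutSSO = append(a.WithoutSSO, service)
		}
	}
	sort.Strings(a.WithSSO)
	sort.Strings(a.WithoutSSO)
	return a
}

func main() {
	a := auditPamConf(samplePamConf)
	fmt.Println("password stacks with pam_sso:   ", a.WithSSO)
	fmt.Println("password stacks without pam_sso:", a.WithoutSSO)
}
```

On the sample the audit reports "other" as carrying the module and "passwd" as lacking it. That is the case to watch for: in pam.conf the "other" entries apply only to services that have no entries of their own for that module type, so a service with an explicit password stack, such as passwd here, must list the synchronization module itself or password changes made through it will never reach Windows.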
The sequence of events is as follows:
If you select Password Synchronization, you need to install a copy of Password Synchronization on each Windows 2000 Professional-based computer that needs access to NFS files or on each domain controller in the domain.
You also need to install the single sign-on daemon (ssod) on the UNIX-based computer with which you synchronize passwords. If you are using NIS, verify that SSOD is installed on the NIS master and that the ssod.config file is configured with the full path to the Makefile located on the NIS master.
In addition, if you are using shadow passwords, edit the ssod.config file and set USE_SHADOW equal to 1 (default is 0).
For propagating password changes from UNIX to Windows NT or Windows 2000, you need to install the supplied Windows NT PAM on UNIX.
Follow these steps to install Password Synchronization:
Password Synchronization is supported on the UNIX platforms listed in the following table, which shows the availability in SFU version 2.0 of the two components that must be installed on UNIX: the Windows-to-UNIX synchronization module (ssod) and the UNIX-to-Windows synchronization module (pam_sso.so).
Password Synchronization Supported Platforms

| Platform | Windows-to-UNIX synchronization module (ssod) | UNIX-to-Windows synchronization module (pam_sso.so) |
|---|---|---|
| Solaris 2.6 and above | Yes | Yes |
| HP-UX 10.3 and above | Yes | Yes |
| IBM AIX 4.2 and above | Yes | No |
| Linux (Red Hat 5.2 and above) | Yes | Yes |
In addition, SFU makes the source code of the UNIX components available, so third parties may port the modules to other UNIX platforms.
Password Synchronization in SFU provides features to synchronize user passwords between Windows and UNIX. Password Synchronization includes the following functions.