Install the Password Synchronization pluggable authentication module

This section contains instructions on installing the pluggable authentication module (PAM) on computers running any of the following four UNIX-based operating system families: AIX, HP-UX, Linux, and Solaris.

To install the pluggable authentication module (PAM) on AIX

Perform the following steps to install the PAM on computers running IBM AIX.

To install the PAM on AIX
  1. Copy the file pam_sso.aix from \Unix\Bins on the Windows Server® 2008 R2 product disc to /usr/lib/ on the computer running IBM AIX. Note that the pam.conf entry added in step 6 refers to the module as /usr/lib/security/pam_sso.aix.1; whichever directory you use, the path in pam.conf must match the module's actual location, or PAM will not load it.

  2. Change the file name to pam_sso.aix.1.

  3. On the computer running AIX, log on as root, and then run the following command:

    chown root /usr/lib/pam_sso.aix.1
    chmod 555 /usr/lib/pam_sso.aix.1

  4. If necessary, create the /etc/pam.conf file according to your network requirements, setting the owner to root and the base permissions to 644. For more information about creating the pam.conf file, see "Pluggable Authentication Modules" in System Management Guides: Security Guide in your AIX documentation.

    The following is a sample pam.conf file:

    #
    # Authentication management
    #
    OTHER   auth     required   /usr/lib/security/pam_aix

    #
    # Account management
    #
    OTHER   account  required   /usr/lib/security/pam_aix

    #
    # Session management
    #
    OTHER   session  required   /usr/lib/security/pam_aix
    
  5. Open /etc/pam.conf by using a text editor.

  6. In the Password management section, add the following line:

    passwd password required /usr/lib/security/pam_sso.aix.1

    The following is a sample pam.conf file with this line added:

    #
    # Authentication management
    #
    OTHER   auth     required   /usr/lib/security/pam_aix

    #
    # Account management
    #
    OTHER   account  required   /usr/lib/security/pam_aix

    #
    # Session management
    #
    OTHER   session  required   /usr/lib/security/pam_aix

    #
    # Password management
    #
    passwd  password required   /usr/lib/security/pam_sso.aix.1
    
  7. Open /usr/lib/security/methods.cfg by using a text editor, and add the following two stanzas at the end of the file:

    PAM:
            program = /usr/lib/security/PAM

    PAMfiles:
            options = auth=PAM,db=BUILTIN

  8. Open /etc/security/user with a text editor and add authentication information for the specific users whose passwords you want to synchronize. For example:

    user1:
            admin = false
            SYSTEM = PAMfiles[*] AND "compat"
            registry = PAMfiles
    
Note

You can instead change the default stanza of /etc/security/user so that all users synchronize their passwords. In that case, restrict which accounts Password Synchronization handles with the SYNC_USERS attribute in /etc/sso.conf. For more information, see Use sso.conf to configure Password Synchronization on UNIX-based computers. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 6.
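The AIX steps above as one script that can be rehearsed before it touches the real host. This is an added example, not code from the Windows Server documentation or from Microsoft: it runs the copy, ownership, mode, pam.conf and methods.cfg steps against a tree rooted at $ROOT (a scratch directory for rehearsal, / for the real system) and verifies the module's owner and mode with ls -ld, because stat(1) differs between AIX and Linux. The function names, the $ROOT convention and the optional OWNER argument are this script's own assumptions; it places the module in /usr/lib/security/ so the path agrees with the pam.conf entry in step 6. The per-user /etc/security/user change (step 8) is left to chuser, since a stanza for an existing user already exists and must be updated rather than appended.

```shell
#!/bin/sh
# Added example (not from the Windows Server documentation): rehearse the AIX
# pam_sso installation against a tree rooted at $ROOT; ROOT=/ for the real host.
# Assumptions of this script: the function names, $ROOT, and the optional OWNER
# argument (root on a real system; the calling user when rehearsing unprivileged).

# check_module FILE OWNER : fail unless FILE is owned by OWNER and is exactly
# r-xr-xr-x (555). The module is loaded into every password change, so a
# group- or world-writable copy is a root-equivalent backdoor; verify it.
check_module() {
    mode=$(ls -ld "$1" | cut -c1-10)           # ls -ld is portable to AIX; stat(1) is not
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$mode" = "-r-xr-xr-x" ] || { echo "$1: mode $mode, want -r-xr-xr-x (555)" >&2; return 1; }
    [ "$owner" = "$2" ]        || { echo "$1: owner $owner, want $2" >&2; return 1; }
}

# install_module SRC DEST OWNER : steps 1-3 (copy, rename, chown, chmod 555).
install_module() {
    rm -f "$2"                                  # a previous 555 copy is not writable by cp
    cp "$1" "$2" && chown "$3" "$2" && chmod 555 "$2" && check_module "$2" "$3"
}

# ensure_line FILE LINE : append LINE unless an equivalent line (ignoring
# runs of blanks and tabs) is already present, so re-running never duplicates it.
ensure_line() {
    if awk -v want="$2" '{ $1 = $1 } $0 == want { f = 1 } END { exit !f }' "$1" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"                  # also creates pam.conf when it does not exist (step 4)
}

# ensure_stanza FILE NAME ATTR... : append an AIX stanza ("NAME:" followed by
# tab-indented "attr = value" lines) unless a stanza of that name exists.
ensure_stanza() {
    f=$1; name=$2; shift 2
    grep -q "^$name:" "$f" 2>/dev/null && return 0
    { printf '\n%s:\n' "$name"; for a in "$@"; do printf '\t%s\n' "$a"; done; } >> "$f"
}

# install_aix SRC [OWNER] : steps 1-7 of the procedure, re-runnable.
install_aix() {
    owner=${2:-root}
    R=${ROOT:-/}; R=${R%/}                     # "" when ROOT is "/", so "$R/etc/pam.conf" is /etc/pam.conf
    install_module "$1" "$R/usr/lib/security/pam_sso.aix.1" "$owner" || return 1
    ensure_line "$R/etc/pam.conf" "passwd password required /usr/lib/security/pam_sso.aix.1"
    ensure_stanza "$R/usr/lib/security/methods.cfg" PAM "program = /usr/lib/security/PAM"
    ensure_stanza "$R/usr/lib/security/methods.cfg" PAMfiles "options = auth=PAM,db=BUILTIN"
}

# Usage: ROOT=/tmp/rehearse sh install_pam_sso_aix.sh /cdrom/Unix/Bins/pam_sso.aix "$(id -un)"
#        sh install_pam_sso_aix.sh /cdrom/Unix/Bins/pam_sso.aix     # on the real host, as root
if [ $# -ge 1 ]; then install_aix "$@"; fi
```

After the real run, set the user attributes with the native tool rather than by editing /etc/security/user by hand, for example chuser registry=PAMfiles SYSTEM='PAMfiles[*] AND "compat"' user1, and re-run check_module from time to time: the mode and owner of the module are the only thing standing between a local user and code that executes inside every password change.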

To install the pluggable authentication module (PAM) on HP-UX

Perform the following steps to install the PAM on computers running Hewlett-Packard HP-UX.

To install the PAM on HP-UX
  1. Copy pam_sso.hpx from \Unix\Bins on the Windows Server 2008 R2 product disc to /usr/lib/security on the UNIX computer.

  2. Change the file name to pam_sso.hp.1, and then set its file-mode bits to 544.

    Note

    The file-mode bits for pam_sso.hp.1 must be set to 544 (owner r-x, group r--, other r--) or it will not function properly.

  3. On the computer running HP-UX, open /etc/pam.conf by using a text editor.

  4. In the Password management section, locate the following line:

    other	password required	/usr/lib/security/libpam_unix.1
    
  5. Immediately after the line located in the previous step, add the following line:

    other password required /usr/lib/security/pam_sso.hp.1

Note

To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 5. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer.

Sample HP-UX PAM configuration file

The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.

#
# PAM configuration
#
# Authentication management
#
login	auth required  /usr/lib/security/libpam_unix.1
su	 auth required  /usr/lib/security/libpam_unix.1
dtlogin  auth required  /usr/lib/security/libpam_unix.1
dtaction auth required  /usr/lib/security/libpam_unix.1
ftp	auth required  /usr/lib/security/libpam_unix.1
OTHER	auth required  /usr/lib/security/libpam_unix.1
#
# Account management
#
login	account required	 /usr/lib/security/libpam_unix.1
su	 account required	 /usr/lib/security/libpam_unix.1
dtlogin  account required	 /usr/lib/security/libpam_unix.1
dtaction account required	 /usr/lib/security/libpam_unix.1
ftp	account required	 /usr/lib/security/libpam_unix.1
#
OTHER	account required	 /usr/lib/security/libpam_unix.1
#
# Session management
#
login	session required	 /usr/lib/security/libpam_unix.1
dtlogin  session required	 /usr/lib/security/libpam_unix.1
dtaction session required	 /usr/lib/security/libpam_unix.1
OTHER	session required	 /usr/lib/security/libpam_unix.1
#
# Password management
#
login	password required	/usr/lib/security/libpam_unix.1
dtlogin  password required	/usr/lib/security/libpam_unix.1
dtaction password required	/usr/lib/security/libpam_unix.1
other	password required	/usr/lib/security/libpam_unix.1
other	password required	/usr/lib/security/pam_sso.hp.1

To install the pluggable authentication module (PAM) on Linux

Perform the following steps to install the PAM on computers running Linux.

To install the PAM on Linux
  1. Copy pam_sso.rhl from \Unix\Bins on the Windows Server 2008 R2 product disc to /lib/security on the UNIX computer, and change its name to pam_sso.so.1.

  2. On the UNIX computer, copy /etc/pam.d/system-auth to /etc/pam.d/ssod. Do this before editing system-auth, so that the ssod service (used by the Password Synchronization daemon for passwords arriving from Windows) keeps a stack that does not include pam_sso.

  3. Open /etc/pam.d/system-auth with a text editor, and locate the following line:

    password required /lib/security/pam_cracklib.so retry=3
    
  4. After the line in the previous step, add the following line:

    password required /lib/security/pam_sso.so.1

  5. Locate and delete the following line:

    password required /lib/security/pam_deny.so
    
  6. Save the modified file.

Note

These instructions apply to the typical Linux configuration. If you have configured PAM support differently, you might have to adjust them to your specific configuration. Keep the pam_sso.so.1 entry above the "password sufficient ... pam_unix.so" line: a sufficient module that succeeds ends the password stack immediately, so an entry below it would never run and synchronization would stop without any error. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.d/system-auth that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. The sample /etc/pam.d/system-auth that follows still shows the pam_deny.so password line; after step 5 it is absent.
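Steps 2 to 5 as a script that edits a copy of the pam.d directory and then checks that the new entry is actually reachable. This is an added example, not code from the Windows Server documentation or from Microsoft: the module path, the pam_cracklib anchor and the pam_deny removal are the ones in the steps above; the function names and the DIR argument are this script's own. The check matters because pam_unix.so is listed as sufficient: a sufficient module that succeeds ends the password stack at once, so a pam_sso.so.1 entry placed after it would never run and synchronization would stop silently.

```shell
#!/bin/sh
# Added example (not from the Windows Server documentation): apply steps 2-5
# to the system-auth file in DIR (use a copy of /etc/pam.d to rehearse) and
# verify that the pam_sso entry precedes the "sufficient" pam_unix line.
# Assumptions: the function names and the DIR argument are this script's own.

SSO_LINE='password required /lib/security/pam_sso.so.1'
CRACKLIB_RE='^password[ \t]+required[ \t]+.*pam_cracklib[.]so'   # awk ERE; \t becomes a tab via -v
DENY_RE='^[Pp]assword[ \t]+required[ \t]+.*pam_deny[.]so'

# insert_after FILE REGEX LINE : insert LINE after the first line matching
# REGEX. A no-op when LINE is already present; a failure (file untouched)
# when nothing matches, so the module is never appended at a random place.
insert_after() {
    grep -qF -- "$3" "$1" && return 0
    awk -v re="$2" -v line="$3" '
        { print }
        !done && $0 ~ re { print line; done = 1 }
        END { exit !done }' "$1" > "$1.tmp" && mv "$1.tmp" "$1" || { rm -f "$1.tmp"; return 1; }
}

# delete_matching FILE REGEX : remove every line matching REGEX (step 5).
delete_matching() {
    awk -v re="$2" '$0 !~ re' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sso_reachable FILE : true when a password-type pam_sso.so.1 entry exists and
# no "password sufficient" entry precedes it. A sufficient module that
# succeeds terminates the stack, so anything listed after it never runs.
sso_reachable() {
    awk '
        $1 == "password" && /pam_sso[.]so[.]1/ && !sso { sso = NR }
        $1 == "password" && $2 == "sufficient" && !suf { suf = NR }
        END { exit !(sso && (!suf || sso < suf)) }' "$1"
}

# patch_pamd DIR : step 2 (keep an unmodified copy as the ssod service), then
# steps 3-5 on system-auth, then the reachability check. Safe to re-run.
patch_pamd() {
    [ -e "$1/ssod" ] || cp "$1/system-auth" "$1/ssod" || return 1
    insert_after "$1/system-auth" "$CRACKLIB_RE" "$SSO_LINE" || return 1
    delete_matching "$1/system-auth" "$DENY_RE" || return 1
    sso_reachable "$1/system-auth" \
        || { echo "$1/system-auth: pam_sso.so.1 sits after a sufficient entry" >&2; return 1; }
}

# Usage: cp -a /etc/pam.d /tmp/pam.d && sh patch_pamd.sh /tmp/pam.d   # rehearse, then diff
if [ $# -ge 1 ]; then patch_pamd "$1"; fi
```

The sample system-auth below is a file that authconfig regenerates; re-running this script after authconfig (or running sso_reachable alone from a cron job) is a cheap way to notice that the entry has been overwritten.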

Sample Linux PAM configuration file

The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.

/etc/pam.d/passwd

#%PAM-1.0
auth	 required	 /lib/security/pam_stack.so service=system-auth
account	required	 /lib/security/pam_stack.so service=system-auth
password   required	 /lib/security/pam_stack.so service=system-auth


/etc/pam.d/ssod

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth		required	/lib/security/pam_env.so
auth		sufficient	/lib/security/pam_unix.so likeauth nullok
auth		required	/lib/security/pam_deny.so

account	 required	/lib/security/pam_unix.so

password	required	/lib/security/pam_cracklib.so retry=3 type=
password	sufficient	/lib/security/pam_unix.so nullok use_authtok shadow
password	required	/lib/security/pam_deny.so

session	 required	/lib/security/pam_limits.so
session	 required	/lib/security/pam_unix.so


/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth		required	/lib/security/pam_env.so
auth		sufficient	/lib/security/pam_unix.so likeauth nullok
auth		required	/lib/security/pam_deny.so

account	 required	/lib/security/pam_unix.so

password	required	/lib/security/pam_cracklib.so retry=3 type=
password	required	/lib/security/pam_sso.so.1
password	sufficient	/lib/security/pam_unix.so nullok use_authtok shadow
password	required	/lib/security/pam_deny.so

session	 required	/lib/security/pam_limits.so
session	 required	/lib/security/pam_unix.so

To install the pluggable authentication module (PAM) on Solaris

Perform the following steps to install the PAM on computers running Sun Solaris.

To install the PAM on Solaris
  1. Copy pam_sso.sol from the \Unix\Bins folder on the Windows Server 2008 R2 product disc to the /usr/lib/security directory on the UNIX computer, and change its name to pam_sso.so.1.

  2. On the UNIX computer, open /etc/pam.conf with a text editor.

  3. In the Password management section, locate the following line:

    other password required /usr/lib/security/$ISA/pam_unix.so.1
    
  4. Immediately following the line located in the step 3, add the following line:

    other password required /usr/lib/security/$ISA/pam_sso.so.1

Note

To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer.
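A check worth running on any pam.conf-style system (AIX, HP-UX, Solaris) once the entry is in place. This is an added example, not code from the Windows Server documentation or from Microsoft: it lists every service that has its own password stack and reports whether pam_sso is in it, because a service with explicit password entries never falls back to the other entries. In the HP-UX sample above, login, dtlogin and dtaction each carry their own password line for libpam_unix.1, so a password changed through those services (for example an expired one at login) is not synchronized; only the passwd path, which falls through to other, is. The script also flags a pam_sso entry placed before the local pam_unix entry, which would push a password to Windows before the local change had been accepted. The function names and the output format are this script's own.

```shell
#!/bin/sh
# Added example (not from the Windows Server documentation): audit a
# pam.conf-style file and report, per service that has its own "password"
# stack, whether the pam_sso module is part of it and in the right place.
# Assumptions: function names and the "<service> <status>" output format.

# audit_password_stacks FILE : one line per service with password entries:
#   "<service> OK"       pam_sso present, after the local pam_unix entry
#   "<service> MISSING"  no pam_sso entry; changes via this service never sync
#   "<service> ORDER"    pam_sso runs before pam_unix; Windows may get a
#                        password the local system then rejects
audit_password_stacks() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }              # comments, blanks, malformed lines
        tolower($2) != "password" { next }         # only the password module type
        {
            svc = tolower($1)                      # HP-UX files mix "OTHER" and "other"
            if (!(svc in seen)) { seen[svc] = 1; order[++n] = svc }
            pos[svc]++
            if ($4 ~ /pam_sso/ && !(svc in sso))       sso[svc] = pos[svc]
            else if ($4 ~ /pam_unix/ && !(svc in loc)) loc[svc] = pos[svc]   # libpam_unix.1 or pam_unix.so.1
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (!(s in sso))                         st = "MISSING"
                else if ((s in loc) && sso[s] < loc[s])  st = "ORDER"
                else                                     st = "OK"
                printf "%s %s\n", s, st
            }
        }' "$1"
}

# services_missing_sso FILE : just the names of services that need an entry.
services_missing_sso() {
    audit_password_stacks "$1" | awk '$2 == "MISSING" { print $1 }'
}

# Usage: sh audit_pam_conf.sh /etc/pam.conf
if [ $# -ge 1 ]; then audit_password_stacks "$1"; fi
```

For every service the audit reports as MISSING, add a "<service> password required <pam_sso path>" line directly after that service's pam_unix password line, exactly as the steps do for other; the other entry alone only covers services that have no password line of their own.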

Sample Solaris PAM configuration file

The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.

#
#ident  "@(#)pam.conf   1.14	99/09/16 SMI"
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
login   auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
#
rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
rsh	 auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login   account requisite	 /usr/lib/security/$ISA/pam_roles.so.1
login   account required		/usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite	 /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required		/usr/lib/security/$ISA/pam_unix.so.1
#
other   account requisite	 /usr/lib/security/$ISA/pam_roles.so.1
other   account required		/usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other   session required		/usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
other   password required   /usr/lib/security/$ISA/pam_unix.so.1
other   password required   /usr/lib/security/$ISA/pam_sso.so.1
dtsession auth required     /usr/lib/security/$ISA/pam_unix.so.1

#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin		auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin		account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass