Synchronizing passwords with an NIS domain
By using Password Synchronization, you can provide one-way (Windows-to-UNIX) and two-way password synchronization between Windows domains and Network Information Service (NIS) domains. You can do this regardless of whether the master server of the NIS domain is running a UNIX-based operating system or is a Windows-based computer running Server for NIS.
If the NIS master server is running a UNIX-based operating system, all that is required to provide one-way synchronization is to install Password Synchronization on all Windows-based computers (for example, on the domain controllers) from which you want to synchronize passwords, and then install the single sign-on daemon (SSOD) on the NIS master server. You then edit the sso.conf file on the NIS master server to do the following:
- Set USE_NIS to 1.
- Set NIS_UPDATE_PATH to specify the location of the NIS makefile.
This instructs the SSOD to run the makefile and push the changed maps whenever a password change request is received from the Windows domain. For more information and additional instructions, see Install the Password Synchronization daemon on UNIX-based computers.
If Server for NIS is the master server for the NIS domain, you can provide one-way password synchronization from Windows to UNIX by selecting Enable in the Windows to NIS (Active Directory) password synchronization area of the Configuration tab in the Password Synchronization Properties dialog box. Because enabling Windows to NIS (Active Directory) password synchronization can expose passwords to greater risk of unauthorized use, selecting Enable prompts you to run a compatibility check of all domain controllers in the forest, to verify that they have the minimum security features to help protect user passwords.
If you need to synchronize passwords with UNIX computers that are not part of the NIS domain, install Password Synchronization on Windows-based Active Directory Domain Services domain controllers and configure the UNIX computers as described earlier in this topic.
You can provide UNIX-to-Windows synchronization for both types of NIS domains by doing the following.
- If the NIS master server is running a UNIX-based operating system, configure the server for one-way synchronization as described earlier in this topic.
- Install Password Synchronization on all domain controllers. If the NIS master server is running a UNIX-based operating system, configure Password Synchronization on Windows-based servers for two-way synchronization with the master server. Finally, add each NIS client to the list of computers with which Password Synchronization works, taking care to enable UNIX-to-Windows synchronization and disable Windows-to-UNIX synchronization. Windows-to-UNIX synchronization should be enabled only for the NIS master server. For more information about adding and configuring computers, see Adding or removing computers for synchronization and Setting computer-specific synchronization properties.
- Install the Password Synchronization pluggable authentication module (PAM) on each NIS client, and then copy the sso.conf file from the master server to the /etc directory of those clients. For more information, see Install the Password Synchronization pluggable authentication module.
- If the NIS master server is a Windows-based computer running Server for NIS, copy Sso.cfg to one of the NIS clients, set SYNC_HOSTS to specify the computer running Server for NIS as the Windows-based computer with which to synchronize passwords, and then copy the file to the other UNIX clients. See Use sso.conf to configure Password Synchronization on UNIX-based computers to learn more about settings in this file.
- Configure each UNIX computer to allow users to use the yppasswd command to change their passwords. To do this, replace the yppasswd binary file on the UNIX computer with a link to the passwd binary file, and then edit the /etc/nsswitch.conf file to replace the passwd and shadow lines with:
  passwd: files [NOTFOUND=continue] nis
  shadow: files [NOTFOUND=continue] nis
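One way to verify the UNIX-side settings this topic describes (USE_NIS and NIS_UPDATE_PATH in sso.conf, and the passwd and shadow lines in /etc/nsswitch.conf), given here as an added example that is not part of the original documentation or the product. It assumes that sso.conf uses KEY=value lines and that NIS_UPDATE_PATH names either the makefile or the directory that contains it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not product code): audit the UNIX-side settings from this topic.
# Assumption: sso.conf holds KEY=value lines and "#" starts a comment line.

# conf_get FILE KEY -> value of KEY with surrounding whitespace trimmed
conf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1"
}

# nss_get FILE DB -> sources listed for DB, comments dropped, whitespace squeezed
nss_get() {
    sed -n "s/^[[:space:]]*${2}:[[:space:]]*//p" "$1" |
        sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/ $//'
}

# audit_nis_sync SSO_CONF NSSWITCH_CONF -> 0 if every check passes, 1 otherwise
audit_nis_sync() {
    sso=$1; nss=$2; rc=0
    want='files [NOTFOUND=continue] nis'

    # The SSOD only runs the NIS makefile when USE_NIS is 1.
    [ "$(conf_get "$sso" USE_NIS)" = 1 ] ||
        { echo "FAIL: USE_NIS is not 1 in $sso"; rc=1; }

    # Assumption: NIS_UPDATE_PATH may name the makefile or its directory.
    mk=$(conf_get "$sso" NIS_UPDATE_PATH)
    [ -n "$mk" ] && { [ -f "$mk" ] || [ -f "$mk/Makefile" ]; } ||
        { echo "FAIL: NIS_UPDATE_PATH '$mk' has no makefile"; rc=1; }

    # Both databases must match the lines given in the last step above.
    for db in passwd shadow; do
        got=$(nss_get "$nss" "$db")
        [ "$got" = "$want" ] ||
            { echo "FAIL: $db: '$got' (expected '$want')"; rc=1; }
    done
    return "$rc"
}

# Stand-alone use: pass the two files to audit on the command line.
if [ "$#" -eq 2 ]; then
    audit_nis_sync "$1" "$2" && echo "OK: settings match this topic"
fi
```

Run it against copies of the files, or against /etc/sso.conf and /etc/nsswitch.conf directly; a duplicated key or database line is reported as a failure rather than guessed at.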