DOCUMENT:Q312946 21-MAY-2002 [winnt] TITLE :Using Services for UNIX to Synchronize Passwords with NIS Domain PRODUCT :Microsoft Windows NT PROD/VER::2.0,2.1 OEM Only,2.2 OEM Only,2.3 OEM Only,3.0 OPER/SYS: KEYWORDS:w2000sfu ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows Services for UNIX, versions 2.0, 2.1 OEM Only, 2.2 OEM Only, 2.3 OEM Only, 3.0 ------------------------------------------------------------------------------- SUMMARY ======= You can us Password Synchronization to provide one-way (Windows-to-UNIX) and two-way password synchronization between Windows-based domains and Network Information Service (NIS) domains. You can do this whether the master server of the NIS domain is running on UNIX or is running Windows (Server for NIS). MORE INFORMATION ================ If the NIS master server is running UNIX, you can provide one-way synchronization by following these steps: 1. Install Password Synchronization on all of the Windows-based computers (such as the domain controllers) from which you want to synchronize passwords. 2. Install the single-sign-on daemon (SSOD) on the NIS master server. 3. Edit the sso.conf file on the NIS master server as follows: a. Set USE_NIS to 1. b. Set NIS_UPDATE_PATH to specify the location of the NIS makefile file. This instructs the SSOD to run the makefile file and to push the changed maps when a password-change request is received from the Windows-based domain. If Server for NIS is acting as the master server for the NIS domain, you do not have to do anything to provide one-way password synchronization. When a Windows user changes his or her password, Server for NIS automatically updates the UNIX password for NIS clients. If you also want to synchronize passwords with UNIX computers that are not part of the NIS domain, you can install Password Synchronization on the Windows-based domain controllers and configure the UNIX computers as described earlier in this article. Providing UNIX-to-Windows synchronization is similar for both types of NIS domains. To do this: 1. If the NIS master server is running UNIX, configure it for one-way synchronization as described earlier in this article. 2. Install Password Synchronization on all domain controllers. If the NIS master server is a UNIX computer, configure Password Synchronization on Windows for two-way synchronization with the master server. Add each NIS client to the list of computers that Password Synchronization synchronizes with. Make sure to turn on UNIX-to-Windows synchronization and to turn off Windows-to-UNIX synchronization. Windows-to-UNIX synchronization must be turned on only for the NIS master. 3. Install the Password Synchronization pluggable authentication module (PAM) on each NIS client, and then copy the sso.conf file from the master server to the /etc folder on those clients. 4. If the NIS master server is a Windows-based computer that runs Server for NIS, copy the Sso.cfg file to one of the NIS clients. Set SYNC_HOSTS to specify the computer that is running Server for NIS as the Windows-based computer with which to synchronize passwords, and then copy that file to the other UNIX clients. 5. Configure each UNIX computer to allow users to use the yppasswd command to change their passwords. To do this, replace the yppasswd binary file on the UNIX computer with a link to the passwd binary file, and then edit the /etc/nsswitch.conf file to replace the passwd and shadow lines with the following lines: passwd: files [NOTFOUND=continue] nis shadow: files [NOTFOUND=continue] nis After you do this, when a user runs the yppasswd command to change his or her password, the passwd binary file is run to change the password. If the user's passwd entry is not found in the local passwd and shadow files, the NIS password is changed instead. Additional query words: SFU sync sso.conf solar coaster solarcoaster interix ====================================================================== Keywords : w2000sfu Technology : kbWinServiceUNIX200 kbWinServiceUNIXSearch kbWinServiceUNIX300 kbWinServiceUNIX210OEM kbWinServiceUNIX220OEM Version : :2.0,2.1 OEM Only,2.2 OEM Only,2.3 OEM Only,3.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.