Synchronizing passwords with an NIS domain

Applies To: Windows Server 2003 R2

Using Password Synchronization, you can provide one-way (Windows-to-UNIX) and two-way password synchronization between Windows domains and Network Information Service (NIS) domains. You can do this regardless of whether the master server of the NIS domain is running on UNIX or on Windows (Server for NIS).

If the NIS master server is running UNIX, all that is required to provide one-way synchronization is to install Password Synchronization on all Windows-based computers (for example, on the domain controllers) from which you want to synchronize passwords, and then install the single sign-on daemon (SSOD) on the NIS master server. You then edit the sso.conf file on the NIS master server to do the following:

  • Set USE_NIS to 1

  • Set NIS_UPDATE_PATH to specify the location of the NIS makefile

This instructs the SSOD to run the makefile and push the changed maps whenever a password change request is received from the Windows domain. For more information and additional instructions, see Install the Password Synchronization daemon.
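The two sso.conf settings above are what let the SSOD rebuild and push the NIS maps; a check that they are in place before relying on the daemon is worth having. The following POSIX shell script is an added example and is not part of the Microsoft documentation or of Password Synchronization itself. It assumes sso.conf uses KEY=VALUE lines with `#` comments, accepts NIS_UPDATE_PATH as either the makefile or its directory, and builds its sample sso.conf and makefile in a temporary directory rather than reading the real file:

```shell
#!/bin/sh
# Added example (not from the Microsoft documentation): check an sso.conf on the
# NIS master server for the two settings this topic requires for one-way
# (Windows-to-UNIX) synchronization. Assumes sso.conf uses KEY=VALUE lines with
# '#' comments; the sample file and makefile directory are constructed below.

# Print the value of key $2 from the sso.conf at $1 (last definition wins);
# comment lines are ignored and nothing is printed when the key is absent.
sso_get() {
    sed -n "/^[[:space:]]*#/d; s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when USE_NIS is 1 and NIS_UPDATE_PATH names either the NIS makefile
# itself or a directory containing one; otherwise report each problem on stderr
# and return 1. Without both, the SSOD has no makefile to run after a change.
check_sso_nis() {
    conf=$1
    rc=0
    use_nis=$(sso_get "$conf" USE_NIS)
    if [ "$use_nis" != 1 ]; then
        echo "$conf: USE_NIS is '${use_nis:-unset}', expected 1" >&2
        rc=1
    fi
    upd=$(sso_get "$conf" NIS_UPDATE_PATH)
    if [ -z "$upd" ]; then
        echo "$conf: NIS_UPDATE_PATH is not set" >&2
        rc=1
    elif [ ! -f "$upd" ] && [ ! -f "$upd/Makefile" ]; then
        echo "$conf: no NIS makefile at NIS_UPDATE_PATH=$upd" >&2
        rc=1
    fi
    return $rc
}

# Build a constructed sample: a makefile directory and an sso.conf pointing at it.
# Prints the temporary root directory so the caller can inspect or remove it.
make_sample_sso() {
    d=$(mktemp -d)
    mkdir -p "$d/var/yp"
    : > "$d/var/yp/Makefile"
    printf '%s\n' '# constructed sample sso.conf' \
        'USE_NIS=1' \
        "NIS_UPDATE_PATH=$d/var/yp" > "$d/sso.conf"
    echo "$d"
}

# Stand-alone run: build the sample, check it, and clean up.
d=$(make_sample_sso)
if check_sso_nis "$d/sso.conf"; then
    echo "$d/sso.conf: NIS push settings present"
fi
rm -rf "$d"
```

To check a real master server, call `check_sso_nis /etc/sso.conf` (or wherever the daemon's copy lives) instead of the constructed sample; a non-zero exit with the reasons on stderr tells you which of the two settings still needs editing.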

If Server for NIS is acting as the master server for the NIS domain, no action is required to provide one-way password synchronization because whenever a Windows user's password is changed, Server for NIS automatically updates the UNIX password for NIS clients. If you also need to synchronize passwords with UNIX computers that are not part of the NIS domain, you can install Password Synchronization on the Windows domain controllers and configure the UNIX computers as described earlier in this topic.

Providing UNIX-to-Windows synchronization is similar for both types of NIS domains, and is accomplished by performing the following operations:

  • If the NIS master server is running UNIX, set it up for one-way synchronization as described earlier in this topic.

  • Install Password Synchronization on all domain controllers. If the NIS master server is a UNIX computer, configure Password Synchronization on Windows for two-way synchronization with the master server. Finally, add each NIS client to the list of computers that Password Synchronization will synchronize with, enabling UNIX-to-Windows synchronization and disabling Windows-to-UNIX synchronization for each client. Windows-to-UNIX synchronization should be enabled only for the NIS master server. For more information about adding and configuring computers, see Add and remove computers for synchronization and Set computer-specific synchronization properties.

  • Install the Password Synchronization pluggable authentication module (PAM) on each NIS client, and then copy the sso.conf file from the master server to the /etc directory of those clients.

  • If the NIS master server is a Windows-based computer running Server for NIS, copy sso.conf to one of the NIS clients, set SYNC_HOSTS to specify the computer running Server for NIS as the Windows-based computer to synchronize passwords with, and then copy that file to the other UNIX clients. See Using sso.conf to configure Password Synchronization on the UNIX computer to learn more about the settings in this file.

  • Configure each UNIX computer to allow users to use the yppasswd command to change their passwords. To do this, replace the yppasswd binary file on the UNIX computer with a link to the passwd binary file, and then edit the /etc/nsswitch.conf file to replace the passwd and shadow lines with the following:

    passwd:  files [NOTFOUND=continue] nis
    shadow:  files [NOTFOUND=continue] nis

    After you do this, when a user runs the yppasswd command to change their password, it is actually the passwd binary file that runs. If the user's entry is not found in the local passwd and shadow files, the lookup continues to NIS and the NIS password is changed instead.
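The last step, the yppasswd link and the nsswitch.conf edit, is easy to get subtly wrong on a live client (a lost original binary, or a stray second passwd: line that changes lookup order). The following POSIX shell script is an added example, not part of the Microsoft documentation or of Password Synchronization; it performs both changes against a constructed sandbox (a fake passwd binary under `$root/usr/bin` and a sample nsswitch.conf under `$root/etc`) so the result can be inspected before the same functions are pointed at the real /etc and bin directories. The sandbox layout, the `.bak` and `.orig` backup names, and the function names are assumptions made for the example:

```shell
#!/bin/sh
# Added example (not from the Microsoft documentation): apply the client-side
# changes from the last step to a sandbox instead of the live system. The sandbox
# layout, the .bak/.orig backup names and the function names are assumptions.

# Rewrite the passwd and shadow lines of the nsswitch.conf given as $1 to the
# "files [NOTFOUND=continue] nis" form. Other lines are left untouched, a missing
# passwd or shadow line is appended, and the original is kept as $1.bak.
set_nsswitch_nis() {
    f=$1
    cp "$f" "$f.bak"
    awk '
        /^[ \t]*passwd:/ { print "passwd:  files [NOTFOUND=continue] nis"; seen_p = 1; next }
        /^[ \t]*shadow:/ { print "shadow:  files [NOTFOUND=continue] nis"; seen_s = 1; next }
        { print }
        END {
            if (!seen_p) print "passwd:  files [NOTFOUND=continue] nis"
            if (!seen_s) print "shadow:  files [NOTFOUND=continue] nis"
        }' "$f.bak" > "$f"
}

# Return 0 when both lines in $1 have exactly the form this topic requires.
nsswitch_ok() {
    grep -q '^passwd:[ ]*files \[NOTFOUND=continue\] nis$' "$1" &&
    grep -q '^shadow:[ ]*files \[NOTFOUND=continue\] nis$' "$1"
}

# Replace yppasswd in the bin directory $1 with a symbolic link to passwd,
# keeping a real (non-link) yppasswd as yppasswd.orig.
link_yppasswd() {
    bindir=$1
    [ -f "$bindir/passwd" ] || { echo "passwd not found in $bindir" >&2; return 1; }
    if [ -e "$bindir/yppasswd" ] && [ ! -L "$bindir/yppasswd" ]; then
        mv "$bindir/yppasswd" "$bindir/yppasswd.orig"
    fi
    ln -sf passwd "$bindir/yppasswd"
}

# Return 0 when yppasswd in $1 is a link that resolves to passwd.
yppasswd_linked() {
    [ -L "$1/yppasswd" ] && [ "$(readlink "$1/yppasswd")" = "passwd" ]
}

# Build the constructed sandbox: two tiny stand-in binaries and a typical
# nsswitch.conf that still uses compat lookups. Prints the sandbox root.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc"
    printf '#!/bin/sh\necho passwd called\n' > "$root/usr/bin/passwd"
    printf '#!/bin/sh\necho yppasswd called\n' > "$root/usr/bin/yppasswd"
    chmod +x "$root/usr/bin/passwd" "$root/usr/bin/yppasswd"
    printf '%s\n' '# constructed sample nsswitch.conf' \
        'passwd:     compat' \
        'shadow:     compat' \
        'group:      compat' \
        'hosts:      files dns' > "$root/etc/nsswitch.conf"
    echo "$root"
}

# Stand-alone run: configure the sandbox, show the outcome, then remove it.
root=$(make_sandbox)
set_nsswitch_nis "$root/etc/nsswitch.conf"
link_yppasswd "$root/usr/bin"
cat "$root/etc/nsswitch.conf"
ls -l "$root/usr/bin/yppasswd"
"$root/usr/bin/yppasswd"
if nsswitch_ok "$root/etc/nsswitch.conf" && yppasswd_linked "$root/usr/bin"; then
    echo "sandbox client configured"
fi
rm -rf "$root"
```

On a real client the same calls would be `set_nsswitch_nis /etc/nsswitch.conf` and `link_yppasswd` with the directory that holds the passwd and yppasswd binaries on that system, run as root; running `nsswitch_ok` and `yppasswd_linked` afterwards confirms the state the topic describes, and the `.bak` and `.orig` copies let you revert if yppasswd behaves unexpectedly.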