Install the Password Synchronization pluggable authentication module

Applies To: Windows Server 2003 R2

This section contains instructions on installing the pluggable authentication module (PAM) on computers running any of the following four UNIX-based operating system families:

  • To install the pluggable authentication module (PAM) on AIX

  • To install the pluggable authentication module (PAM) on HP-UX

  • To install the pluggable authentication module (PAM) on Linux

  • To install the pluggable authentication module (PAM) on Solaris

To install the pluggable authentication module (PAM) on AIX

Perform the following steps to install the PAM on computers running IBM AIX.

To install the PAM on AIX

  1. Copy the file pam_sso.aix from \Unix\Bins on the Windows Server® 2008 product disc to /usr/lib/ on the computer running IBM AIX.

  2. Change the file name to pam_sso.aix.1.

  3. On the computer running AIX, log on as root, and then run the following commands:

    chown root /usr/lib/pam_sso.aix.1
    chmod 555 /usr/lib/pam_sso.aix.1

  4. If necessary, create the /etc/pam.conf file according to your network requirements, setting the owner to root and the base permissions to 644. For more information about creating the pam.conf file, see "Pluggable Authentication Modules" in System Management Guides: Security Guide in your AIX documentation.

    The following is a sample pam.conf file:

    # Authentication management
    OTHER   auth     required       /usr/lib/security/pam_aix
    
    # Account management
    OTHER   account  required       /usr/lib/security/pam_aix
    
    # Session management
    OTHER   session  required       /usr/lib/security/pam_aix
    
  5. Open /etc/pam.conf by using a text editor.

  6. In the Password management section, add the following line:

    passwd password required /usr/lib/security/pam_sso.aix.1

    The following is a sample pam.conf file with this line added:

    # Authentication management
    OTHER   auth     required       /usr/lib/security/pam_aix
    
    # Account management
    OTHER   account  required       /usr/lib/security/pam_aix
    
    # Session management
    OTHER   session  required       /usr/lib/security/pam_aix
    
    # Password management
    passwd   password required       /usr/lib/security/pam_sso.aix.1
    
  7. Open /usr/lib/security/methods.cfg by using a text editor, and add the following lines at the end of the file:

    PAM:
            program = /usr/lib/security/PAM

    PAMfiles:
            options = auth=PAM,db=BUILTIN

  8. Open /etc/security/user with a text editor and add authentication information for the specific users whose passwords you want to synchronize. For example:

    user1:
            admin = false
            SYSTEM = PAMfiles[*] AND "compat"
            registry = PAMfiles
    

Note

You can change the default section of /etc/security/user so that all users can synchronize their passwords. In that case, use the SYNC_USERS attribute in the /etc/sso.conf file to restrict access to Password Synchronization. For more information, see Use sso.conf to configure Password Synchronization on UNIX-based computers. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 6.

To install the pluggable authentication module (PAM) on HP-UX

Perform the following steps to install the PAM on computers running Hewlett-Packard HP-UX.

To install the PAM on HP-UX

  1. Copy pam_sso.hpx from \Unix\Bins on the Windows Server 2008 product disc to /usr/lib/security on the UNIX computer.

  2. Change the file name to pam_sso.hp.1, and then set its file-mode bits to 544.

Note

The file-mode bits for pam_sso.hp.1 must be set to 544 (o:r-x,g:r--,w:r--) or it will not function properly.

  3. On the computer running HP-UX, open /etc/pam.conf by using a text editor.

  4. In the Password management section, locate the following line:

    other    password required      /usr/lib/security/libpam_unix.1
    
  5. Immediately after the line located in the previous step, add the following line:

    other password required /usr/lib/security/pam_sso.hp.1

Note

To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 5. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer.

Sample HP-UX PAM configuration file

The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.

# PAM configuration
# Authentication management
login    auth required  /usr/lib/security/libpam_unix.1
su       auth required  /usr/lib/security/libpam_unix.1
dtlogin  auth required  /usr/lib/security/libpam_unix.1
dtaction auth required  /usr/lib/security/libpam_unix.1
ftp      auth required  /usr/lib/security/libpam_unix.1
OTHER    auth required  /usr/lib/security/libpam_unix.1
# Account management
login    account required       /usr/lib/security/libpam_unix.1
su       account required       /usr/lib/security/libpam_unix.1
dtlogin  account required       /usr/lib/security/libpam_unix.1
dtaction account required       /usr/lib/security/libpam_unix.1
ftp      account required       /usr/lib/security/libpam_unix.1
OTHER    account required       /usr/lib/security/libpam_unix.1
# Session management
login    session required       /usr/lib/security/libpam_unix.1
dtlogin  session required       /usr/lib/security/libpam_unix.1
dtaction session required       /usr/lib/security/libpam_unix.1
OTHER    session required       /usr/lib/security/libpam_unix.1
# Password management
login    password required      /usr/lib/security/libpam_unix.1
dtlogin  password required      /usr/lib/security/libpam_unix.1
dtaction password required      /usr/lib/security/libpam_unix.1
other    password required      /usr/lib/security/libpam_unix.1
other    password required      /usr/lib/security/pam_sso.hp.1

To install the pluggable authentication module (PAM) on Linux

Perform the following steps to install the PAM on computers running Linux.

To install the PAM on Linux

  1. Copy pam_sso.rhl from \Unix\Bins on the Windows Server 2008 product disc to /lib/security on the UNIX computer, and change its name to pam_sso.so.1.

  2. On the UNIX computer, copy /etc/pam.d/system-auth to /etc/pam.d/ssod.

  3. Open /etc/pam.d/system-auth with a text editor, and locate the following line:

    password    required    /lib/security/pam_cracklib.so retry=3
    
  4. After the line in the previous step, add the following line:

    password required /lib/security/pam_sso.so.1

  5. Locate and delete the following line:

    password    required    /lib/security/pam_deny.so
    
  6. Save the modified file.

Note

These instructions apply to the typical Linux configuration. If you have configured PAM support differently, you might have to adjust these instructions to your specific configuration. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.d/system-auth that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer.

Sample Linux PAM configuration file

The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.

/etc/pam.d/passwd

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth


/etc/pam.d/ssod

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so


/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    required      /lib/security/pam_sso.so.1
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

To install the pluggable authentication module (PAM) on Solaris

Perform the following steps to install the PAM on computers running Sun Solaris.

To install the PAM on Solaris

  1. Copy pam_sso.sol from the \Unix\Bins folder on the Windows Server 2008 product disc to the /usr/lib/security directory on the UNIX computer, and change its name to pam_sso.so.1.

  2. On the UNIX computer, open /etc/pam.conf with a text editor.

  3. In the Password management section, locate the following line:

    other password required /usr/lib/security/$ISA/pam_unix.so.1
    
  4. Immediately after the line located in step 3, add the following line:

    other password required /usr/lib/security/$ISA/pam_sso.so.1

Note

To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer.

Sample Solaris PAM configuration file

The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.

#ident  "@(#)pam.conf   1.14    99/09/16 SMI"
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
# PAM configuration
# Authentication management
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
login   auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
rlogin  auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required   /usr/lib/security/$ISA/pam_unix.so.1
rsh     auth required   /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
# Account management
login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
login   account required        /usr/lib/security/$ISA/pam_unix.so.1
dtlogin account requisite       /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required        /usr/lib/security/$ISA/pam_unix.so.1
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
# Session management
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
# Password management

other   password required       /usr/lib/security/$ISA/pam_unix.so.1
other  password required        /usr/lib/security/$ISA/pam_sso.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1

# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin        auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#dtlogin        account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  account optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  session optional /usr/lib/security/$ISA/pam_krb5.so.1
#other  password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
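
The HP-UX, Linux and Solaris procedures above each place the pam_sso entry directly after a specific line in the password stack. The following script is an added example, not part of the original documentation, that checks that placement in either file layout; the function name check_sso_after, its exit codes and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check where pam_sso sits in the password stack.
# Usage: check_sso_after FILE PREDECESSOR [SERVICE]
#   FILE         pam.conf layout (service type control module ...) or
#                /etc/pam.d layout (type control module ...)
#   PREDECESSOR  substring of the module that pam_sso must directly follow
#   SERVICE      service column to inspect in pam.conf layout (default: other)
# Exit status: 0 = pam_sso directly follows PREDECESSOR in that password stack
#              1 = pam_sso is present but not directly after PREDECESSOR
#              2 = no pam_sso password entry found
check_sso_after() {
    awk -v pred="$2" -v svc="${3:-other}" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            # /etc/pam.d files have no service column; detect by field 1.
            first = tolower($1)
            if (first == "auth" || first == "account" ||
                first == "password" || first == "session") {
                type = first; module = $3
            } else {
                # Entries for other services belong to a different stack.
                if (first != tolower(svc)) next
                type = tolower($2); module = $4
            }
            if (type != "password") next
            if (index(module, "pam_sso")) {
                found = 1
                if (index(prev, pred)) ok = 1
            }
            prev = module                   # previous entry in this stack
        }
        END { if (ok) exit 0; if (found) exit 1; exit 2 }
    ' "$1"
}

# Constructed sample in the HP-UX pam.conf layout (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Password management
login    password required      /usr/lib/security/libpam_unix.1
other    password required      /usr/lib/security/libpam_unix.1
other    password required      /usr/lib/security/pam_sso.hp.1
EOF
check_sso_after "$sample" libpam_unix.1
echo "HP-UX sample status: $?"
rm -f "$sample"
```

For the Linux procedure, pass pam_cracklib as PREDECESSOR and /etc/pam.d/system-auth as FILE; for Solaris, pass pam_unix.so.1 and /etc/pam.conf.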