This section contains instructions on installing the pluggable authentication module (PAM) on computers running any of the following four UNIX-based operating system families:
To install the pluggable authentication module (PAM) on AIX
Perform the following steps to install the PAM on computers running IBM AIX.
To install the PAM on AIX |
Copy the file pam_sso.aix from \Unix\Bins on the Windows Server® 2008 R2 product disc to /usr/lib/ on the computer running IBM AIX.
Change the file name to pam_sso.aix.1.
On the computer running AIX, log on as root, and then run the following command:
chown root /usr/lib/pam_sso.aix.1 chmod 555 /usr/lib/pam_sso.aix.1
If necessary, create the /etc/pam.conf file according to your network requirements, setting the owner to root and the base permissions to 644. For more information about creating the pam.conf file, see "Pluggable Authentication Modules" in System Management Guides: Security Guide in your AIX documentation.
The following is a sample pam.conf file
# # Authentication management # OTHER auth required /usr/lib/security/pam_aix # # Account management # OTHER account required /usr/lib/security/pam_aix # # Session management # OTHER session required /usr/lib/security/pam_aix
Open /etc/pam.conf by using a text editor.
In the Password management section, add the following line:
passwd password required /usr/lib/security/pam_sso.aix.1
The following is a sample pam.conf file with this line added.
# # Authentication management # OTHER auth required /usr/lib/security/pam_aix # # Account management # OTHER account required /usr/lib/security/pam_aix # # Session management # OTHER session required /usr/lib/security/pam_aix # # Password management # passwd password required /usr/lib/security/pam_sso.aix.1
Open /usr/lib/security/methods.cfg by using a text editor, and add the following lines at the end of the file:
PAM: program = /usr/lib/security/PAM
PAMfiles: options = auth=PAM,db=BUILTIN
Open /etc/security/user with a text editor and add authentication information for the specific users whose passwords you want to synchronize. For example:
user1: admin = false SYSTEM = PAMfiles[*] AND "compat" registry = PAMfiles
Note | |
You can choose to change the default section of /etc/security/user to allow all users to synchronize their passwords. In this case, to restrict access to Password Synchronization, you can use the SYNC_USERS attribute in the /etc/sso.conf file to restrict access. For more information, see Use sso.conf to configure Password Synchronization on UNIX-based computers. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 6. |
To install the pluggable authentication module (PAM) on HP-UX
Perform the following steps to install the PAM on computers running Hewlett-Packard HP-UX.
To install the PAM on HP-UX |
Copy pam_sso.hpx from \Unix\Bins on the Windows Server 2008 R2 product disc to /usr/lib/security on the UNIX computer.
Change the file name to pam_sso.hp.1, and then set its file-mode bits to 544.
Note The file-mode bits for pam_sso.hp.1 must be set to 544 (o:r-x,g:r--,w:r--) or it will not function properly.
On the computer running HP-UX, open /etc/pam.conf by using a text editor.
In the Password management section, locate the following line:
other password required /usr/lib/security/libpam_unix.1
Immediately after the line located in the previous step, add the following line:
other password required /usr/lib/security/pam_sso.hp.1
Note | |
To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 5. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. |
Sample HP-UX PAM configuration file
The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.
# # PAM configuration # # Authentication management # login auth required /usr/lib/security/libpam_unix.1 su auth required /usr/lib/security/libpam_unix.1 dtlogin auth required /usr/lib/security/libpam_unix.1 dtaction auth required /usr/lib/security/libpam_unix.1 ftp auth required /usr/lib/security/libpam_unix.1 OTHER auth required /usr/lib/security/libpam_unix.1 # # Account management # login account required /usr/lib/security/libpam_unix.1 su account required /usr/lib/security/libpam_unix.1 dtlogin account required /usr/lib/security/libpam_unix.1 dtaction account required /usr/lib/security/libpam_unix.1 ftp account required /usr/lib/security/libpam_unix.1 # OTHER account required /usr/lib/security/libpam_unix.1 # # Session management # login session required /usr/lib/security/libpam_unix.1 dtlogin session required /usr/lib/security/libpam_unix.1 dtaction session required /usr/lib/security/libpam_unix.1 OTHER session required /usr/lib/security/libpam_unix.1 # # Password management # login password required /usr/lib/security/libpam_unix.1 dtlogin password required /usr/lib/security/libpam_unix.1 dtaction password required /usr/lib/security/libpam_unix.1 other password required /usr/lib/security/libpam_unix.1 other password required /usr/lib/security/pam_sso.hp.1
To install the pluggable authentication module (PAM) on Linux
Perform the following steps to install the PAM on computers running Linux.
To install the PAM on Linux |
Copy pam_sso.rhl from \Unix\Bins on the Windows Server 2008 R2 product disc to /lib/security on the UNIX computer, and change its name to pam_sso.so.1.
On the UNIX computer, copy /etc/pam.d/system-auth to /etc/pam.d/ssod.
Open /etc/pam.d/system-auth with a text editor, and locate the following line:
password…..required…../lib/security/pam_cracklib.so…..retry=3
After the line in the previous step, add the following line:
password required /lib/security/pam_sso.so.1
Locate and delete the following line:
Password required /lib/security/pam_deny.so
Save the modified file.
Note | |
These instructions apply to the typical Linux configuration. If you have configured PAM support differently, you might have to adjust these instructions to your specific configuration. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.d/system-auth that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. |
Sample Linux PAM configuration file
The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.
/etc/pam.d/passwd #%PAM-1.0 auth required /lib/security/pam_stack.so service=system-auth account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth /etc/pam.d/ssod #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so retry=3 type= password sufficient /lib/security/pam_unix.so nullok use_authtok shadow password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so retry=3 type= password required /lib/security/pam_sso.so.1 password sufficient /lib/security/pam_unix.so nullok use_authtok shadow password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so
To install the pluggable authentication module (PAM) on Solaris
Perform the following steps to install the PAM on computers running Sun Solaris.
To install the PAM on Solaris |
Copy pam_sso.sol from the \Unix\Bins folder on the Windows Server 2008 R2 product disc to the /usr/lib/security directory on the UNIX computer, and change its name to pam_sso.so.1.
On the UNIX computer, open /etc/pam.conf with a text editor.
In the Password management section, locate the following line:
other password required /usr/lib/security/$ISA/pam_unix.so.1
Immediately following the line located in the step 3, add the following line:
other password required /usr/lib/security/$ISA/pam_sso.so.1
Note | |
To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 4. Before installing the pam_sso module, make sure that PAM support is properly installed and configured on the UNIX computer. |
Sample Solaris PAM configuration file
The following file samples show a typical configuration. Actual contents of these files may vary, depending on your system configuration.
# #ident "@(#)pam.conf 1.14 99/09/16 SMI" # # Copyright (c) 1996-1999, Sun Microsystems, Inc. # All Rights Reserved. # # PAM configuration # # Authentication management # login auth required /usr/lib/security/$ISA/pam_unix.so.1 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 # rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 # dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 # rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 other auth required /usr/lib/security/$ISA/pam_unix.so.1 # # Account management # login account requisite /usr/lib/security/$ISA/pam_roles.so.1 login account required /usr/lib/security/$ISA/pam_unix.so.1 # dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 # other account requisite /usr/lib/security/$ISA/pam_roles.so.1 other account required /usr/lib/security/$ISA/pam_unix.so.1 # # Session management # other session required /usr/lib/security/$ISA/pam_unix.so.1 # # Password management # other password required /usr/lib/security/$ISA/pam_unix.so.1 other password required /usr/lib/security/$ISA/pam_sso.so.1 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 # # Support for Kerberos V5 authentication (uncomment to use Kerberos) # #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 #other account optional /usr/lib/security/$ISA/pam_krb5.so.1 #other session optional /usr/lib/security/$ISA/pam_krb5.so.1 #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass