How to do NIS Password Synchronization on R2

Setting up Password Synchronization between Windows AD and Unix for Centrify

All Domain Controllers are Windows 2003 R2.

A) On all machines using Centrify, please follow the steps below:

1) The following steps need to be done:

Enable IDMFU:

To install Password Synchronization:

• Click Start, click Control Panel, and then click Add or Remove Programs.

• Click Add/Remove Windows Components.

• When the Windows Components Wizard opens, fill the Active Directory Services check box.

• With Active Directory Services highlighted, click Details.

• When the Active Directory Services dialog box opens, fill the Identity Management for UNIX check box.

• With Identity Management for UNIX highlighted, click Details.

• When the Identity Management for UNIX dialog box opens, verify that Administration Components, Password Synchronization and Server for NIS are all checked. NOTE: Although the NIS Server will not be used, installing it enables you to set the “NIS Domain” for a user in ADUC, which the Password Synchronization tool requires in order to synchronize a user’s password.

• Click OK.

• The Windows Components Wizard begins installing the Identity Management for UNIX components you selected.

• If you are prompted to locate files required for Password Synchronization installation, insert the correct Windows Server 2003 R2 product CD, or browse to the network location of your Windows Server 2003 R2 installation files.


2) Enable password sync:

Next, enable the Password Sync in the Microsoft Identity Management for Unix console.

Start Menu -> All Programs -> Identity Management for Unix -> Microsoft Identity Management for UNIX. Right-click Password Synchronization and select “Properties”.

Click the “Configuration” tab.


Check the “Enable Windows to NIS (AD) Password Sync” box.

The system will ask to scan all the domain controllers; go ahead and confirm.

You might also want to check “Enable Extensive Logging” until everything is proven to be working OK.

After enabling the Windows to NIS Password Sync, check the Application log in Event Viewer for any events from the “NT to Unix Password Sync Service” source. You may find event ID 16386.

If this event has appeared, you need to change the Encryption/Decryption key in Identity Management for Unix | Password Synchronization Properties: click “New Key” and a different key will be generated. Note that this error will stop Password Synchronization from working until it is resolved.

3) Make sure we can read unixUserPassword

• By default, Microsoft’s Active Directory security permissions prevent anyone from reading this value

• The solution is to allow the servers which are running adnisd to read this value

• unixUserPassword is part of a set of attributes on the User security ACL, named “All Extended Rights”

• This has to be applied to all containers and organizational units which contain Active Directory User objects

Create a new AD Group object in an appropriate container or OU in Active Directory

• For example, if you have “OU=Unix Computers,DC=Account,DC=Demo”, this would be a great place for a Group named “NIS Servers”

Modify the Group

• Add the Computer objects to the Active Directory Group

• Only servers running adnisd need to be added to this Group

• For each organizational unit or container which contains Active Directory User objects:

    • Right-click the object and select “Properties”

    • Select the Security tab

    • Press “Advanced”

    • Press the “Add” button

    • Type the name of the new Active Directory Group

    • Press “Check Names”

    • Press “OK”

    • On the “Apply onto” drop-down, select “User Objects”

    • Next to “All Extended Rights”, check the “Allow” checkbox

    • Press OK several times

Note: this must be performed for each OU or container with User objects


4) DirectControl admin console

For every zone, enable agentless mode and select unixUserPassword.


Next you must force a password change for the user “informix” so that the password hash is written to the unixUserPassword attribute and is available to Centrify. You can do this with “Reset Password” in ADUC.

Once the above steps are done, please work with your DBA to verify that the unixUserPassword attribute contains the password hash.
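To confirm that steps 3 and 4 have taken effect, here is an added PowerShell check (not part of the original guide). It assumes the ActiveDirectory module with its AD: drive is available, the group is named “NIS Servers”, the domain is DC=Account,DC=Demo from the guide’s example, and the user is “informix”; adjust those values for your environment.

```powershell
# Added verification script (not from the original guide).
# Assumptions: ActiveDirectory module, group "NIS Servers", domain
# DC=Account,DC=Demo and user "informix" as in the guide's examples.
Import-Module ActiveDirectory

$GroupName     = 'NIS Servers'                                  # group created in step 3
$SearchBase    = 'DC=Account,DC=Demo'                           # domain from the guide's example
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

# ACEs carry a SID, so resolve the group to its SID once.
$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID

# Every OU or container that actually holds user objects must carry the ACE.
$containers = Get-ADUser -Filter * -SearchBase $SearchBase |
    ForEach-Object { ($_.DistinguishedName -split ',', 2)[1] } |
    Sort-Object -Unique

foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq [Guid]::Empty -and             # empty GUID = "All Extended Rights"
        $_.InheritedObjectType -eq $UserClassGuid -and   # "Apply onto: User Objects"
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
    }
    if ($match) { "OK      $dn" } else { "MISSING $dn" }
}

# Step 4 check: has the forced password change populated the attribute?
$u = Get-ADUser -Identity 'informix' -Properties unixUserPassword
if ($u.unixUserPassword) {
    "unixUserPassword is populated for $($u.SamAccountName)"
} else {
    "unixUserPassword is EMPTY for $($u.SamAccountName): reset the password and re-check"
}
```

Note that an ACE with an empty ObjectType grants the group every extended right on those user objects, not only what is needed to read unixUserPassword, so keep the group’s membership limited to the adnisd servers as the guide says.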
