Install the pluggable authentication module (PAM) on AIX
Applies To: Windows Server 2003 R2
To install the pluggable authentication module (PAM) on AIX
1. Copy pam_sso.aix from IDMU\Unix\Bins on the Windows Server 2003 R2 CD to /usr/lib/ on the UNIX computer, and change its name to pam_sso.aix.1.
2. On the UNIX computer, log on as root, and then enter the following commands:

    chown root /usr/lib/pam_sso.aix.1
    chmod 555 /usr/lib/pam_sso.aix.1

3. If necessary, create the /etc/pam.conf file according to your network requirements, setting the owner to root and the base permissions to 644. For more information about creating the pam.conf file, see "Pluggable Authentication Modules" in System Management Guides: Security Guide in your AIX documentation.

   Sample pam.conf file

    # Authentication management
    OTHER auth required /usr/lib/security/pam_aix
    # Account management
    OTHER account required /usr/lib/security/pam_aix
    # Session management
    OTHER session required /usr/lib/security/pam_aix

4. Open /etc/pam.conf with a text editor.
5. In the Password management section, add the following line:

    passwd password required /usr/lib/security/pam_sso.aix.1

   Sample pam.conf file with this line added

    # Authentication management
    OTHER auth required /usr/lib/security/pam_aix
    # Account management
    OTHER account required /usr/lib/security/pam_aix
    # Session management
    OTHER session required /usr/lib/security/pam_aix
    # Password management
    passwd password required /usr/lib/security/pam_sso.aix.1

6. Open /usr/lib/security/methods.cfg with a text editor and add the following lines at the end of the file:

    PAM:
            program = /usr/lib/security/PAM

    PAMfiles:
            options = auth=PAM,db=BUILTIN

7. Open /etc/security/user with a text editor and add authentication information for the specific users whose passwords you want to synchronize. For example:

    user1:
            admin = false
            SYSTEM = PAMfiles[*] AND "compat"
            registry = PAMfiles
Note
You can change the default section of /etc/security/user to allow all users to synchronize their passwords. In this case, you can restrict access to Password Synchronization with the SYNC_USERS attribute in the /etc/sso.conf file. For more information, see Using sso.conf to configure Password Synchronization on the UNIX computer. To disable UNIX-to-Windows password synchronization, remove the entry in /etc/pam.conf that you added in step 5.
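The following script is an added example, not part of the original procedure. It audits the result of the steps above: /etc/pam.conf has mode 644 and the expected owner, the pam_sso module at the path named in the passwd entry of pam.conf has mode 555 and the expected owner, and methods.cfg contains the PAM and PAMfiles stanzas. The function names and the ROOT and OWNER arguments are assumptions introduced here so that the audit can also run against a staged copy of the files.

```shell
#!/bin/sh
# Added example: audit the files changed by the installation procedure.
# Usage on the AIX host, as root:  audit_pam_sso "" root
# ROOT (path prefix) and OWNER are hypothetical parameters for testing on a staged tree.

# has_perm FILE MODE OWNER: succeed only if FILE exists with exactly MODE and belongs to OWNER.
# find -perm with a plain octal number is an exact match, so no stat(1) is needed.
has_perm() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm "$2" -user "$3" 2>/dev/null)" ]
}

# sso_module CONF: print the module path from the "passwd password ..." entry for pam_sso.
# Commented-out entries do not match because their first field starts with '#'.
sso_module() {
    awk '$1 == "passwd" && $2 == "password" && $4 ~ /pam_sso\.aix/ { print $4; exit }' "$1"
}

# audit_pam_sso ROOT [OWNER]: print one FAIL line per finding; return 1 if any check fails.
audit_pam_sso() {
    root=$1 owner=${2:-root} rc=0
    conf="$root/etc/pam.conf"
    mcfg="$root/usr/lib/security/methods.cfg"

    # Step 3: pam.conf must be owned by root with base permissions 644.
    has_perm "$conf" 644 "$owner" ||
        { echo "FAIL $conf: want mode 644, owner $owner"; rc=1; }

    # Step 5 and step 2: the module that pam.conf loads must exist, be owned by root
    # and have mode 555, so that no account can replace the code that sees new passwords.
    mod=$(sso_module "$conf" 2>/dev/null)
    if [ -z "$mod" ]; then
        echo "FAIL $conf: no passwd password entry for pam_sso"; rc=1
    else
        has_perm "$root$mod" 555 "$owner" ||
            { echo "FAIL $root$mod: want mode 555, owner $owner"; rc=1; }
    fi

    # Step 6: both stanzas must be present in methods.cfg.
    for s in PAM PAMfiles; do
        grep -q "^$s:" "$mcfg" 2>/dev/null ||
            { echo "FAIL $mcfg: stanza $s: missing"; rc=1; }
    done
    return $rc
}
```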
See Also
Concepts
Understanding Password Synchronization
Implementing Password Synchronization