Integrating Microsoft SFU with AIX

 Background

The original idea of this small package came to me when I tried to integrate the "ssod" daemon, part of Microsoft's SFU package, with AIX systems.

The purpose of "ssod" is to synchronize users' passwords on AIX with passwords stored in Microsoft's Active Directory. "ssod" works with many Unix flavours (HP-UX, AIX, Solaris...).

But this tool does not handle password aging on the Unix side!

I wrote the aix_sso package to solve this problem and offer the password aging capability to AIX systems which use NIS maps!

Bug notice: there is a bug in the ssod daemon distributed by Microsoft with the SFU (3.5)!
The daemon loops infinitely and may fill up the log file partition if your "password" file contains blank lines or lines starting with a '#' (comment lines).

You must apply the following change and recompile the daemon.

In the password.cpp file, place comments around line 215:

/* if (ferror(fpTmpPasswordFile)) */

I sent a bug report to Microsoft... and never got any answer...


 Technical Details

As described on the diagram below, each time a user changes their password under Windows, the change is forwarded to the "ssod" daemon. This daemon then regenerates the 'passwd' NIS map.

The idea is to add a new command to the Makefile that generates the map, so that a new file containing the password aging information is updated on the AIX server.
Then just add a daily cron job that starts a command (here: pwlock, which is part of the aix_sso package) which parses the password aging information file and locks the accounts whose password has expired!

This tool is absolutely secure in the sense that the real encrypted password is not deleted. A small prefix is just added in front of it.

The two commands pwaging and pwlock are configured via a small configuration file called pwaging.conf.
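
The lock-by-prefix step described above, as an added example that is not code from the aix_sso package. The lock prefix, the 90-day limit and the "user:YYYY-MM-DD" aging file layout are assumptions, since the page does not give the formats pwaging and pwlock actually use; blank and '#' comment lines are passed through untouched.

```python
from datetime import date

# Assumptions, not taken from aix_sso: the prefix, the 90-day limit and the
# aging file layout "user:YYYY-MM-DD" (date of the last password change).
LOCK_PREFIX = "*LK*"  # '*' is outside the crypt(3) alphabet: no password matches
MAX_AGE_DAYS = 90

def is_noise(line):
    """Blank or '#' comment line, the input that makes ssod 3.5 loop."""
    return not line.strip() or line.lstrip().startswith("#")

def parse_aging(text):
    """Return {user: date of last change}; noise and malformed lines are skipped."""
    last = {}
    for line in text.splitlines():
        user, _, stamp = line.strip().partition(":")
        try:
            if not is_noise(line):
                last[user] = date.fromisoformat(stamp)
        except ValueError:
            pass  # malformed entry: that account is left alone
    return last

def lock_expired(passwd_text, aging, today):
    """Prefix the hash of each expired account; return (new_text, locked_users)."""
    out, locked = [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if not is_noise(line) and len(fields) == 7:
            changed = aging.get(fields[0])
            expired = changed is not None and (today - changed).days > MAX_AGE_DAYS
            if expired and not fields[1].startswith(LOCK_PREFIX):
                fields[1] = LOCK_PREFIX + fields[1]  # original hash is kept
                locked.append(fields[0])
            line = ":".join(fields)
        out.append(line)  # noise and malformed lines pass through untouched
    return "\n".join(out) + "\n", locked

def unlock(passwd_line):
    """Strip the prefix, restoring the original hash unchanged."""
    fields = passwd_line.split(":")
    if len(fields) == 7 and fields[1].startswith(LOCK_PREFIX):
        fields[1] = fields[1][len(LOCK_PREFIX):]
    return ":".join(fields)

# Constructed sample data; the hashes are fake placeholders.
PASSWD = ("# users\nalice:AAfakehash01:201:1::/home/alice:/bin/ksh\n\n"
          "bob:BBfakehash02:202:1::/home/bob:/bin/ksh\n")
AGING = "alice:2024-01-01\nbob:2024-05-20\n# comment\nbroken-line\n"
```

Running the lock step twice leaves an already locked entry unchanged, so the daily cron job cannot stack prefixes on the same hash.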

You can download the package [MD5 checksum: 88d84f9699b41b2564e35eff9aa03d72]

Synopsis of aix_sso tools:




This site is maintained by jdelamarche@maje.biz