When Centrify adnisd is being used for NIS password sync, user accounts have "!" in the password field instead of the password hash:
ypmatch sumana passwd
The "!" in the password field indicates that adnisd could not read the unixUserPassword attribute from Active Directory.
Under Windows 2003 R2, the password hash of the user’s Active Directory password is stored in a new attribute, unixUserPassword.
By default, Active Directory security permissions prevent anyone from reading this value.
This can be verified by running the following ldapsearch command as root on the Unix server where adnisd is installed:
/usr/share/centrifydc/bin/ldapsearch -H "ldap://" -m -LLL -b "dc=mydomain,dc=com" "(cn=sumana)" canonicalname altpasswordhash mssfu30password unixuserpassword
Note: In the above command, replace the searchbase "dc=mydomain,dc=com" and username (cn=sumana) as appropriate.
Allow the servers running adnisd to read this value. unixUserPassword is part of a set of attributes on the User Security ACL named "All Extended Rights".
This has to be applied to all containers and organizational units which contain Active Directory User objects:
- Create a new AD group object in an appropriate container or OU.
(For example, an AD group named "NIS Servers" could be placed in "OU=Unix Computers,DC=mydomain,DC=com".)
- Add the servers running adnisd into this group
- For each organizational unit or container which contains AD User objects:
- Restart adclient and adnisd
As the AD permissions have changed, adclient and adnisd need to be restarted on all servers running adnisd:
- Flush the cache: adflush
- Stop adnisd: /etc/init.d/adnisd stop
- Start adclient: /etc/init.d/adclient restart
- Start adnisd: /etc/init.d/adnisd start -f
- Run the ldapsearch command again to see if unixUserPassword now comes back with the password hash.
Once it returns the expected password hash, ypmatch for the user should also return the password hash.
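The following is an added example, not part of the Centrify KB article. It wraps the two checks described above (the ldapsearch for unixUserPassword and the ypmatch output) in a small POSIX shell script that reports whether the attribute is still unreadable, whether the NIS map still shows "!" after the ACL change, or whether both now return the hash. The LDIF and passwd lines are constructed samples with a placeholder hash; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Centrify's code): diagnose why ypmatch shows "!" for a user.
# The sample outputs below are constructed, not captured from a real system.

# Before the ACL change: AD returns the object but withholds unixUserPassword.
LDIF_BEFORE='dn: CN=sumana,OU=Users,DC=mydomain,DC=com
canonicalName: mydomain.com/Users/sumana'

# After the ACL change: the attribute is returned (hash value is a placeholder).
LDIF_AFTER='dn: CN=sumana,OU=Users,DC=mydomain,DC=com
canonicalName: mydomain.com/Users/sumana
unixUserPassword: {crypt}PLACEHOLDER_HASH'

# ypmatch output with "!" in the password field, and with a hash.
YP_BEFORE='sumana:!:10001:10001:Sumana:/home/sumana:/bin/sh'
YP_AFTER='sumana:{crypt}PLACEHOLDER_HASH:10001:10001:Sumana:/home/sumana:/bin/sh'

# Exit 0 when the LDIF text in $1 carries a non-empty unixUserPassword value.
ldif_has_unix_password() {
    printf '%s\n' "$1" | grep -iq '^unixUserPassword:[[:space:]]*[^[:space:]]'
}

# Exit 0 when the passwd-format line in $1 has "!" as its password field.
passwd_field_locked() {
    [ "$(printf '%s\n' "$1" | cut -d: -f2)" = "!" ]
}

# Combine both checks and print a one-line diagnosis.
# Returns 0 when the attribute is readable and the NIS map carries the hash,
# 1 when AD still denies the read, 2 when AD allows it but NIS still shows "!".
diagnose() {
    user=$1; ldif=$2; ypline=$3
    if ! ldif_has_unix_password "$ldif"; then
        echo "$user: unixUserPassword not returned by ldapsearch; AD ACL still denies the read"
        return 1
    fi
    if passwd_field_locked "$ypline"; then
        echo "$user: attribute readable but NIS map still shows '!'; flush the cache and restart adclient/adnisd"
        return 2
    fi
    echo "$user: unixUserPassword readable and NIS map carries the hash"
    return 0
}

# Live use on the adnisd server (paths and options as given in the KB article):
#   ldif=$(/usr/share/centrifydc/bin/ldapsearch -H "ldap://" -m -LLL \
#          -b "dc=mydomain,dc=com" "(cn=sumana)" unixuserpassword)
#   ypline=$(ypmatch sumana passwd)
#   diagnose sumana "$ldif" "$ypline"
diagnose sumana "$LDIF_BEFORE" "$YP_BEFORE" || true   # reports the denied read
diagnose sumana "$LDIF_AFTER" "$YP_AFTER"             # reports success
```

Run it on the adnisd server after each step of the procedure: a return code of 1 means the ACL delegation has not taken effect yet, while 2 means the attribute is readable but adclient/adnisd still serve the cached "!" entry and need the flush and restart described above.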
- The "Password Synchronization" service must be enabled on ALL domain controllers in a domain.
- After installation, the Encryption/Decryption key must be reset from the default value in order to enable synchronization. This key is not used by DirectControl and need not be remembered.
- If "Identity Management for UNIX" or "Services for Unix (SFU)" has just been installed, a password change must be forced for the users so that their passwords are written to the unixUserPassword attribute and thus become available to the Centrify NIS Gateway. This can be done with the "Reset Password" option in ADUC.
Check the Event Viewer for a record of the password changes; afterwards, check with ADSI Edit that the unixUserPassword attribute now has a value for the users.
- If the Windows 2003 server running SFU has been upgraded to Windows 2003 R2 and values exist in both mssfu30password and unixUserPassword attributes then R2 attribute "unixUserPassword" takes precedence.
- If running Windows 2008 R2 then the fix for this is described in the Microsoft KB Article 817433: http://support.microsoft.com/kb/817433