Synching Passwords with NDS for NT
Novell Cool Solutions: Tip
By Jason Blackett
Digg This -
Posted: 31 Aug 1999
From the comments we've seen in the NDS Cool Solutions mailbox, the Novell Technical Support forums, and billboards on the sides of buses, it's fair to say that unraveling password synchronization on NDS for NT is (in some cases) about as easy as trying to see through a cement wall with your eyes closed. So, we concoted this tip to bring all the info together and make your life with passwords on NDS for NT as easy and smooth as it was in the demo you saw. Read on for all the scoops.
Unfortunately, due to the differences in the way the NDS password is encrypted and the way the Domain password is encrypted it's impossible for the Domain Object Wizard to synchronize the password during the domain object migration. With the NDS for NT 2.01, the Domain Object Wizard utility provides a checkbox that lets you force password expiration. By checking this box, all users who are migrated to NDS will have their NT and NDS passwords set to "Change at next login". This means that once the user logs into the domain or NDS, the user will be prompted to change his or her password, and from then on out the passwords will be kept in sync using the methods described below.
Changing the Password using Microsoft Tools
When a password is changed using the Microsoft tools, a request is made to the domain controller to change the password. At the user's workstation a clear text password is entered, encrypted on the wire, and then returned to clear text on the NT server. Once the clear text password is available on the server the Novell Security Accounts Manager (SAMSRV.DLL) makes a request to NDS to change both the NT and the NDS password using the same clear text password. This password is stored in two NDS attributes and then encrypted in the native formats (RSA for NT and MD4 for the Domain password, which is then encrypted in RSA). Once the password change is successful a message is sent back to the user.
Changing the Password using Novell Tools
When a password is changed using a Novell tool on Windows 95/98 running the Novell Client v3.1 or higher, or on Windows NT 4.0 running the version 4.6 or higher of the Novell Client, the password change for both the domain and NDS is handled by the Novell Client libraries. When the change is requested, the user enters a clear text password, and then clicks OK. When the password is sent, the Client checks to see if Force Password Sync is enabled, and if it is, the Client sends both an NDS password and the same Domain password to be stored in NT. In this manner, all changes made to the NDS password effect both passwords.
While it's pretty simple, keep the following things in mind to avoid all the pitfalls:
- If you're using any Client older than the Windows NT Client v 4.51 or the Windows 95/98 Client v3.0, the password changes from Novell will not be synchronized because the necessary Client libraries do not exist.
- If you're using NDS for NT 1.x, NDS for NT will not perform NDS synchronization.
- If the PDC of the domain is down, it is impossible to change either the NT or the NDS password through Microsoft Windows NT tools, such as User Manager.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com