
Windows Identity Manager for Unix Issue

We have a Redhat Enterprise 5.8 system and Windows 2008 R2.
We have the Microsoft Identity Manager for Unix installed and configured.
We have a test Redhat system with users already populated.
We are using MD5 and shadow passwords.
The Identity Manager for Windows under the NIS is set for MD5 also.
We have verified the encryption keys and have configured the sso.conf to match as:
  Use Shadows=1 with the proper folder for the /etc/shadow file
NIS is off.
I restart the ssod and verify it is running.
We change a password on the Windows side; the Windows application log says it was changed and passed to the Unix side.
The logs on the Unix side say it was successfully changed, but we still cannot log in.
I manually change the password on the Unix side and I can log in fine.

Any idea what I could be doing wrong?

Top Expert 2015
I do use samba-winbind for authentication and authorisation. No need to modify AD for example...
I used Kerberos, works like a champ.  The only caveat was to use all capital letters in the realm and domain names.
Thanks for the suggestion to use something other than Microsoft Identity Manager for Unix.  It proved not to work because in v5.8 the MD5 encryption was not compatible with MS.
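
A check that fits the symptom in this thread (sync logged as successful, login still failing): inspect which crypt(3) scheme the synced /etc/shadow entry actually carries and whether it is well formed. This is an added example, not part of the original thread; the function names are hypothetical and the sample entries are constructed, not real hashes.

```python
import re

B64 = r"[./0-9A-Za-z]"
# crypt(3) modular-format ids and the digest length each one produces
SCHEMES = {"1": ("md5-crypt", 22), "5": ("sha256-crypt", 43), "6": ("sha512-crypt", 86)}

def classify(field):
    """Return (scheme, well_formed) for the password field of a shadow entry."""
    if field == "":
        return ("empty", False)
    if field[0] in "!*":                      # locked or never set
        return ("locked", False)
    if re.fullmatch(B64 + "{13}", field):     # traditional DES crypt
        return ("des-crypt", True)
    m = re.fullmatch(r"\$(\w+)\$(?:rounds=\d+\$)?([^$]*)\$(" + B64 + r"+)", field)
    if not m or m.group(1) not in SCHEMES:
        return ("unknown", False)
    name, digest_len = SCHEMES[m.group(1)]
    return (name, len(m.group(3)) == digest_len)

def audit(shadow_text, expected="md5-crypt"):
    """Map each user to ok / locked / empty / malformed / mismatch:<scheme>."""
    report = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme, well_formed = classify(parts[1])
        if scheme in ("locked", "empty"):
            report[parts[0]] = scheme
        elif not well_formed:
            report[parts[0]] = "malformed"
        elif scheme != expected:
            report[parts[0]] = "mismatch:" + scheme
        else:
            report[parts[0]] = "ok"
    return report

# Constructed sample entries (not real hashes), in /etc/shadow layout
SAMPLE = "\n".join([
    "alice:$1$saltsalt$" + "A" * 22 + ":15000:0:99999:7:::",
    "bob:$1$saltsalt$" + "A" * 10 + ":15000:0:99999:7:::",   # truncated digest
    "carol:$6$saltsalt$" + "B" * 86 + ":15000:0:99999:7:::",
    "dave:ab" + "C" * 11 + ":15000:0:99999:7:::",
    "erin:!!:15000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        print(user, status)
```

Running `audit` on the entry for a test user before and after a Windows-side password change shows whether the sync daemon wrote a hash in the scheme the host is configured for.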
Top Expert 2015

MD5 is too weak in face of GPU computing. You will need to get rid of it fairly soon...
Upgrade redhat to 5U11 to fix imminent security issues.
You need to put together ubuntu winbindd guide with redhat authconfig guide, and I think you will be all set quickly.


Would def do that but the owner of the company won't spring for the Redhat subscription so we are stuck with what is already on the system.
Top Expert 2015

You can convert to CentOS or Oracle Linux (with their agreement) as there is dead black hole in samba and you need to patch it before trying winbind.


Gheist suggested an alternative method which would work.
Top Expert 2015

make config files from ubuntu guide
join domain as domain admin
once wbinfo -t works you can use authconfig to add all AD users as system users, or e.g. use winbind for squid or apache authentication. SSO takes more effort, but it works too once you get protocol versions/types right