This configuration parameter controls whether the password synchronization service keeps passwords synchronized for local users that are mapped to an Active Directory account.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

If you set this parameter in the configuration file, the parameter value should be a list of local user accounts that are mapped to Active Directory accounts. For example:

pam.sync.mapuser: root oracle sanchez

If you set this parameter and a mapped user changes his password, PAM updates the password hash for the corresponding local UNIX account in the local /etc/shadow file so that the passwords match. Synchronizing the passwords in this way ensures that local users can still log on even if there are problems with the network, Active Directory, or the adclient process. For example, if Active Directory is not available, the mapped user can log on as a local user by appending @localhost to the user name:


Password synchronization requires you to do the following:

  • Install either the Centrify Password Synchronization component or the Microsoft Password Synchronization Service on all domain controllers.

    If you do not have the Microsoft Password Synchronization Service installed on your domain controllers, you can install and use the Centrify Password Synchronization extension instead. You can install the Centrify Password Synchronization extension when you install other Centrify Management Services using the setup program or by running the standalone password extension installation program.

  • Configure the zone properties for the computer’s zone to support agentless clients and to use the proper NIS domain name and Active Directory attribute for storing the user’s password hash.
  • Map the specified local users to Active Directory using either the pam.mapuser.username configuration parameter or group policy.
  • Verify the Active Directory user to which the local user is mapped has a profile in the zone you have configured for agentless authentication.

This parameter has no effect on Mac OS X systems.