phowarth
Contributor

PAM Setup and Configuration

Can someone point me to a good doc or guide on how to set up and configure PAM on ESX 3.5?

Thanks

Pete

5 Replies
Texiwill
Leadership

Hello,

Moved to the security and compliance forum....

This depends entirely on what you are trying to do within PAM. PAM is by default configured for normal Linux/UNIX style authentication and authorization. The question then is what you want to add to or change within PAM. Most PAM modules have associated manual pages you can read to get an idea of what they do.

If you could tell us what you would like to do, we can perhaps point you to better documentation?


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
phowarth
Contributor

I would like to know how to configure PAM to authenticate against an AD domain, and understand how it works. After adding a user, logging on with that user via PuTTY, and successfully authenticating against a domain, does it store that password locally someplace? If the domain is unavailable for some reason and you log on with that same account, will it log you on successfully because it stored the password locally? Is there a service that you can stop and start if you run into authentication issues?

Pete

Texiwill
Leadership

Hello,

Refer to http://www.astroarch.com/wiki/index.php/Remote_Authentication for two methods (Winbind and LDAP-S) to authenticate against AD. Depending on how far you want to go with this, there are several places at which you could stop. Note that with the 'winbind' method there is not actually a need to install new RPMs, but it will help in the long run. The LDAP-S manuscript came from Steve Beaver.


Best regards,

Edward L. Haletky

admin
Immortal

Here is VMware's recommended way to authenticate to AD.

http://www.vmware.com/resources/techresources/582

Texiwill
Leadership

Hello,

The difference between the LDAPS/Winbind methods and the VMware method is the nature of management of the accounts on the ESX server. On the one hand you have the winbind method, which allows you to manage accounts using AD but does require a good pam_access implementation to support the AD groups to which you want to grant access and deny all else, while the VMware method requires local user accounts. For small installations (and small is truly subjective) either way works quite well. But for larger installations (again a subjective term), you may want to use one of the other methods, as management of accounts as people enter and leave a group, organization, etc. can become an issue.

A little due diligence will go a long way in this one. Whichever way you choose to go, make sure you have some documentation about how to manage the security of the approach, including a checklist to follow when adding or removing an account.

Also, depending on patches from VMware, things could change. I have never seen it yet, but it is also something to consider when testing your patches.

The last two items apply to any authentication scheme you choose to use.


Best regards,

Edward L. Haletky

0 Kudos
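
The "grant the AD groups, deny all else" point about pam_access in the last reply, as an added example that is not part of the thread or of any VMware or Linux-PAM code: a simplified Python model of how `access.conf` rules are evaluated, showing that without a final `- : ALL : ALL` line an unmatched user is let in. The group `esxadmins`, the users and the sample file are constructed, and EXCEPT, netgroups and network-pattern origins are not modelled.

```python
# Added example: simplified model of pam_access rule evaluation.
# Assumptions: 'esxadmins' is a hypothetical AD group; EXCEPT, netgroups and
# host/network pattern matching are not modelled; origins compare literally.

SAMPLE_ACCESS_CONF = """\
# constructed sample, not taken from the thread
+ : root : LOCAL
+ : esxadmins : ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permission, [users], [origins]), ...] from access.conf text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules

def is_allowed(rules, user, groups, origin):
    """First matching rule decides; with no match pam_access grants access."""
    names = {user, *groups}
    for perm, users, origins in rules:
        user_hit = "ALL" in users or bool(names & set(users))
        origin_hit = "ALL" in origins or origin in origins
        if user_hit and origin_hit:
            return perm == "+"
    return True

def lacks_default_deny(rules):
    """True when the rule set does not end with '- : ALL : ALL'."""
    return not rules or rules[-1] != ("-", ["ALL"], ["ALL"])

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACCESS_CONF)
    for who, grps, src in [("alice", ["esxadmins"], "10.0.0.5"),
                           ("bob", ["domusers"], "10.0.0.5"),
                           ("root", [], "LOCAL")]:
        print(who, src, "allowed" if is_allowed(rules, who, grps, src) else "denied")
    print("missing default deny:", lacks_default_deny(rules))
```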