You can map local Unix user accounts to Active Directory users accounts. Local users retain all of their local Unix attributes such as UID Number and Login Shell, but they authenticate using their Active Directory password. Active Directory password policies are enforced. So you would login with user local username and the AD password. The AD account cannot be unix enabled for the mappeing to work.
1 - To configure a user mapping file run the following command as root to enable local map files:
/opt/quest/bin/vastool configure vas vas_auth user-map-files /etc/user-map
2 - Add user mappings to the map file. The format is local name:samaccountname@domain
For example, if you want to map a local user named jdoe to the Active Directory account for firstname.lastname@example.org, add the following line to the file you specified above it step 1:
3 - We suggest using custom prompts so the user knows what to enter. You can set these up by doing the following commands:
/opt/quest/bin/vastool configure vas pam_vas prompt-local-pw "Enter password for local user %s:"
/opt/quest/bin/vastool configure vas pam_vas prompt-vas-ad-pw "Enter password for your AD account :"
4 - You must use the local user and the AD password when the AD account is not unix enabled.
5 - To configure access control for a mapped user, the AD account that is being authenticated against needs to be added to the users.allow or users.deny file. The local account name that the user is logging in with can not be used for this purpose.