I'd like to know if anyone here authenticates their servers against Active Directory? I did this a couple of years ago, but never rolled it out to my servers for a few reasons.

Now I'm thinking of this again, but the main thing I'd really like to know is how stable and maintainable this is across lots of servers and through upgrades. I've noticed that when there are upgrades, occasionally PAM files are changed/upgraded. Since this generally relies on you fiddling with the PAM stacks, I figure that sooner or later this brittle solution will snap in an upgrade, locking people out of the server.

I suspect that the main problem is that most people do not change PAM, and therefore there is no included user-defined stack that is kept referenced through rolling upgrades...

Does anyone have any experience with how stable it is to authenticate lots of servers against AD for single sign-on?
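The lockout scenario the post worries about (an upgrade replacing a hand-edited PAM file so the AD module silently drops out of the stack) is easy to catch before anyone logs out if you audit the effective stack after every package run. The script below is an added example, not code from the original post or from any distribution: it resolves Debian-style `@include` and RHEL-style `auth include`/`substack` directives and checks whether the `sshd` service still reaches `pam_sss.so` or `pam_winbind.so`. The PAM file contents, directory names, and the "stock file restored by an upgrade" scenario are all constructed fixtures for illustration; on a real host you would point it at `/etc/pam.d`.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PAM service stack after an
# upgrade and report whether it still loads an AD-backed auth module.
set -f   # PAM control fields like [success=1 default=ignore] must not be globbed

# _pam_walk FILE DIR DEPTH: print the effective module lines of FILE, following
# "@include name" (Debian) and "type include|substack name" (RHEL) directives.
_pam_walk() {
    local file=$1 dir=$2 depth=$3 line inc
    [ "$depth" -lt 8 ] || return 0                    # guard against include loops
    [ -r "$file" ] || { echo "MISSING $file" >&2; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;                           # blank lines and comments
            @include\ *)
                inc=${line#@include }
                _pam_walk "$dir/$inc" "$dir" $((depth + 1)) ;;
            *)
                set -- $line                              # $1=type $2=control $3=module
                if [ "$2" = include ] || [ "$2" = substack ]; then
                    _pam_walk "$dir/$3" "$dir" $((depth + 1))
                else
                    printf '%s\n' "$line"
                fi ;;
        esac
    done < "$file"
}

# pam_stack_lines FILE DIR: the flattened stack for one service file.
pam_stack_lines() { _pam_walk "$1" "$2" 0; }

# ad_auth_ok FILE DIR: succeed if the flattened stack loads pam_sss.so or
# pam_winbind.so, the two modules commonly used on AD-joined Linux hosts.
ad_auth_ok() {
    pam_stack_lines "$1" "$2" | grep -Eq 'pam_(sss|winbind)\.so'
}

# make_fixture: build constructed /etc/pam.d look-alikes and print their root.
#   good/   - the stack an admin configured for an AD-joined host
#   broken/ - same sshd file, but an upgrade put back the stock common-auth
#   rhel/   - RHEL-style layout using "auth substack password-auth"
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir "$d/good" "$d/broken" "$d/rhel"
    printf '%s\n' \
        'auth [success=2 default=ignore] pam_unix.so nullok_secure' \
        'auth [success=1 default=ignore] pam_sss.so use_first_pass' \
        'auth requisite pam_deny.so' \
        'auth required pam_permit.so' > "$d/good/common-auth"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_env.so' '@include common-auth' \
        > "$d/good/sshd"
    printf '%s\n' \
        'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
        'auth requisite pam_deny.so' \
        'auth required pam_permit.so' > "$d/broken/common-auth"
    cp "$d/good/sshd" "$d/broken/sshd"
    printf '%s\n' \
        'auth sufficient pam_unix.so try_first_pass' \
        'auth sufficient pam_sss.so use_first_pass' \
        'auth required pam_deny.so' > "$d/rhel/password-auth"
    printf '%s\n' '#%PAM-1.0' 'auth substack password-auth' > "$d/rhel/sshd"
    echo "$d"
}

# Demo: run the audit over each constructed layout.
FIX=$(make_fixture)
for v in good broken rhel; do
    if ad_auth_ok "$FIX/$v/sshd" "$FIX/$v"; then
        echo "$v: sshd still reaches the AD module"
    else
        echo "$v: sshd no longer loads pam_sss/pam_winbind - fix before logging out"
    fi
done
```

Run it from a post-upgrade hook (or just before closing your root shell) and refuse to log out while it reports a service as broken; keeping one authenticated root session open until the check passes is the cheap insurance against exactly the lockout described above. On distributions that manage the stacks for you (Debian's `pam-auth-update`, RHEL's `authselect`), the module lines live in the generated common files, which is also what this check walks into.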