How do admins maintain user accounts across hundreds of Linux servers?

Solution 1:

One central component of Active Directory is LDAP, which is available on Linux in the form of OpenLDAP and 389DS (and some others). Also, the other major component, Kerberos, is available in the form of MIT Kerberos and Heimdal. Finally, you can even connect your machines to AD.

Solution 2:

You can try Puppet for managing users:

Why Use Puppet to Manage User Accounts? (and not NIS, LDAP, etc.)

One of the benefits to managing user accounts in Puppet is the fact that it is decentralized. Each user account is just a normal user account on the managed server. There is nothing special about the user accounts Puppet creates other than the fact they were created by Puppet and not by a human administrator. The nice thing about this is that if the main host dies, we do not lose authentication, which means that our puppetmaster server (or NIS/LDAP server) need not have any special uptime requirements. If an emergency happens, we can focus on getting our production servers up, and focus on getting the puppetmaster up on an “as needed” basis.

The downside to this is that Puppet is not necessarily really designed to manage “normal” login user accounts (as opposed to system accounts). The biggest way this comes up is that, although you can set the password in Puppet, Puppet continually monitors system settings (good) and, if it notices that the password has changed, will reset it (bad). I do not want to monitor user passwords on our network, so there needs to be a way to set a password and have Puppet stop monitoring this password. Fortunately, once you figure out the trick, this is actually really quite easy. But first, let’s get some definitions out of the way.

http://docs.puppetlabs.com/pe/2.5/console_auth.html
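
The trade-off in the quoted passage (enforce account attributes on each server, but do not reset a password the user has changed) shown as an added Python example. It is not from the answer or the quoted article and is not Puppet code; the desired-state table, account names, hashes, file contents and the UID threshold of 1000 are constructed assumptions.

```python
# Added illustration: plan changes for local accounts from a desired-state table.
# All names, hashes and file contents below are constructed sample data.
DESIRED = {  # hypothetical desired state, as a config-management tool would hold it
    "alice": {"uid": 1001, "shell": "/bin/bash", "initial_hash": "$6$CONSTRUCTED$aaa"},
    "bob":   {"uid": 1002, "shell": "/bin/bash", "initial_hash": "$6$CONSTRUCTED$bbb"},
}
MIN_LOGIN_UID = 1000  # assumption: UIDs below this are system accounts

PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/zsh
mallory:x:1003:1003::/home/mallory:/bin/bash
"""
SHADOW = """root:!:19000:0:99999:7:::
alice:$6$CONSTRUCTED$changed-by-user:19500:0:99999:7:::
mallory:$6$CONSTRUCTED$zzz:19500:0:99999:7:::
"""

def parse(text, fields):
    """Parse colon-separated passwd/shadow text into {name: {field: value}}."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split(":")
            rows[parts[0]] = dict(zip(fields, parts))
    return rows

def plan(desired, passwd_text, shadow_text, enforce_password=False):
    """Return a sorted list of (action, user, detail) needed to reach desired state."""
    passwd = parse(passwd_text, ["name", "pw", "uid", "gid", "gecos", "home", "shell"])
    shadow = parse(shadow_text, ["name", "hash"])
    actions = []
    for name, want in desired.items():
        have = passwd.get(name)
        if have is None:
            # The password is applied only here, when the account is first created.
            actions.append(("create", name, "uid=%d, set initial password" % want["uid"]))
            continue
        if int(have["uid"]) != want["uid"]:
            actions.append(("fix_uid", name, "%s -> %d" % (have["uid"], want["uid"])))
        if have["shell"] != want["shell"]:
            actions.append(("fix_shell", name, "%s -> %s" % (have["shell"], want["shell"])))
        if enforce_password and shadow.get(name, {}).get("hash") != want["initial_hash"]:
            actions.append(("reset_password", name, "hash differs from desired state"))
    for name, have in passwd.items():
        if name not in desired and int(have["uid"]) >= MIN_LOGIN_UID:
            actions.append(("report_unmanaged", name, "uid=" + have["uid"]))
    return sorted(actions)
```

With `enforce_password=True` the plan also contains a `reset_password` action for `alice`, which is the behaviour the passage calls bad; the `report_unmanaged` entry shows why decentralized local accounts need a periodic audit for accounts nobody declared.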


Solution 3:

As SvenW mentions, there is 389DS and Kerberos. Since RHEL 6.2, Red Hat have included IPA in the distribution (and thus it is in CentOS too). This is a full identity management suite which incorporates 389DS and Kerberos, with policy-based control over authentication and authorization, and optionally DNS. It can even be configured for one-way or two-way sync with Active Directory.

IPA pretty much requires SSSD on RHEL hosts, but it works without it. I've even tested connecting Solaris 10 to IPA (works, but a bit fiddly). IPA is pretty straightforward to set up for RHEL hosts.

This is based on the FreeIPA project.