[CentOS] Restricting physical login access to specific nodes using PAM / NSS / SMB4 AD/DC

Mon Nov 3 07:04:39 UTC 2014
Barry Brimer <lists at brimer.org>

> I am using SSSD to get user AUTH from a backend Samba4 AD/DC.
>
> For Linux clients sssd.conf is configured to query Samba4 AD based on
> LDAP/Kerberos i.e. the Linux clients have not done a Domain join.
> Physical console logins -- things are working fine with changes to NSS
> and PAM (tool authconfig) for domain User AUTH on Linux and Windows
> clients.
>
> However, I want to restrict access to certain machines to users of a
> specific group e.g. HR.  I guess this is possible on Windows clients
> with group policies.
> Is the same possible on CentOS (Linux) workstations?

I am not familiar with the inner workings of SSSD, but with pam_listfile
you can specify users or groups that must be met for PAM to succeed.
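
One way to apply the pam_listfile suggestion above, as an added example that is not part of the original post. The service file (/etc/pam.d/login), the list file path, and the group names are assumptions for illustration; graphical logins go through the display manager's own PAM service file.

```conf
# ---- /etc/pam.d/login  (text-console logins; assumed service file) ----
# Add this line ahead of the existing "account" entries.
#
#   item=group   match on the groups the user belongs to; membership is
#                resolved through NSS, so SSSD-provided groups are seen
#   sense=allow  succeed only if one of the user's groups is in the file
#   onerr=fail   deny if the file is missing or unreadable (fail closed)
account    required     pam_listfile.so item=group sense=allow file=/etc/security/console-groups.allow onerr=fail

# Weaker variant, for contrast only: onerr=succeed fails open, so a deleted
# or unreadable list file lets every authenticated user onto the console.
# account  required     pam_listfile.so item=group sense=allow file=/etc/security/console-groups.allow onerr=succeed


# ---- /etc/security/console-groups.allow  (assumed path) ----
# The file itself holds one group name per line and nothing else; the "#"
# lines here are annotations for the example and must not be copied into it.
# Keep it root-owned and not world-writable, otherwise pam_listfile
# refuses to use it.
#
# HR    is the group named in the question (spelling as SSSD reports it,
#       check with: getent group HR)
# root  is an assumed addition so the local root account keeps console
#       access for recovery
HR
root
```

Because the check sits in the `account` stack, it runs after authentication has succeeded, so a user outside the listed groups can still authenticate against the domain but is refused a session on this machine. Keep an existing root session open while testing the change from a second console.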