[CentOS] Restricting physical login access to specific nodes using PAM / NSS / SMB4 AD/DC

Mon Nov 3 06:42:35 UTC 2014
Arun Khan <knura9 at gmail.com>

I am using SSSD to get user AUTH from a backend Samba4 AD/DC.

For Linux clients sssd.conf is configured to query Samba4 AD based on
LDAP/Kerberos i.e. the Linux clients have not done a Domain join.
Physical console logins -- things are working fine with changes to NSS
and PAM (tool authconfig) for domain User AUTH on Linux and Windows
clients.

However, I want to restrict access to certain machines to users of a
specific group e.g. HR.  I guess this is possible on Windows clients
with group policies.
Is the same possible on CentOS (Linux) workstations.

TIA,
-- 
Arun Khan