Linux – How to restrict user access via SSSD AD provider

active-directory linux nfs4 redhat sssd

I'm trying to configure a Red Hat 6.x server for authorization and authentication to Active Directory (AD) via SSSD. After joining the server, I'm able to log in with any valid domain credentials.

How do I restrict access to 1 or many AD groups?
Is this set by the access_provider attribute? It's currently set to "ad" – how do I set user permissions?
Will this work for NFSv4 shares which will be hosted, and accessible from both Windows and Linux?

Best Answer

I think you're asking two different questions. One is who can log in to that machine and yes, by default that's controlled with the access_provider. Until the very recent versions, the access_provider=ad only checked for account expiration. With the recent versions, access_provider=ad can also evaluate group policies for access control.

Many users are OK with just using access_provider=simple, though with a simple ACL of permitted users and groups.

The second question is about accessing NFS shares, which I don't think is too related... the UIDs and GIDs the user has assigned control what files they can access, but mounting the shares is a completely different issue altogether (and I'm not well versed there, so I will leave this part to someone else).
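
A sketch of the `access_provider=simple` approach mentioned in the answer, added here as an example and not taken from the original post. The domain name `ad.example.com` and the group and user names are placeholders to replace with your own.

```ini
# /etc/sssd/sssd.conf (domain section only; names below are placeholders)
[domain/ad.example.com]
id_provider = ad
auth_provider = ad

# Before: with access_provider = ad, older SSSD versions only check
# account expiration, so any valid domain account can log in.
# access_provider = ad

# After: the simple access provider permits only the listed principals.
access_provider = simple

# Comma-separated AD groups whose members may log in (placeholder names).
simple_allow_groups = linux-admins, app-operators

# Optional: individual accounts allowed in addition to the groups above.
# simple_allow_users = svc-backup

# Optional: deny entries override a matching allow entry.
# simple_deny_users = former-contractor
```

Restart the sssd service after editing, then confirm that a user outside the allowed groups is refused at login while `id <username>` still resolves the account. SSSD expects `sssd.conf` to be owned by root with mode 0600.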