In their latest release, Centrify has added some restrictions to their, up until now, great product. The changes are listed at http://www.centrify.com/express/changes-centrify-express-unix-linux.asp where they state:
Centrify Express for UNIX/Linux and Centrify Express for Mac no longer support access controls. We made this change to clearly delineate between the intended premium versus free features.
While I do understand why they have done that, I have had to find a way to limit login rights for Active Directory users. First, edit the
/etc/security/access.conf file and add the following to the bottom:
+ : linux_admins : ALL
+ : linux_users : ALL
+ : josip: ALL
- : ALL : ALL
As you can see, we are adding a list of users and groups that will have login permissions on the Linux box.
linux_admins and linux_users are Active Directory groups, while
josip is my local user. You can add local groups here as well. At the end, we deny login permissions to everyone else.
Next, edit /etc/pam.d/common-auth and add this line at the top:
auth required pam_access.so
It is important that this line is at the top, or at least above the lines that are added by the Centrify installer. You should end up with something like this.
I assume you will want to give some AD users sudo privileges. Run
visudo and add this line:
%linux_admins ALL=(ALL:ALL) ALL
This will grant the
DOMAIN\linux_admins group sudo privileges.
I have tested this on Ubuntu 14.04 LTS; one would assume that a similar setup should work on other distros. Enjoy your Centrify Express enabled machine.
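
The script below is an added example, not part of the original post. It checks the two edits described above: that the deny-all rule is the last active line of access.conf, and that pam_access.so is the first auth line in the PAM file. The sample files and the module name pam_example_ad.so are constructed placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for the two edits described in the post.
# File paths are arguments, so the checks can run on copies before going live.

# Succeeds if the last active rule (ignoring blanks and comments) is "- : ALL : ALL".
access_conf_ends_with_deny_all() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { gsub(/[ \t]/, ""); last = $0 }
         END { exit !(last == "-:ALL:ALL") }' "$1"
}

# Succeeds if the first active auth line is "auth required pam_access.so".
pam_access_is_first_auth() {
    awk '$1 == "auth" { found = 1; ok = ($2 == "required" && $3 == "pam_access.so"); exit }
         END { exit !(found && ok) }' "$1"
}

# Constructed sample files: one layout that follows the post, one that does not.
# pam_example_ad.so is a placeholder for whatever the AD agent installs.
write_samples() {
    printf '%s\n' '# allow list' '+ : linux_admins : ALL' '+ : linux_users : ALL' \
        '+ : josip: ALL' '- : ALL : ALL' > "$1/access.good"
    printf '%s\n' '+ : linux_admins : ALL' '+ : josip: ALL' > "$1/access.bad"
    printf '%s\n' '# constructed common-auth' 'auth required pam_access.so' \
        'auth sufficient pam_example_ad.so' 'auth required pam_unix.so' > "$1/auth.good"
    printf '%s\n' 'auth sufficient pam_example_ad.so' \
        'auth required pam_access.so' > "$1/auth.bad"
}

# Run both checks against the constructed samples and report the outcome.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in good bad; do
    access_conf_ends_with_deny_all "$tmp/access.$f" && a=ok || a=FAIL
    pam_access_is_first_auth "$tmp/auth.$f" && p=ok || p=FAIL
    echo "$f: deny-all last=$a, pam_access first=$p"
done
rm -rf "$tmp"
```

To check a real machine, call the two functions with /etc/security/access.conf and /etc/pam.d/common-auth, and keep a root shell open while testing a new login so a mistake does not lock you out.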