LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-16-2007, 08:20 AM   #1
zharling
LQ Newbie
 
Registered: Nov 2007
Posts: 1

RHEL4 & Active Directory Access Control


So I have spent way too much time trying to get this to work. I got what I thought would be the hard part done easily, and that was simply being able to log in to my Linux box with an AD account. But my issue is that any account I set up the Unix attributes for in AD can log in to my box. So I've been struggling with access control. I have sort of been focusing on using pam_access and the /etc/security/access.conf file to control this, but no matter what I do it doesn't seem to be taking effect... Here are some of my configs that will hopefully show something I am doing wrong.

=================
/etc/ldap.conf
=================
host 10.1.1.101
base dc=lab001,dc=local
uri ldap://swllabdc01.lab001.local
#binddn ldapbind@lab001.local
binddn CN=LDAPBIND,OU=Linux-Users,DC=LAB001,DC=local
bindpw xxxxxxxx
pam_groupdn CN=RHEL4Users,OU=Linux-Users,DC=LAB001,DC=local
pam_member_attribute memberUid
scope sub
ssl no
nss_base_passwd dc=lab001,dc=local?sub
nss_base_shadow dc=lab001,dc=local?sub
#nss_base_group dc=lab001,dc=local?sub?&(objectCategory=group)(gidnumber=*)
nss_base_group CN=RHEL4Users,OU=Linux-Users,DC=LAB001,DC=local?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
pam_password md5

==================
/etc/krb5.conf
==================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LAB001.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
LAB001.LOCAL = {
kdc = SWLLABDC01.LAB001.LOCAL:88
admin_server = SWLLABDC01.LAB001.LOCAL:749
default_domain = LAB001.LOCAL
}

[domain_realm]
.lab001.local = LAB001.LOCAL
lab001.local = LAB001.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

=====================
/etc/pam.d/system-auth
======================
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so
auth required /lib/security/pam_deny.so

account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account required /lib/security/pam_deny.so
#account required /lib/security/pam_access.so
account [default=bad success=ok user_unknown=ignore] /lib/security/pam_access.so

password requisite /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

====================
/etc/security/access.conf
=====================
+:root:ALL
#+:t1zdh:ALL
-:ALL:ALL


So I was testing with the t1zdh account, which is a test account, trying to see if this would not allow that account to log in. I even tried just doing -:ALL:ALL and I could still log in, so it doesn't look like it's even being applied.

I'm sure I'm doing something horribly wrong so any help would be greatly appreciated.
 
Old 11-17-2007, 08:35 PM   #2
elfoozo
Member
 
Registered: Feb 2004
Location: Washington, USA
Distribution: Debian
Posts: 265

Could you just set t1zdh's shell to /bin/false or /bin/nologin to achieve your desired effect?
 
Old 11-19-2007, 08:12 AM   #3
zharling
LQ Newbie
 
Registered: Nov 2007
Posts: 1

Original Poster
I could, but then he could not log in to any server. I have 30 or so Active Directory users that need to log in to a range of about 15 Linux boxes. Some users will need access to 10, some will only need one. So what I was hoping for was to create groups for each server, and whoever is a member of that group could then log in to that server...
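Added example (not part of the thread, and not the original poster's configuration): the account section of the posted system-auth with the ordering problem shown beside a corrected ordering, plus an access.conf that implements the one-group-per-server scheme asked for in post #3. Why pam_access never fires in the posted stack: `account sufficient pam_krb5.so` is the first line, so an AD user who passes pam_krb5's account check is accepted right there and the rest of the stack is skipped; and `account required pam_deny.so` sits above the pam_access line, so anyone who does get that far has already been failed and whatever pam_access decides afterwards cannot change the result. That matches the observation that even -:ALL:ALL had no effect. Putting pam_access first as `required` records its verdict before any `sufficient` module can end the stack; in Linux-PAM a later `sufficient` success is ignored once a `required` module has failed. The group name rhel4-web01 is a hypothetical AD group used for illustration.

```text
# --- /etc/pam.d/system-auth, account section only (auth/password/session unchanged) ---
#
# As posted. The first "sufficient" module that succeeds ends the stack,
# so an AD user who passes pam_krb5's account check is accepted on the first
# line and pam_access at the bottom is never consulted; "required" pam_deny
# fails everyone who reaches it, so the pam_access line below it is moot.
#
#   account sufficient /lib/security/pam_krb5.so
#   account required   /lib/security/pam_unix.so
#   account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
#   account required   /lib/security/pam_deny.so
#   account [default=bad success=ok user_unknown=ignore] /lib/security/pam_access.so
#
# Corrected. pam_access runs first as "required": a deny from access.conf is
# recorded before any "sufficient" module can return success, and a later
# "sufficient" success is ignored once a "required" module has failed.
# Everything else keeps the posted order.
account required   /lib/security/pam_access.so
account sufficient /lib/security/pam_krb5.so
account required   /lib/security/pam_unix.so
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account required   /lib/security/pam_deny.so

# --- /etc/security/access.conf on one server ---
# Format: permission:users:origins. The first matching line wins, so the
# catch-all deny must stay last. rhel4-web01 is a hypothetical AD group
# (it needs a gidNumber so nss_ldap can return it); create one such group
# per server and list only that server's group in that server's file.
#
# Linux-PAM 0.77 (RHEL4) accepts a bare group name in the users field, the
# same way the stock file's own example "-:ALL EXCEPT wheel shutdown sync:LOCAL"
# uses the wheel group. Linux-PAM 0.99.6 and later write group names in
# parentheses instead: +:(rhel4-web01):ALL
+:root:ALL
+:rhel4-web01:ALL
-:ALL:ALL
```

Two caveats that follow from the posted /etc/ldap.conf. pam_access resolves a group name through NSS, so the group has to be visible via nss_ldap; the posted nss_base_group is pinned to the single CN=RHEL4Users DN, so other per-server groups will not resolve until the search base covers the OU that holds them (the commented-out dc=lab001,dc=local?sub?... line does). Separately, pam_groupdn and pam_member_attribute are enforced by pam_ldap's account check, and pam_ldap.so is not loaded anywhere in the posted system-auth, so those two lines currently do nothing; if pam_ldap is added later, note that AD stores group members in the member attribute as DNs, not in memberUid. When testing any change to the account stack, keep an existing root shell open, because a mistake there can lock out every account, root included if the +:root:ALL line is lost.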