On Tue, 2004-05-11 at 19:48, Ronny Buchmann wrote:
> On Tuesday 11 May 2004 18:10, you wrote:
> > On Tue, 2004-05-11 at 10:26, Chris Ricker wrote:
> > > I'm well aware of how it works. I'm also aware that it doesn't solve the
> > > problem of wanting to work disconnected. Kerberos ticket caching still
> > > requires initial connectivity. It also does nothing for LDAP, NIS, etc.
> > > You'd need a totally new ad-hoc caching mechanism above and beyond the
> > > krb ticket cache, and I don't think it would turn out to be something any
> > > sane organization would want.... Local accounts, OTOH, are an access
> > > control mechanism that is at least well-understood, which is why our
> > > standard is to fall back to them if distributed is unavailable.
> >
> > What does Windows do for laptops?
> Windows does caching.
>
> 1. login on network (domain login)
> 2. authentication information (user/password(hash?)) is cached
> 3. logout
> 4. timespan of length x
> 5. disconnect
> 6. login at domain (against cached auth info)
>
> So in short, if you once were logged in, you can login at (any?) later time
> without network (AFAIK this needs to be enabled somewhere, it's not default).

From what I've seen I think Windows defaults to caching (but this is just guessing from what I've seen, not claiming to know :)

Anyway it's not laptop specific: you have any workstation authenticating from a domain, pull out the network cable and you're still able to log in if you have previously logged in to that particular system. IIRC it also caches account and password expiration times so you can't just endlessly keep logging into a system just by keeping it out of the network.

I wrote a "pam_cache" module as a quick experiment a couple of years ago which grabs the essential user+auth information from LDAP when you login while connected to the network, rewrites the info to /etc/passwd & friends and thus keeps the accounts more-or-less in sync. It sorta worked but boy it was ugly :)

PADL has started some work towards this:
http://www.padl.com/OSS/pam_ccreds.html and
http://www.padl.com/OSS/nss_updatedb.html

However the way it currently works is that it dumps the whole contents of user and group information from a directory to the local disk, which isn't really acceptable with tens of thousands of users and groups...

- Panu -
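The caching scheme discussed in this thread (populate a local credential cache only on a successful online login, then honour it offline until the cached account or password expiry runs out) is sketched below as an added example; it is not code from the thread, from the pam_cache experiment, or from PADL's pam_ccreds. The `FakeDirectory` class, the `login` function and the sample user `alice` are constructed for the example, the cache is kept in memory rather than on disk, and the entry stores a salted PBKDF2 derivation of the password so the cache itself never holds a reusable secret.

```python
import hashlib
import hmac
import os
import time


class FakeDirectory:
    """Constructed stand-in for an LDAP/Kerberos directory that can go offline."""

    def __init__(self, users):
        self.users = users      # user -> (password, account_expiry_epoch)
        self.online = True

    def authenticate(self, user, password):
        if not self.online:
            raise ConnectionError("directory unreachable")
        entry = self.users.get(user)
        return entry is not None and hmac.compare_digest(entry[0], password)

    def account_expiry(self, user):
        return self.users[user][1]


def derive_key(password, salt, iterations=100_000):
    # PBKDF2-HMAC-SHA256: the cache stores a salted, stretched derivation,
    # never the password itself or a fast unsalted hash of it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class OfflineCredentialCache:
    """Per-user entries written only after a successful online login."""

    def __init__(self, max_offline_age, clock=time.time):
        self.max_offline_age = max_offline_age  # seconds a cached entry stays usable
        self.clock = clock                      # injectable for testing
        self.entries = {}

    def record(self, user, password, account_expires):
        salt = os.urandom(16)
        self.entries[user] = {
            "salt": salt,
            "key": derive_key(password, salt),
            "cached_at": self.clock(),
            "account_expires": account_expires,  # expiry as reported by the directory
        }

    def verify(self, user, password):
        entry = self.entries.get(user)
        if entry is None:
            return False                        # never logged in online on this host
        now = self.clock()
        if now >= entry["account_expires"]:
            return False                        # directory-side expiry still applies offline
        if now - entry["cached_at"] > self.max_offline_age:
            return False                        # cached entry too old; force an online login
        return hmac.compare_digest(derive_key(password, entry["salt"]), entry["key"])


def login(directory, cache, user, password):
    """Try the directory first; fall back to the cache only when it is unreachable.

    Returns (success, source) where source is 'online' or 'cache'.
    """
    try:
        ok = directory.authenticate(user, password)
    except ConnectionError:
        return cache.verify(user, password), "cache"
    if ok:
        cache.record(user, password, directory.account_expiry(user))
    return ok, "online"


def demo():
    # Constructed scenario: one user, 30-day account expiry, 7-day cache lifetime.
    clock = {"t": 1_000_000.0}
    directory = FakeDirectory({"alice": ("correct horse", 1_000_000.0 + 30 * 86400)})
    cache = OfflineCredentialCache(max_offline_age=7 * 86400, clock=lambda: clock["t"])
    results = []
    results.append(login(directory, cache, "alice", "correct horse"))  # online, populates cache
    directory.online = False
    results.append(login(directory, cache, "alice", "correct horse"))  # served from cache
    results.append(login(directory, cache, "alice", "wrong"))          # wrong password, rejected
    results.append(login(directory, cache, "bob", "anything"))         # never cached, rejected
    clock["t"] += 8 * 86400
    results.append(login(directory, cache, "alice", "correct horse"))  # entry too old, rejected
    return results


if __name__ == "__main__":
    for ok, source in demo():
        print(f"{'ok ' if ok else 'FAIL'} via {source}")
```

The two expiry checks in `verify` are the point Panu raises about Windows: without them a machine kept off the network could be logged into indefinitely with a password the directory has long since rotated or disabled. A real PAM module would also need to persist the entries with restrictive permissions and refresh them on every online login rather than only the first.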