[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: systematic Kerberization



On Tue, 11 May 2004, Havoc Pennington wrote:

> On Tue, 2004-05-11 at 10:26, Chris Ricker wrote:
> > I'm well aware of how it works. I'm also aware that it doesn't solve the
> > problem of wanting to work disconnected. Kerberos ticket caching still
> > requires initial connectivity. It also does nothing for LDAP, NIS, etc.
> > You'd need a totally new ad-hoc caching mechanism above and beyond the krb
> > ticket cache, and I don't think it would turn out to be something any sane
> > organization would want.... Local accounts, OTOH, are an access control
> > mechanism that is at least well-understood, which is why our standard is to
> > fall back to them if distributed is unavailable.
> 
> What does Windows do for laptops?

By default, domain accounts are cached locally, so that once you've logged
into a machine joined to the domain as a specific user, you can in the
future log in as that domain user to that machine using the cached password
even when disconnected. This caching of domain accounts can be disabled
through a registry edit, and various aspects of the caching can be
configured through the registry as well.

Also, it's always possible to select the local computer and log into that,
rather than into the domain.

later,
chris



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]