Darren New wrote:
> For example, when I can unplug a USB drive off one Unix system and plug
> it into a different one and Fred (uid 1002) can't get to Jane's files
> (also uid 1002) on the USB drive, I'll be pleasantly surprised. Is there
> anything already in Linux or whatever to make that work?
Windows does this by assigning to every PC and every domain a large
random number which is hopefully "unique". Every user account created on
a specific PC has that PC's number as part of the account number.
Similarly, every domain user account has the domain number as part of
the account number.
If, by some freak of nature, two machines had the same ID, you could
indeed do weird stuff like what you're suggesting. It's just rather
unlikely. (Cloning a hard drive image and forgetting to randomise the ID
afterwards is about the only way...)
> Does the Linux equivalent of "active directory" (which was Kerberos last
> I looked) interact with the local file system well?
Last I checked, Active Directory uses the (pre-existing) Kerberos
network protocol for authentication.
As I understand it, Kerberos defines the wire protocol for how an
arbitrary client connects to an arbitrary server and authenticates
itself. What kind of security model you build using this is completely
up to you.
In the case of MS, they built the domain model. [Or, more exactly, took
their existing domain model and replaced the horribly broken LANMAN
subsystem with Kerberos.]
Kerberos says nothing about what happens on the local machine. The MS
domain security model does.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
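The account-numbering scheme the reply describes is the Windows SID: a machine or domain identifier followed by a per-account relative ID (RID), with access checks keyed on the whole SID rather than on the RID alone. The following is an added illustration, not code from the original thread or from Windows itself: it parses SID strings, separates the issuer part from the RID, and runs a deny-by-default ACL lookup over constructed data to show that "Fred, RID 1002 on PC A" and "Jane, RID 1002 on PC B" stay distinct unless the two machines share an identifier (the cloned-disk case). The machine identifiers, account names and ACL contents are all made up; the S-1-5-21-X-Y-Z-RID layout is the documented one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SID:
    """A parsed Windows security identifier, e.g. S-1-5-21-X-Y-Z-1002."""
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text: str) -> "SID":
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        # Revision is always 1; at most 15 sub-authorities are allowed.
        if revision != 1 or not 1 <= len(subs) <= 15:
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.subauthorities)])

    @property
    def issuer(self) -> "SID":
        """Everything except the final sub-authority: the machine or domain
        whose random identifier was baked into this account's SID."""
        return SID(self.revision, self.authority, self.subauthorities[:-1])

    @property
    def rid(self) -> int:
        """The relative ID: the per-account counter on that issuer."""
        return self.subauthorities[-1]


def same_principal(a: SID, b: SID) -> bool:
    """Two SIDs name the same account only if issuer AND RID match."""
    return a == b


def check_access(acl: dict, principal: SID, right: str) -> bool:
    """Deny-by-default ACL lookup keyed on the full SID (no groups,
    no inheritance; a deliberately minimal model for the illustration)."""
    return right in acl.get(principal, frozenset())


# Constructed machine identifiers (the "large random number" per PC).
PC_A = "S-1-5-21-3623811015-3361044348-30300820"
PC_B = "S-1-5-21-1004336348-1177238915-682003330"

FRED_ON_A = SID.parse(PC_A + "-1002")   # Fred, local account on PC A
JANE_ON_B = SID.parse(PC_B + "-1002")   # Jane, local account on PC B, same RID

# Constructed ACL on a file Jane created on the removable drive.
USB_FILE_ACL = {JANE_ON_B: frozenset({"read", "write"})}


def demo() -> dict:
    """Run the scenario from the thread and return the observations."""
    # PC B was cloned from PC A without regenerating its machine SID,
    # so an account with RID 1002 on the clone collides with Jane's.
    fred_on_clone = SID.parse(PC_B + "-1002")
    return {
        "same_rid": FRED_ON_A.rid == JANE_ON_B.rid,
        "same_issuer": FRED_ON_A.issuer == JANE_ON_B.issuer,
        "fred_reads_jane": check_access(USB_FILE_ACL, FRED_ON_A, "read"),
        "jane_reads_jane": check_access(USB_FILE_ACL, JANE_ON_B, "read"),
        "clone_collides": same_principal(fred_on_clone, JANE_ON_B),
        "clone_reads_jane": check_access(USB_FILE_ACL, fred_on_clone, "read"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keying the ACL on the whole SID is the contrast with a Unix uid: two local accounts with identical RIDs resolve to different principals because their issuer parts differ, so the drive's ACL does not grant Fred anything. The `clone_*` entries show the one failure mode the reply mentions: once two machines carry the same identifier, the full SIDs coincide and the separation is gone.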