John Andersen wrote:
> On Tue, Apr 15, 2008 at 11:08 AM, James Lunardi wrote:
>> John -> Let me reword "I'm able to login with my windows username and password. My problem is, anyone with a domain user account can login to the server...
>
> Rewording yet again, did you mean to say "anyone with a domain user account can log in to the LAPTOP? (one would hope that AD would allow anyone with credentials to log into the server).
>
> If so, isn't that by design? Isn't that what AD is all about? Roving profiles et al?
>
> Once they do log in, do they have access to your private files on the laptop?

I wish it was quite as simple as that... in its original incarnation AD and Domain Services tended to associate accounts with workstations, and creating 'hot desk' style environments proved to be more than a bit of a challenge. Domain Services roaming profiles never worked well and I understand the AD equivalent is still a little flaky at times. For a Windows client in most cases a temporary account was created on the workstation on login and (ideally) removed at logout.

As far as I am aware the AD login on Linux does not work this way. The local connecting account has to be defined on the connecting machine and is mapped to an AD account (assuming the machine is using AD to supply authentication and cifs or smbfs to connect to server resources). While one can register the machine into the directory so one could set up the relevant policies, AFAIK Samba does not provide this kind of dynamic account creating facility on a Linux client.

How this is configured is rather dependent on whether one is using Kerberos or OpenLDAP to connect to AD. It should be possible to limit who can log in as what from the client. The links below may be useful:

http://www.wlug.org.nz/ActiveDirectorySamba
http://wiki.samba.org/index.php/Samba_&_Active_Directory
http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domai...

What is puzzling me with this query is that the OP is indicating that someone who does not have a locally defined account is able to log in to the machine. (After they are logged in, one can connect to a Windows Server as whoever you like, which is a different problem.)

-- 
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup