Samba PDC/BDC

Ben Scott dragonhawk at gmail.com
Mon Jan 16 13:30:20 EST 2006


On 1/16/06, klussier at comcast.net <klussier at comcast.net> wrote:
> If the Windows client can't find its authentication point, it creates a
> temporary profile on the system to allow login and deletes the profile when
> the user logs off (I hate myself for knowing this...).

  What you are describing are roaming user profiles, which are only
slightly related to authentication.

  When a user attempts to log on to a domain, the domain member
(client) will attempt to find a DC for the domain.  If a DC cannot be
found, the client will check to see if it has "cached credentials"
from a previous logon to that machine.  If so, the user will be logged
in using those cached credentials.  Otherwise, the logon will fail.

  Roaming profiles are unrelated to that, except that the DC informs
the client of the network location of the "master copy" (my term) of
the user profile.  (I'm told you can even set this without a domain at
all, although I've never gotten it to work right.)  When a roaming
profile location exists, the client will attempt to access the network
copy of the profile.  Assuming it succeeds, it will be copied to the
local machine, and used for the user's logon session.  On logoff,
changes are synchronized with the network again.

  If the network profile ("master copy") is *NOT* available, behavior
depends on history.  If the user has never logged on to the client
before, the behavior will be as you describe: A temporary profile is
created at logon, and discarded at logoff.  If the user has logged on
before, a (possibly very old) copy of their profile will already exist
locally.  The client will use that instead.  (This makes for confusion
when someone gets an old copy of their user profile due to a
combination of network unavailability and workstation sharing.)

  This doesn't even consider client folder redirection or offline
files, which introduce their own truckloads of worms.

> SSO is the act of providing a single username/password (or whatever the credentials
> method is) once for access to anything during any given logon session.

  I've encountered two usages for the term "SSO".  One is your usage:
"The user signs on once, and everything else derives from that."  The
other usage is, "The user has one sign-on [set of credentials], which
they use everywhere.  However, they may be asked to enter those same
credentials more than once."

  I'm not interested in debating the "correctness" of a particular
usage; just pointing out that there are two usages.

-- Ben "Knows too much about Windows" Scott
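Added example, not part of the original post: a PowerShell audit script a workstation administrator could run to check the two client-side behaviours the message describes, the cached-credentials fallback used when no DC can be found, and locally retained roaming profiles that may be served up as a stale copy when the network master copy is unavailable. It reads the standard Winlogon `CachedLogonsCount` registry value and the `Win32_UserProfile` CIM class; the function names `Get-CachedLogonPolicy` and `Get-StaleRoamingProfiles` and the 30-day threshold are assumptions chosen for this example.

```powershell
# Added example (not from the original post). Audits two things the message
# discusses on a Windows domain member: how many domain logons the client
# caches for use when no DC is reachable, and which locally stored roaming
# profiles are old enough to cause the "stale profile" confusion described.
# Function names and the default age threshold are assumptions for this
# example; the registry value and CIM class are standard Windows items.

function Get-CachedLogonPolicy {
    # CachedLogonsCount (a REG_SZ under Winlogon) controls how many distinct
    # domain users may log on with cached credentials when no DC answers.
    # A value of 0 disables cached logons entirely; 10 is the Windows default.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name 'CachedLogonsCount' `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    $count = if ($null -eq $raw) { 10 } else { [int]$raw }
    [pscustomobject]@{
        CachedLogonsCount    = $count
        OfflineLogonPossible = ($count -gt 0)
    }
}

function Get-StaleRoamingProfiles {
    param([int]$MaxAgeDays = 30)   # assumed threshold for "possibly very old"
    # Win32_UserProfile lists each locally stored profile, whether it is
    # configured to roam, and when it was last used. A roaming-configured,
    # unloaded profile that has sat here unused for a long time is the copy
    # the client falls back to if the network master copy is unreachable.
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.RoamingConfigured -and -not $_.Loaded -and -not $_.Special } |
        ForEach-Object {
            [pscustomobject]@{
                LocalPath   = $_.LocalPath
                RoamingPath = $_.RoamingPath
                LastUseTime = $_.LastUseTime
                Stale       = ($null -ne $_.LastUseTime -and $_.LastUseTime -lt $cutoff)
            }
        } |
        Where-Object { $_.Stale }
}

# Usage: run in an elevated PowerShell session on the workstation.
Get-CachedLogonPolicy
Get-StaleRoamingProfiles -MaxAgeDays 30 | Format-Table -AutoSize
```

Reading `CachedLogonsCount` tells you whether the "cached credentials" logon path described above is even available on a given client; a shared workstation with a non-zero value and several stale roaming profiles is the combination the message warns produces confusing old-profile logons.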



More information about the gnhlug-discuss mailing list