Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 87

SUSE Linux Enterprise Server supports local home directories for AD users. If config-
ured through YaST as described in Section 5.3, "Configuring a Linux Client for Active
Directory" (page 74), user homes are created at the first login of a Windows (AD) user
into the Linux client. These home directories look and feel entirely the same as standard
Linux user home directories and work independently of the AD domain controller.
Using a local user home, it is possible to access a user's data on this machine, even
when the AD server is disconnected, if the Linux client has been configured to perform
offline authentication.
5.2.3 Offline Service and Policy Support
Users in a corporate environment must have the ability to become roaming users, for
example, to switch networks or even work disconnected for some time. To enable users
to log in to a disconnected machine, extensive caching was integrated into the winbind
daemon. The winbind daemon enforces password policies even in the offline state. It
tracks the number of failed login attempts and reacts according to the policies configured
in Active Directory. Offline support is disabled by default and must be explicitly enabled
in the YaST Domain Membership module.
As in Windows, when the domain controller has become unavailable, the user can still
access network resources (other than the AD server itself) with valid Kerberos tickets
that have been acquired before losing the connection. Password changes cannot be
processed unless the domain controller is online. While disconnected from the AD
server, a user cannot access any data stored on this server. When a workstation has be-
come disconnected from the network entirely and attaches to the corporate network
again later, SUSE Linux Enterprise Server acquires a new Kerberos ticket as soon as
the user has locked and unlocked the desktop (for example, using a desktop screen
saver).
Active Directory Support 73