Re: [Samba] XP auto enrollment error; TEMP profile
- Date: Sat, 30 Sep 2017 08:58:02 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] XP auto enrollment error; TEMP profile
On Fri, 29 Sep 2017 18:27:29 -0700
ToddAndMargo via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Dear list,
> I just upgraded a samba server.
> Fedora 26
> Workstations (5 of them):
> XP Pro SP3
> The old server was set up as a Domain controller. I copied the
> smb.conf over to the new server.
> The XP workstations can see and mount everything.
> On the workstations, I removed myself from the old domain and
> rebooted, powered off the old server, reattached to the domain.
> Problem: when I log into the domain, I get the following in my error
> log and I get a stinking TEMP directory/profile.
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 15
> Date: 9/29/2017
> Time: 4:33:10 PM
> User: N/A
> Computer: CURTIS-SCREW
> Automatic certificate enrollment for local system failed to contact
> the active directory (0x8007054b). The specified domain either does
> not exist or could not be contacted.
> Enrollment will not be performed.
> For more information, see Help and Support Center at
> Removing the temp profile from the registry and erasing the
> TEMP directory from Doc and Setting and rebooting does not help.
> What am I doing wrong?
Quite a few things ;-)
I understand that you have to use XP, but you don't have to use NTLM,
haven't you heard of 'WannaCry'?
Go here and read it: http://www.imss.caltech.edu/node/396
Then you can remove these lines:
lanman auth = yes
ntlm auth = yes
Why have you got these lines? It isn't an AD DC:
dns forwarder = 192.168.255.12
allow dns updates = nonsecure
Is 'winbind' running? If it isn't, you do not need these lines:
idmap config * : backend = tdb #
idmap config * : range = 1000000-1999999
If it is running, they are not set up correctly.
I would change 'name resolve order = host' to 'name resolve order =
wins host bcast'
I would try this for the profiles:
path = /exports/profiles/
read only = no
create mask = 0600
directory mask = 0700
browseable = no
csc policy = disable
Also, if '/exports/profiles/' is an NFS share, I would stop using it.
Finally, are you aware that 'public' is a synonym for 'guest ok' ?
Where you have this in '[printers]'
public = yes
guest ok = no
You are allowing guest access and then immediately stopping it.
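As an added example (not part of this thread, and not Samba's own code), a small Python linter that flags the smb.conf problems Rowland points out above: weak authentication protocols left enabled, a 'host'-only name resolve order, a profile share without 'csc policy = disable', and a share that sets one parameter twice through a synonym such as 'public'/'guest ok'. The sample configuration is constructed for the demonstration; a real smb.conf can be passed in as the text read from the file.

```python
# Constructed sample (not the original poster's file) reproducing each issue.
SAMPLE_SMB_CONF = """
[global]
    lanman auth = yes
    ntlm auth = yes
    name resolve order = host
[profiles]
    path = /exports/profiles/
    read only = no
[printers]
    public = yes
    guest ok = no
"""
SYNONYMS = {"public": "guest ok"}  # Samba treats both names as one parameter


def parse_smb_conf(text):
    """Return {section: [(param, value), ...]}, keeping order and duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections


def lint_smb_conf(text):
    """Return (section, message) findings for the issues the reply describes."""
    conf, findings = parse_smb_conf(text), []
    g = dict(conf.get("global", []))
    for weak in ("lanman auth", "ntlm auth"):  # weak auth protocols left enabled
        if g.get(weak, "no").lower() in ("yes", "true", "1"):
            findings.append(("global", f"'{weak} = yes' enables a weak protocol"))
    if g.get("name resolve order", "").split() == ["host"]:
        findings.append(("global", "name resolve order = host; try 'wins host bcast'"))
    if "profiles" in conf and dict(conf["profiles"]).get("csc policy") != "disable":
        findings.append(("profiles", "profile share lacks 'csc policy = disable'"))
    for section, params in conf.items():  # one parameter set twice via a synonym
        seen = {}
        for key, value in params:
            key = SYNONYMS.get(key, key)
            if key in seen and seen[key].lower() != value.lower():
                findings.append((section, f"'{key}' conflicts: {seen[key]} vs {value}"))
            seen[key] = value
    return findings
```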