
Re: [Samba] XP auto enrollment error; TEMP profile
If this is a customer rather than your employer you may find that you need to just part ways, which I know isn't easy. If you provide a customer with your professional advice, and they choose to ignore it, then I think you can't really help them.

Is the customer using XP for all client machines or just select machines that may run some legacy app?

Do you have at least one Win 7 machine? I would validate the connections with the Win 7 machine before you start trying to fix XP. That would at least prove that the server is correct and XP is the problem.


If this is a "classic" domain controller then you DO have to use NTLM (but definitely NOT lanman.) If XP supports NTLMv2 then I think it will negotiate that with Samba. I think Microsoft released patches for XP for WanaCry, even though XP is otherwise unsupported. So some of the security concerns are partially mitigated. Although you should make sure that the antivirus is enabled and that the machine is ONLY used for the absolutely essential functions (no web browsing, no e-mail.)

Some of the default "signing" options in smb.conf may have changed with the newer versions of samba. You may need to turn "server signing", "client signing" and "client ipc signing" to off. You may also want to check the server and client min and max protocol options on samba. XP may have problems with SMB2.


Can you try using smbpasswd or pdbedit to precreate the machine accounts? I found sometimes certain attributes weren't properly created when joining machines to domains.

On 09/30/17 03:58, Rowland Penny via samba wrote:
On Fri, 29 Sep 2017 18:27:29 -0700
ToddAndMargo via samba <samba@xxxxxxxxxxxxxxx> wrote:

Dear list,

Help!

I just upgraded a samba server.

Server:
     Fedora 26
     samba-4.6.8-0.fc26.x86_64

Workstations (5 of them):
     XP Pro SP3

The old server was set up as a Domain controller.  I copied the
smb.conf over to the new server.

The XP workstations can see and mount everything.

On the workstations, I removed myself from the old domain and
rebooted, powered off the old server, reattached to the domain.

Problem: when I log into the domain, I get the following in my error
log and I get a stinking TEMP directory/profile.

Event Type:	Error
Event Source:	AutoEnrollment
Event Category:	None
Event ID:	15
Date:		9/29/2017
Time:		4:33:10 PM
User:		N/A
Computer:	CURTIS-SCREW
Description:
Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b).  The specified domain either does
not exist or could not be contacted.
    Enrollment will not be performed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Removing the temp profile from the registry and erasing the
TEMP directory from Doc and Setting and rebooting does not help.

What am I doing wrong?

Quite a few things ;-)

I understand that you have to use XP, but you don't have to use NTLM,
haven't you heard of 'wanacry'?
Go here and read it: http://www.imss.caltech.edu/node/396

Then you can remove these lines:

     lanman auth = yes
     ntlm auth = yes

Why have you got these lines? It isn't an AD DC.

     dns forwarder = 192.168.255.12
     allow dns updates = nonsecure

Is 'winbind' running? If it isn't, you do not need these lines:

     idmap config * : backend        = tdb #
     idmap config * : range          = 1000000-1999999

If it is running, they are not set up correctly.

I would change 'name resolve order = host' to 'name resolve order =
wins host bcast'

I would try this for the profiles:

[profiles]
     path = /exports/profiles/
     read only = no
     create mask = 0600
     directory mask = 0700
     browseable = no
     csc policy = disable

Also, if '/exports/profiles/' is an NFS share, I would stop using it.

Finally, are you aware that 'public' is a synonym for 'guest ok' ?
Where you have this in '[printers]'

     public = yes
     guest ok = no

You are allowing guest access and then immediately stopping it.

Rowland
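As an added example (not code from this thread and not Samba's own tooling), here is a small Python linter that reads an smb.conf and flags the settings the two replies above argue over: lanman and NTLMv1 authentication, SMB signing turned off, an SMB1 minimum protocol, and the 'public' / 'guest ok' contradiction Rowland spotted in '[printers]'. The parser and the `lint` function are hypothetical helpers; the parameter names are real smb.conf parameters, and the embedded SAMPLE_SMB_CONF is constructed for the demo to mirror fragments quoted in the thread rather than anyone's real configuration.

```python
"""Lint an smb.conf for the weak-auth and share-access settings discussed above.
Hypothetical helper, not Samba's own tooling; the parameter names are real smb.conf
parameters, and SAMPLE_SMB_CONF is constructed to mirror fragments quoted in the thread."""
import re
from typing import Dict, List, Optional, Tuple

Config = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str]  # (section, parameter, problem)

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}
SIGNING_OFF = {"disabled", "off", "no", "false"}
SMB1_DIALECTS = {"nt1", "lanman1", "lanman2", "core", "coreplus"}

# Constructed sample: classic-DC style global section plus the [printers] lines
# Rowland pointed out. Values are placeholders, not a real deployment.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    lanman auth = yes
    ntlm auth = yes
    server signing = off
    server min protocol = NT1
    name resolve order = wins host bcast

[printers]
    path = /var/spool/samba
    printable = yes
    public = yes
    guest ok = no
"""


def parse_smb_conf(text: str) -> Config:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Keys are lower-cased with whitespace collapsed; whole-line comments (# or ;)
    are skipped; values keep everything after '=' with outer whitespace trimmed."""
    conf: Config = {"global": {}}
    section = "global"  # parameters before the first header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def as_bool(value: Optional[str]) -> Optional[bool]:
    """Samba boolean spellings -> True/False; None when unset or not boolean."""
    v = (value or "").strip().lower()
    return True if v in TRUE_WORDS else False if v in FALSE_WORDS else None


def lint(conf: Config) -> List[Finding]:
    """Return risky settings as (section, parameter, problem) triples."""
    out: List[Finding] = []
    g = conf.get("global", {})
    if as_bool(g.get("lanman auth")) is True:
        out.append(("global", "lanman auth", "LanMan auth enabled; LM hashes are trivially recovered"))
    if g.get("ntlm auth", "").lower() in TRUE_WORDS | {"ntlmv1-permitted"}:
        out.append(("global", "ntlm auth", "NTLMv1 permitted; prefer 'ntlmv2-only'"))
    for key in ("server signing", "client signing", "client ipc signing"):
        if g.get(key, "").lower() in SIGNING_OFF:
            out.append(("global", key, "SMB signing disabled; sessions can be tampered with in transit"))
    for key in ("server min protocol", "client min protocol"):
        if g.get(key, "").lower() in SMB1_DIALECTS:
            out.append(("global", key, "SMB1 dialect still negotiable"))
    for name, share in conf.items():
        if name == "global":
            continue
        public, guest = as_bool(share.get("public")), as_bool(share.get("guest ok"))
        if public is not None and guest is not None and public != guest:
            out.append((name, "public / guest ok",
                        "'public' is a synonym for 'guest ok'; the two lines contradict each other"))
        elif True in (public, guest):
            out.append((name, "guest ok", "unauthenticated guest access enabled"))
    return out


if __name__ == "__main__":
    for section, param, problem in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {param}: {problem}")
```

Run against the constructed sample it reports five findings (lanman auth, ntlm auth, server signing, server min protocol, and the '[printers]' contradiction); point it at a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())` after a change like the ones suggested in the thread to confirm the flagged lines are gone. Keys are normalised so spacing and case variants of a parameter name still match, but the reader deliberately does not interpret `include` or `config file` directives, so lint each included file separately.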