
Re: [Samba] XP auto enrollment error; TEMP profile




On 09/30/2017 08:21 AM, Gaiseric Vandal via samba wrote:
If this is a customer rather than your employer you may find that you need to just part ways, which I know isn't easy. If you provide a customer with your professional advice, and they choose to ignore it, then I think you can't really help them.

Hi Gaiseric,

Easier said than done.  We are still suffering from the endless
recession out in these parts, although things have started to
SLOWLY change over the last 10 months.  If I do not accommodate
the customer's wishes, I will not be able to feed my family.  And
replacing the customer is impossible in this business climate.
Bear in mind that I am considered an unnecessary expense to be
eliminated.  At least this customer has not accused me of writing
viruses so I can charge to remove them.  I am between a rock and
a hard place.  I either fix this or lose my shirt.


Is the customer using XP for all client machines or just select machines that may run some legacy app?

The app will run on any version of Windows.  The reason for the XP
is that the customer doesn't believe in fixing what ain't broke.
(That is a conspiracy to separate him from his money don't you know).


Do you have at least one Win 7 machine?

Not a single one!

I would validate the connections with the win 7 machine before you start trying to fix XP. That would at least prove that the server is correct and XP is the problem.


If this is a "classic" domain controller then you DO have to use NTLM (but definitely NOT lanman.) If XP supports NTLMv2 then I think it will negotiate that with Samba. I think Microsoft released patches for XP for WannaCry, even though XP is otherwise unsupported. So some of the security concerns are partially mitigated. Although you should make sure that the antivirus is enabled and that the machine is ONLY used for the absolutely essential functions (no web browsing, no e-mail.)

Some of the default "signing" options in smb.conf may have changed with the newer versions of samba. You may need to turn "server signing", "client signing" and "client ipc signing" to off. You may also want to check the server and client min and max protocol options on samba. XP may have problems with SMB2.


Can you try using smbpasswd or pdbedit to precreate the machine accounts? I found sometimes certain attributes weren't properly created when joining machines to domains.

I used smbpasswd.   And I am using DDNS (Dynamic Domain Name Service).
Each computer showed up in both my forward and reverse tables.

I am not much of a fan of Domain Controllers.  This is five computers
and I just don't see that it is worth the effort for any "perceived"
extra functionality.  So I am slowly reverting them back to a
workgroup.

Thank you for the help!

-T

Oh and this server (Fedora 26) is an upgrade from his old
CentOS 5 server.  Talk about out-of-date!
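
An added example, not part of the original messages and not Samba project code: a small Python audit that lists which of the legacy-compatibility settings mentioned in this thread (signing, min protocol, LANMAN/NTLM auth) are explicitly set in the `[global]` section of an smb.conf, so they can be tracked and reverted once the XP clients are gone. The sample config, function names and notes are constructed for illustration; only explicitly set values are reported, since defaults differ between Samba versions.

```python
import re

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # all pre-SMB2
OFF = {"off", "no", "false", "0", "disabled"}
ON = {"on", "yes", "true", "1"}

# Constructed sample for illustration; not the poster's smb.conf.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Server Signing = off
   client ipc signing = auto
   server min protocol = NT1
   lanman auth = no
   ntlm auth = yes
[homes]
   lanman auth = yes
"""

def parse_global(text):
    """Return {name: value} for [global]; names lowercased, spaces removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """List (parameter, value, note) for explicitly set legacy-compat options."""
    p, out = parse_global(text), []
    for name in ("serversigning", "clientsigning", "clientipcsigning"):
        if p.get(name, "").lower() in OFF:
            out.append((name, p[name], "SMB signing disabled"))
    for name in ("serverminprotocol", "clientminprotocol"):
        if p.get(name, "").upper() in SMB1_DIALECTS:
            out.append((name, p[name], "SMB1 dialects permitted"))
    if p.get("lanmanauth", "").lower() in ON:
        out.append(("lanmanauth", p["lanmanauth"], "LANMAN hashes accepted"))
    if p.get("ntlmauth", "").lower() in ON | {"ntlmv1-permitted"}:
        out.append(("ntlmauth", p["ntlmauth"], "NTLMv1 accepted"))
    return out
```

Calling `audit()` on the contents of the server's smb.conf returns one tuple per weakened setting; an empty list means none of these options is set explicitly.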


