
Re: [Samba] XP auto enrollment error; TEMP profile

On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Dear list,
>>
>> I just upgraded a samba server.
>>
>>      Fedora 26
>>
>> Workstations (5 of them):
>>      XP Pro SP3
>>
>> The old server was set up as a Domain controller.  I copied the
>> smb.conf over to the new server.
>>
>> The XP workstations can see and mount everything.
>>
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>>
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>>
>> Event Type:	Error
>> Event Source:	AutoEnrollment
>> Event Category:	None
>> Event ID:	15
>> Date:		9/29/2017
>> Time:		4:33:10 PM
>> User:		N/A
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b).  The specified domain either does
>> not exist or could not be contacted.
>>     Enrollment will not be performed.
>>
>> For more information, see Help and Support Center at
>>
>> Removing the temp profile for the registry and erasing the
>> TEMP directory from Doc and Setting and rebooting does not help.
>>
>> What am I doing wrong?
>
> Quite a few things ;-)
>
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry'?
> Go here and read it: http://www.imss.caltech.edu/node/396
>
> Then you can remove these lines:
>
>      lanman auth = yes
>      ntlm auth = yes
>
> Why have you got these lines? It isn't an AD DC
>
>      dns forwarder =
>      allow dns updates = nonsecure
>
> Is 'winbind' running? If it isn't, you do not need these lines:
>
>      idmap config * : backend        = tdb #
>      idmap config * : range          = 1000000-1999999
>
> If it is running, they are not set up correctly.
>
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
>
> I would try this for the profiles:
>
>      path = /exports/profiles/
>      read only = no
>      create mask = 0600
>      directory mask = 0700
>      browseable = no
>      csc policy = disable
>
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
>
> Finally, are you aware that 'public' is a synonym for 'guest ok'?
> Where you have this in '[printers]'
>
>      public = yes
>      guest ok = no
>
> You are allowing guest access and then immediately stopping it.


Hi Rowland,

Thank you!

Okay, this is a bit humiliating.  I have a bunch of cleanup
to do.

Was there any one mistake I made in particular that would
be causing the TEMP profile problem?

Many thanks,
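
An added example, not part of the original thread and not Samba's own code: a small Python check over smb.conf text for three of the issues raised in the quoted reply (the lanman/ntlm auth lines, AD DC parameters on a server that is not an AD DC, and a parameter set twice through a synonym). The sample config is constructed from the lines quoted in the thread; the function names and issue labels are hypothetical, and treating a server as an AD DC only when 'server role' says so explicitly is an assumption.

```python
import re

TRUE = {"yes", "true", "on", "1"}              # spellings Samba accepts for a true boolean
SYNONYMS = {"public": "guestok"}               # 'public' is a synonym for 'guest ok'
WEAK_AUTH = ("lanmanauth", "ntlmauth")         # the lines the reply says to remove
AD_DC_ONLY = ("dnsforwarder", "allowdnsupdates")
AD_DC_ROLE = "active directory domain controller"

SAMPLE = """\
[global]
    lanman auth = yes
    ntlm auth = yes
    dns forwarder =
    allow dns updates = nonsecure
[printers]
    public = yes
    guest ok = no
"""  # constructed from the settings quoted in the thread

def parse(text):  # -> {section: [(key, value), ...]} in file order
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()   # names ignore case and spaces
            current.append((SYNONYMS.get(key, key), value.strip().lower()))
    return sections

def audit(text):
    """Return (section, issue, parameter) tuples for the problems named in the reply."""
    sections = parse(text)
    is_dc = dict(sections.get("global", [])).get("serverrole") == AD_DC_ROLE
    findings = []
    for name, params in sections.items():
        seen = {}
        for key, value in params:
            if key in WEAK_AUTH and value in TRUE:
                findings.append((name, "weak-auth", key))
            if key in AD_DC_ONLY and not is_dc:
                findings.append((name, "ad-dc-only", key))
            if key in seen and seen[key] != value:   # same parameter set twice, differently
                findings.append((name, "conflict", key))
            seen[key] = value
    return findings
```

Calling audit(SAMPLE) returns one finding per flagged line, with parameter names in their normalized form (lowercase, spaces removed, synonyms folded together).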
