Re: [Samba] XP auto enrollment error; TEMP profile

On 10/02/2017 07:37 AM, Gaiseric Vandal via samba wrote:
The auto enrollment messages seem to indicate that the client machine thinks it is connecting to an AD domain.

The profile message is indicative of a domain membership problem, whether or not you are using roaming profiles.

Workgroup method is probably simplest, although my past experience was that even at 5 machines managing multiple users on multiple machines gets tricky. In theory, you have 30 passwords to set. If most people only use one computer then this is less of an issue.

Hi Gaiseric,

They only sit at their own machines.  On the rare occasion that they
sit on someone else's, they just use the other person's account.
They specifically have it set up that way.  They even see everyone
else's eMail (love iMap) by design.  (If a customer writes for something
and the recipient is out for the day, others automatically respond.)

Since I have to go to each machine and to set up either the workgroup
or a domain, it is the same amount of work.

I create a logon.bat script that I copy to everyone's start up that
mounts all their network drives with the right drive letters.  That
helps a lot.  And I set their "My Documents" to their "homes" drive.

For a small domain, I think the "classic PDC" can be simpler than a Samba AD domain controller. However I have not actually tried implementing a Samba AD domain controller primarily because it would not play well in our environment. Also, it relies on Heimdal Kerberos, which is not included in Fedora. I don't think the XP problems here are related to classic vs AD. That being said, I do understand that the "classic" domain model is not a long term solution.

Not specifically a Samba issue but remember the idea of "defense in depth." Many people think "I have a firewall, my network is safe" and "I have antivirus, my PCs are safe." You need a mix of client antivirus, system patching, application updates, backups, e-mail spam filtering, and user education. None of these have to be expensive. I think you can still run free Sophos AV on XP. Make sure no one is logging in with admin rights. The biggest threat vector, at least in my work, seems to be e-mail (either with malicious attachments or phishing links.) Anyway, that is my pitch from my soap box. You can take it or leave it.


I also consult on PCI (credit card security).  Under "D", it is
full out security.  I add (required by PCI) File Integrity Monitoring
(FIM) software to the mix.  Lets me know EVERYTHING that gets changed
on the computer.  It takes the users about a month to realize that too.
And about three stern lectures from their managers about playing video
poker on the Point-of-Sale machines.  Chuckle!  (I keep trying to get
their managers to get a second off point of sale network leg computer
for their other required Internet work, but ...)

Kaspersky's End Point Security Workstation still supports
XP.  It is excellent.  It also has a software out-of-date scanner
(poorly labeled "vulnerability scanner"), which is also required by
PCI.  I have Kaspersky set to eMail the managers when it catches
anything.   K's business line also has good America-based tech support.
(Their home product tech support stinks.)   Disclaimer: I am a Kaspersky
reseller.  (Yes, they are well aware of my opinion of the home
product support.)

As the old machines wear out, the XP issue will solve itself.

And now we have a problem.  On a box store computer this would be
the case.  But these are custom high reliability computers hand built
by me. The initial cost is about 30% higher than a store bought
computer, but the cost of ownership is maybe 1/4 to 1/10 of a box
store computer.  This is based on two to three migrations to new
box store computers over the life span of one of my computers.
The cost of migrating from a crashed computer to a new computer
is often multiple times more expensive than the new computer itself.
My computers are a real good bargain.

But ........     THEY     NEVER     DIE

So I may have to wait for every piece of software to stop working
before they finally give in and upgrade.  And then PRY the old one
out of their hands kicking and screaming!

Thank you for the tips!


