[Samba] XP auto enrollment error; TEMP profile
ToddAndMargo at zoho.com
Sun Oct 1 21:00:34 UTC 2017
On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba at lists.samba.org> wrote:
>> Dear list,
>> I just upgraded a samba server.
>> Fedora 26
>> Workstations (5 of them):
>> XP Pro SP3
>> The old server was set up as a Domain controller. I copied the
>> smb.conf over to the new server.
>> The XP workstations can see and mount everything.
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>> Event Type: Error
>> Event Source: AutoEnrollment
>> Event Category: None
>> Event ID: 15
>> Date: 9/29/2017
>> Time: 4:33:10 PM
>> User: N/A
>> Computer: CURTIS-SCREW
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b). The specified domain either does
>> not exist or could not be contacted.
>> Enrollment will not be performed.
>> For more information, see Help and Support Center at
>> Removing the temp profile from the registry and erasing the
>> TEMP directory from Doc and Setting and rebooting does not help.
>> What am I doing wrong?
> Quite a few things ;-)
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry' ?
> Go here and read it: http://www.imss.caltech.edu/node/396
> Then you can remove these lines:
>     lanman auth = yes
>     ntlm auth = yes
> Why have you got these lines ? it isn't an AD DC
>     dns forwarder = 192.168.255.12
>     allow dns updates = nonsecure
> Is 'winbind' running ? if it isn't you do not need these lines:
>     idmap config * : backend = tdb #
>     idmap config * : range = 1000000-1999999
> If it is running, they are not set up correctly.
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
> I would try this for the profiles:
>     path = /exports/profiles/
>     read only = no
>     create mask = 0600
>     directory mask = 0700
>     browseable = no
>     csc policy = disable
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
>     public = yes
>     guest ok = no
> You are allowing guest access and then immediately stopping it.
Okay, this is a bit humiliating. I have a bunch of clean up
Was there any one mistake I made in particular that would
be causing the TEMP profile problem?
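
An added example, not part of the original thread and not Samba's own tooling: a small Python check for three of the smb.conf problems the quoted reply points out (LM/NTLM auth switched on, AD DC parameters on a server that is not an AD DC, and `public` contradicting `guest ok` in one section). The sample config is constructed from only the lines quoted above, and treating a `server role` of `active directory domain controller` as the marker for an AD DC is an assumption of this sketch.

```python
import re
# Constructed sample: only the lines quoted in the reply, not the poster's full smb.conf.
SAMPLE = """\
[global]
    lanman auth = yes
    ntlm auth = yes
    dns forwarder = 192.168.255.12
    allow dns updates = nonsecure
[printers]
    public = yes
    guest ok = no
"""
WEAK_AUTH = {"lanman auth", "ntlm auth"}
AD_DC_ONLY = {"dns forwarder", "allow dns updates"}
SYNONYMS = {"public": "guest ok"}  # per the reply: 'public' is a synonym for 'guest ok'
AD_DC_ROLE = "active directory domain controller"  # assumed 'server role' value

def parse(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise case and spacing
            current.append((SYNONYMS.get(key, key), value.strip()))
    return sections

def lint(text):
    """Return (section, parameter, problem) tuples for the issues named in the reply."""
    sections, findings = parse(text), []
    role = dict(sections.get("global", [])).get("server role", "")
    is_ad_dc = role.lower() == AD_DC_ROLE
    for name, params in sections.items():
        seen = {}
        for key, value in params:
            if key in WEAK_AUTH and value.lower() == "yes":
                findings.append((name, key, "legacy LM/NTLM authentication enabled"))
            if key in AD_DC_ONLY and not is_ad_dc:
                findings.append((name, key, "AD DC-only parameter on a non-AD DC"))
            if key in seen and seen[key].lower() != value.lower():
                findings.append((name, key, "set twice with conflicting values"))
            seen[key] = value
    return findings
```

Calling `lint(SAMPLE)` returns one finding per flagged line; the `[printers]` conflict is reported under `guest ok` because `public` is folded into it before comparison.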