[Samba] XP auto enrollment error; TEMP profile

ToddAndMargo ToddAndMargo at zoho.com
Sun Oct 1 21:00:34 UTC 2017


On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba at lists.samba.org> wrote:
> 
>> Dear list,
>>
>> Help!
>>
>> I just upgraded a samba server.
>>
>> Server:
>>      Fedora 26
>>      samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>>      XP Pro SP3
>>
>> The old server was set up as a Domain controller.  I copied the
>> smb.conf over to the new server.
>>
>> The XP workstations can see and mount everything.
>>
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>>
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>>
>> Event Type:	Error
>> Event Source:	AutoEnrollment
>> Event Category:	None
>> Event ID:	15
>> Date:		9/29/2017
>> Time:		4:33:10 PM
>> User:		N/A
>> Computer:	CURTIS-SCREW
>> Description:
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b).  The specified domain either does
>> not exist or could not be contacted.
>>     Enrollment will not be performed.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> Removing the temp profile from the registry and erasing the
>> TEMP directory from Doc and Setting and rebooting does not help.
>>
>> What am I doing wrong?
>>
> 
> Quite a few things ;-)
> 
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry'?
> Go here and read it: http://www.imss.caltech.edu/node/396
> 
> Then you can remove these lines:
> 
>      lanman auth = yes
>      ntlm auth = yes
> 
> Why have you got these lines? It isn't an AD DC.
> 
>      dns forwarder = 192.168.255.12
>      allow dns updates = nonsecure
> 
> Is 'winbind' running? If it isn't, you do not need these lines:
> 
>      idmap config * : backend        = tdb #
>      idmap config * : range          = 1000000-1999999
> 
> If it is running, they are not set up correctly.
> 
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
> 
> I would try this for the profiles:
> 
> [profiles]
>      path = /exports/profiles/
>      read only = no
>      create mask = 0600
>      directory mask = 0700
>      browseable = no
>      csc policy = disable
> 
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
> 
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
> 
>      public = yes
>      guest ok = no
> 
> You are allowing guest access and then immediately stopping it.
> 
> Rowland
> 


Hi Rowland,

Thank you!

Okay, this is a bit humiliating.  I have a bunch of clean up
to do.

Was there any one mistake I made in particular that would
be causing the TEMP profile problem?


Many thanks,
-T
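As an added illustration (not part of the thread, and not a Samba tool), the following script parses a small constructed smb.conf and flags the configuration points Rowland raised above: the legacy `lanman auth`/`ntlm auth` settings, AD-DC-only DNS parameters on a non-AD server, idmap settings without winbind, and a `public`/`guest ok` conflict in a share. Whether winbind is running is passed in as a flag, since a static file cannot tell.

```python
from collections import OrderedDict

# Constructed sample carrying the problems discussed above (assumed values, not the poster's file).
SAMPLE_SMB_CONF = """\
[global]
    domain logons = yes
    lanman auth = yes
    ntlm auth = yes
    dns forwarder = 192.0.2.12
    allow dns updates = nonsecure
    idmap config * : backend = tdb #
    idmap config * : range = 1000000-1999999
[printers]
    public = yes
    guest ok = no
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}. Samba only ignores whole lines starting
    with '#' or ';', so a trailing '#' stays part of the value (see sample)."""
    conf, section = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, OrderedDict())
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[section][" ".join(key.lower().split())] = value  # normalise key spacing
    return conf

def audit_smb_conf(text, winbind_running=False):
    """Return (section, message) findings for the issues raised in the reply."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    for p in ("lanman auth", "ntlm auth"):
        if g.get(p, "").lower() == "yes":
            findings.append(("global", f"'{p} = yes' enables a legacy authentication method"))
    is_ad_dc = "active directory" in g.get("server role", "").lower()
    for p in ("dns forwarder", "allow dns updates"):
        if p in g and not is_ad_dc:
            findings.append(("global", f"'{p}' only applies to an AD DC"))
    if any(k.startswith("idmap config") for k in g) and not winbind_running:
        findings.append(("global", "idmap config set but winbind is not running"))
    for name, share in conf.items():
        if "public" in share and "guest ok" in share and share["public"].lower() != share["guest ok"].lower():
            findings.append((name, "'public' is a synonym for 'guest ok'; the values conflict"))
    return findings
```

Running `audit_smb_conf(SAMPLE_SMB_CONF)` lists six findings for the sample; on a real server, `testparm -s` gives the effective configuration to feed in.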