[Samba] XP auto enrollment error; TEMP profile
rpenny at samba.org
Sun Oct 1 21:21:56 UTC 2017
On Sun, 1 Oct 2017 14:00:34 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:
> On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> > On Fri, 29 Sep 2017 18:27:29 -0700
> > ToddAndMargo via samba <samba at lists.samba.org> wrote:
> >> Dear list,
> >> Help!
> >> I just upgrade a samba server.
> >> Server:
> >> Fedora 26
> >> samba-4.6.8-0.fc26.x86_64
> >> Workstations (5 of them):
> >> XP Pro SP3
> >> The old server was set up as a Domain controller. I copied the
> >> smb.conf over to the new server.
> >> The XP workstations can see and mount everything.
> >> On the workstations, I removed myself from the old domain and
> >> rebooted, powered off the old server, reattached to the domain.
> >> Problem: when I log into the domain, I get the following in my
> >> error log and I get a stinking TEMP directory/profile.
> >> Event Type: Error
> >> Event Source: AutoEnrollment
> >> Event Category: None
> >> Event ID: 15
> >> Date: 9/29/2017
> >> Time: 4:33:10 PM
> >> User: N/A
> >> Computer: CURTIS-SCREW
> >> Description:
> >> Automatic certificate enrollment for local system failed to contact
> >> the active directory (0x8007054b). The specified domain either
> >> does not exist or could not be contacted.
> >> Enrollment will not be performed.
> >> For more information, see Help and Support Center at
> >> http://go.microsoft.com/fwlink/events.asp.
> >> Removing the temp profile for the registry and erasing the
> >> TEMP director from Doc and Setting and rebooting does not help.
> >> What am I doing wrong?
> > Quite a few things ;-)
> > I understand that you have to use XP, but you don't have to use
> > NTLM, haven't you heard of 'wanacry' ?
> > Go here and read it: http://www.imss.caltech.edu/node/396
> > Then you can remove these lines:
> > lanman auth = yes
> > ntlm auth = yes
> > Why have you got these lines ? it isn't an AD DC
> > dns forwarder = 192.168.255.12
> > allow dns updates = nonsecure
> > Is 'winbind' running ? if it isn't you do not need these lines:
> > idmap config * : backend = tdb #
> > idmap config * : range = 1000000-1999999
> > If it is running, they are not set up correctly.
> > I would change 'name resolve order = host' to 'name resolve order =
> > wins host bcast'
> > I would try this for the profiles:
> > [profiles]
> > path = /exports/profiles/
> > read only = no
> > create mask = 0600
> > directory mask = 0700
> > browseable = no
> > csc policy = disable
> > Also, if '/exports/profiles/' is an NFS share, I would stop using
> > it.
> > Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> > Where you have this in '[printers]'
> > public = yes
> > guest ok = no
> > You are allowing guest access and then immediately stopping it.
> > Rowland
> Hi Rowland,
> Thank you!
> Okay, this is a bit humiliating. I have a bunch of clean up
> to do.
> Was there any one mistake I made in particular that would
> be causing the TEMP profile problem?
Not sure, probably the way the profiles share was set up, but if you
are, as you have said, moving to a workgroup, you wont need the
More information about the samba