[Samba] XP auto enrollment error; TEMP profile
Rowland Penny
rpenny at samba.org
Sun Oct 1 21:21:56 UTC 2017
On Sun, 1 Oct 2017 14:00:34 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:
> On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> > On Fri, 29 Sep 2017 18:27:29 -0700
> > ToddAndMargo via samba <samba at lists.samba.org> wrote:
> >
> >> Dear list,
> >>
> >> Help!
> >>
> >> I just upgraded a Samba server.
> >>
> >> Server:
> >> Fedora 26
> >> samba-4.6.8-0.fc26.x86_64
> >>
> >> Workstations (5 of them):
> >> XP Pro SP3
> >>
> >> The old server was set up as a Domain controller. I copied the
> >> smb.conf over to the new server.
> >>
> >> The XP workstations can see and mount everything.
> >>
> >> On the workstations, I removed myself from the old domain and
> >> rebooted, powered off the old server, reattached to the domain.
> >>
> >> Problem: when I log into the domain, I get the following in my
> >> error log and I get a stinking TEMP directory/profile.
> >>
> >> Event Type: Error
> >> Event Source: AutoEnrollment
> >> Event Category: None
> >> Event ID: 15
> >> Date: 9/29/2017
> >> Time: 4:33:10 PM
> >> User: N/A
> >> Computer: CURTIS-SCREW
> >> Description:
> >> Automatic certificate enrollment for local system failed to contact
> >> the active directory (0x8007054b). The specified domain either
> >> does not exist or could not be contacted.
> >> Enrollment will not be performed.
> >>
> >> For more information, see Help and Support Center at
> >> http://go.microsoft.com/fwlink/events.asp.
> >>
> >>
> >> Removing the temp profile from the registry and erasing the
> >> TEMP directory from Doc and Setting and rebooting does not help.
> >>
> >> What am I doing wrong?
> >>
> >
> > Quite a few things ;-)
> >
> > I understand that you have to use XP, but you don't have to use
> > NTLM; haven't you heard of 'WannaCry'?
> > Go here and read it: http://www.imss.caltech.edu/node/396
> >
> > Then you can remove these lines:
> >
> > lanman auth = yes
> > ntlm auth = yes
> >
> > Why have you got these lines? It isn't an AD DC.
> >
> > dns forwarder = 192.168.255.12
> > allow dns updates = nonsecure
> >
> > Is 'winbind' running? If it isn't, you do not need these lines:
> >
> > idmap config * : backend = tdb #
> > idmap config * : range = 1000000-1999999
> >
> > If it is running, they are not set up correctly.
> >
> > I would change 'name resolve order = host' to 'name resolve order =
> > wins host bcast'
> >
> > I would try this for the profiles:
> >
> > [profiles]
> > path = /exports/profiles/
> > read only = no
> > create mask = 0600
> > directory mask = 0700
> > browseable = no
> > csc policy = disable
> >
> > Also, if '/exports/profiles/' is an NFS share, I would stop using
> > it.
> >
> > Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> > Where you have this in '[printers]'
> >
> > public = yes
> > guest ok = no
> >
> > You are allowing guest access and then immediately stopping it.
> >
> > Rowland
> >
>
>
> Hi Rowland,
>
> Thank you!
>
> Okay, this is a bit humiliating. I have a bunch of clean up
> to do.
>
> Was there any one mistake I made in particular that would
> be causing the TEMP profile problem?
>
Not sure, probably the way the profiles share was set up, but if you
are, as you have said, moving to a workgroup, you won't need the
profiles.
Rowland
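The smb.conf points Rowland raises in his reply (lanman/ntlm auth left on, 'name resolve order = host', the profiles share missing csc policy and masks, and 'public' contradicting 'guest ok' in [printers]) can be checked mechanically before the file is deployed. The script below is an added example, not code from the thread or from the Samba project. The smb.conf it lints is constructed to mirror the lines quoted above, since the poster's full file is not on the page; the parser follows smb.conf's rules only as far as the linter needs (lines starting with ';' or '#' are comments, parameters split at the first '=', names are case-insensitive, the last occurrence of a parameter wins). It also flags the trailing '#' on the idmap backend line on the assumption that smbd takes everything after '=' as the value, since smb.conf has no end-of-line comments.

```python
"""Lint an smb.conf for the settings discussed in this thread (added example)."""
import re
import sys

# Constructed smb.conf that mirrors the settings quoted in the thread; the poster's
# real file is not on the page, so the surrounding parameters are assumptions.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MYDOM
    security = user
    domain logons = yes
    lanman auth = yes
    ntlm auth = yes
    name resolve order = host
    idmap config * : backend = tdb #
    idmap config * : range = 1000000-1999999

[profiles]
    path = /exports/profiles/
    read only = no

[printers]
    path = /var/spool/samba
    public = yes
    guest ok = no
"""

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def to_bool(value):
    """Interpret a Samba boolean; None if the value is not a recognised boolean."""
    v = value.strip().lower()
    return True if v in TRUE_WORDS else False if v in FALSE_WORDS else None


def parse_smb_conf(text):
    """Parse smb.conf text into {section: [(param, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:  # stray lines are ignored here
            continue
        name, value = line.split("=", 1)
        name = re.sub(r"\s+", " ", name.strip().lower())
        sections[current].append((name, value.strip()))  # value keeps any trailing '#'
    return sections


def last_value(params, name):
    """Effective value of a parameter: smbd keeps the last occurrence in a section."""
    value = None
    for key, val in params:
        if key == name:
            value = val
    return value


def lint(sections):
    """Return (section, finding) pairs for the problems raised in the thread."""
    findings = []
    glob = sections.get("global", [])
    # Weak authentication: LM hashes and NTLMv1 are both recoverable offline.
    if to_bool(last_value(glob, "lanman auth") or "no"):
        findings.append(("global", "lanman auth = yes enables LANMAN hashes; remove it"))
    if to_bool(last_value(glob, "ntlm auth") or "no"):
        findings.append(("global", "ntlm auth = yes re-enables NTLMv1; remove it"))
    nro = last_value(glob, "name resolve order")
    if nro is not None and nro.split() == ["host"]:
        findings.append(("global", "name resolve order = host; consider 'wins host bcast'"))
    for section, params in sections.items():
        for key, val in params:
            if "#" in val or ";" in val:  # no inline comments in smb.conf (assumption)
                findings.append((section, f"'{key}' value {val!r} carries an inline comment marker that becomes part of the value"))
        # 'public' is a synonym for 'guest ok'; when both appear, the last one wins.
        guest = [(k, to_bool(v)) for k, v in params if k in ("guest ok", "public")]
        if len(guest) > 1 and len({b for _, b in guest}) > 1:
            findings.append((section, f"'public' and 'guest ok' disagree; effective guest ok = {'yes' if guest[-1][1] else 'no'}"))
    # Roaming-profile share: no client-side caching, tight permissions.
    if "profiles" in sections:
        for needed, want in (("csc policy", "disable"), ("create mask", "0600"), ("directory mask", "0700")):
            if last_value(sections["profiles"], needed) is None:
                findings.append(("profiles", f"missing '{needed} = {want}'"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for section, finding in lint(parse_smb_conf(text)):
        print(f"[{section}] {finding}")
```

Run it as `python3 smbconf_lint.py /etc/samba/smb.conf` (the filename is assumed); with no argument it lints the constructed sample and reports all eight issues, including that 'guest ok' in [printers] is effectively 'no'. After editing, `testparm -s` prints the configuration as smbd will actually load it, which is the authoritative check for synonym and last-wins behaviour.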