[Samba] XP auto enrollment error; TEMP profile
Rowland Penny
rpenny at samba.org
Sat Sep 30 07:58:02 UTC 2017
On Fri, 29 Sep 2017 18:27:29 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:
> Dear list,
>
> Help!
>
> I just upgraded a Samba server.
>
> Server:
> Fedora 26
> samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
> XP Pro SP3
>
> The old server was set up as a Domain controller. I copied the
> smb.conf over to the new server.
>
> The XP workstations can see and mount everything.
>
> On the workstations, I removed myself from the old domain and
> rebooted, powered off the old server, reattached to the domain.
>
> Problem: when I log into the domain, I get the following in my error
> log and I get a stinking TEMP directory/profile.
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 15
> Date: 9/29/2017
> Time: 4:33:10 PM
> User: N/A
> Computer: CURTIS-SCREW
> Description:
> Automatic certificate enrollment for local system failed to contact
> the active directory (0x8007054b). The specified domain either does
> not exist or could not be contacted.
> Enrollment will not be performed.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Removing the temp profile from the registry and erasing the
> TEMP directory from Documents and Settings and rebooting does not help.
>
> What am I doing wrong?
>
Quite a few things ;-)
I understand that you have to use XP, but you don't have to use NTLM;
haven't you heard of 'WannaCry'?
Go here and read it: http://www.imss.caltech.edu/node/396
Then you can remove these lines:
lanman auth = yes
ntlm auth = yes
Why have you got these lines? It isn't an AD DC:
dns forwarder = 192.168.255.12
allow dns updates = nonsecure
Is 'winbind' running? If it isn't, you do not need these lines:
idmap config * : backend = tdb #
idmap config * : range = 1000000-1999999
If it is running, they are not set up correctly.
I would change 'name resolve order = host' to 'name resolve order = wins host bcast'.
I would try this for the profiles:
[profiles]
path = /exports/profiles/
read only = no
create mask = 0600
directory mask = 0700
browseable = no
csc policy = disable
Also, if '/exports/profiles/' is an NFS share, I would stop using it.
Finally, are you aware that 'public' is a synonym for 'guest ok' ?
Where you have this in '[printers]':
public = yes
guest ok = no
You are allowing guest access and then immediately stopping it.
Rowland
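The checks Rowland walks through above (LM/NTLM auth left enabled, idmap lines without winbind, a 'name resolve order' without wins, and 'public' contradicting its synonym 'guest ok') can be run mechanically against an smb.conf. The following linter is an added example written for this page, not code from the thread or from Samba; the sample config and the `winbind_running` flag are constructed assumptions, and the parser only handles the `key = value` layout shown in the thread.

```python
import configparser

# Constructed sample reproducing the settings called out in the thread
# (not the poster's real smb.conf).
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
lanman auth = yes
ntlm auth = yes
name resolve order = host
idmap config * : backend = tdb #
idmap config * : range = 1000000-1999999
[printers]
path = /var/spool/samba
public = yes
guest ok = no
"""

def load_smb_conf(text):
    """Parse smb.conf-style text. Only '=' delimits (idmap keys contain ':'),
    '#'/';' start comments, and duplicate keys are tolerated like smbd does."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   inline_comment_prefixes=("#", ";"),
                                   strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def lint_smb_conf(text, winbind_running=False):
    """Return (section, finding) tuples for the issues raised in the thread.
    winbind_running is an assumption passed in by the caller (hypothetical)."""
    cp = load_smb_conf(text)
    gname = next((s for s in cp.sections() if s.lower() == "global"), None)
    g = cp[gname] if gname else {}
    findings = []
    for opt in ("lanman auth", "ntlm auth"):            # weak auth Rowland says to remove
        if opt in g and is_yes(g[opt]):
            findings.append(("global", f"'{opt} = yes' enables LM/NTLM authentication"))
    nro = g.get("name resolve order", "")
    if nro and "wins" not in nro.split():
        findings.append(("global", "'name resolve order' does not include wins"))
    if not winbind_running and any(k.startswith("idmap config") for k in g):
        findings.append(("global", "idmap config lines present but winbind is not running"))
    for sec in cp.sections():                           # synonym check per share
        s = cp[sec]
        if "public" in s and "guest ok" in s and is_yes(s["public"]) != is_yes(s["guest ok"]):
            findings.append((sec, "'public' and 'guest ok' are synonyms but disagree"))
    return findings
```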