[Samba] XP auto enrollment error; TEMP profile

Rowland Penny rpenny at samba.org
Sat Sep 30 07:58:02 UTC 2017 

On Fri, 29 Sep 2017 18:27:29 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:

> Dear list,
> 
> Help!
> 
> I just upgrade a samba server.
> 
> Server:
>     Fedora 26
>     samba-4.6.8-0.fc26.x86_64
> 
> Workstations (5 of them):
>     XP Pro SP3
> 
> The old server was set up as a Domain controller.  I copied the
> smb.conf over to the new server.
> 
> The XP workstations can see and mount everything.
> 
> On the workstations, I removed myself from the old domain and
> rebooted, powered off the old server, reattached to the domain.
> 
> Problem: when I log into the domain, I get the following in my error
> log and I get a stinking TEMP directory/profile.
> 
> Event Type:	Error
> Event Source:	AutoEnrollment
> Event Category:	None
> Event ID:	15
> Date:		9/29/2017
> Time:		4:33:10 PM
> User:		N/A
> Computer:	CURTIS-SCREW
> Description:
> Automatic certificate enrollment for local system failed to contact
> the active directory (0x8007054b).  The specified domain either does
> not exist or could not be contacted.
>    Enrollment will not be performed.
> 
> For more information, see Help and Support Center at 
> http://go.microsoft.com/fwlink/events.asp.
> 
> 
> Removing the temp profile for the registry and erasing the
> TEMP director from Doc and Setting and rebooting does not help.
> 
> What am I doing wrong?
> 

Quite a few things ;-)

I understand that you have to use XP, but you don't have to use NTLM,
haven't you heard of 'wanacry' ?
Go here and read it: http://www.imss.caltech.edu/node/396

Then you can remove these lines:

    lanman auth = yes
    ntlm auth = yes

Why have you got these lines ? it isn't an AD DC

    dns forwarder = 192.168.255.12
    allow dns updates = nonsecure

Is 'winbind' running ? if it isn't you do not need these lines:

    idmap config * : backend        = tdb #
    idmap config * : range          = 1000000-1999999

If it is running, they are not set up correctly.

I would change 'name resolve order = host' to 'name resolve order =
wins host bcast'

I would try this for the profiles:

[profiles]
    path = /exports/profiles/
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
    csc policy = disable

Also, if '/exports/profiles/' is an NFS share, I would stop using it.

Finally, are you aware that 'public' is a synonym for 'guest ok' ?
Where you have this in '[printers]'

    public = yes
    guest ok = no

You are allowing guest access and then immediately stopping it.

Rowland

More information about the samba mailing list