[Samba] XP auto enrollment error; TEMP profile
gaiseric.vandal at gmail.com
Sat Sep 30 15:21:13 UTC 2017
If this is a customer rather than your employer you may find that you
need to just part ways, which I know isn't easy. If you provide a
customer with your professional advice, and they choose to ignore it,
then I think you can't really help them.
Is the customer using XP for all client machines or just select machines
that may run some legacy app?
Do you have at least one Win 7 machine? I would validate the
connections with the win 7 machine before you start trying to fix
XP. That would at least prove that the server is correct and XP is
If this is a "classic" domain controller then you DO have to use NTLM
(but definately NOT lanman.) If XP supports NTLMv2 then I think it
will negotiate that with Samba. I think Microsoft released patches
for XP for WanaCry, even tho XP is otherwise unsupported. So some of
the security concerns are partially mitigated. Although you should
make sure that the antivirus is enabled and that the machine is ONLY
used for the absolutely essential functions (no web browsing, no e-mail.)
Some of the default "signing" options in smb.conf may have changed with
the newer versions of samba. You may need to turn "server signing" ,
"client signing" and "client ipc signing" to off. You may also want to
check the server and client min and max protocol options on samba.
XP may have problems with SMB2.
Can you try using smbpasswd or pdbedit to precreate the machine
accounts ? I found sometimes certain attributes weren't properly
created when joining machines to domains.
On 09/30/17 03:58, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba at lists.samba.org> wrote:
>> Dear list,
>> I just upgrade a samba server.
>> Fedora 26
>> Workstations (5 of them):
>> XP Pro SP3
>> The old server was set up as a Domain controller. I copied the
>> smb.conf over to the new server.
>> The XP workstations can see and mount everything.
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>> Event Type: Error
>> Event Source: AutoEnrollment
>> Event Category: None
>> Event ID: 15
>> Date: 9/29/2017
>> Time: 4:33:10 PM
>> User: N/A
>> Computer: CURTIS-SCREW
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b). The specified domain either does
>> not exist or could not be contacted.
>> Enrollment will not be performed.
>> For more information, see Help and Support Center at
>> Removing the temp profile for the registry and erasing the
>> TEMP director from Doc and Setting and rebooting does not help.
>> What am I doing wrong?
> Quite a few things ;-)
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'wanacry' ?
> Go here and read it: http://www.imss.caltech.edu/node/396
> Then you can remove these lines:
> lanman auth = yes
> ntlm auth = yes
> Why have you got these lines ? it isn't an AD DC
> dns forwarder = 192.168.255.12
> allow dns updates = nonsecure
> Is 'winbind' running ? if it isn't you do not need these lines:
> idmap config * : backend = tdb #
> idmap config * : range = 1000000-1999999
> If it is running, they are not set up correctly.
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
> I would try this for the profiles:
> path = /exports/profiles/
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = no
> csc policy = disable
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
> public = yes
> guest ok = no
> You are allowing guest access and then immediately stopping it.
More information about the samba