[Samba] XP auto enrollment error; TEMP profile

Gaiseric Vandal gaiseric.vandal at gmail.com
Sat Sep 30 15:21:22 UTC 2017

If this is a customer rather than your employer you may find that you 
need to just part ways, which I know isn't easy. If you provide a 
customer with your professional advice, and they choose to ignore it, 
then I think you can't really help them.

Is the customer using XP for all client machines or just select machines 
that may run some legacy app?

Do you have at least one Win 7 machine? I would validate the 
connections with the win 7 machine before you start trying to fix 
XP. That would at least prove that the server is correct and XP is 
the problem.

If this is a "classic" domain controller then you DO have to use NTLM 
(but definitely NOT lanman.) If XP supports NTLMv2 then I think it 
will negotiate that with Samba. I think Microsoft released patches 
for XP for WanaCry, even though XP is otherwise unsupported. So some of 
the security concerns are partially mitigated. Although you should 
make sure that the antivirus is enabled and that the machine is ONLY 
used for the absolutely essential functions (no web browsing, no e-mail.)

Some of the default "signing" options in smb.conf may have changed with 
the newer versions of samba. You may need to turn "server signing", 
"client signing" and "client ipc signing" to off. You may also want to 
check the server and client min and max protocol options on samba. 
XP may have problems with SMB2.

Can you try using smbpasswd or pdbedit to precreate the machine 
accounts? I found sometimes certain attributes weren't properly 
created when joining machines to domains.

On 09/30/17 03:58, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba at lists.samba.org> wrote:
>> Dear list,
>> Help!
>> I just upgraded a samba server.
>> Server:
>>      Fedora 26
>>      samba-4.6.8-0.fc26.x86_64
>> Workstations (5 of them):
>>      XP Pro SP3
>> The old server was set up as a Domain controller.  I copied the
>> smb.conf over to the new server.
>> The XP workstations can see and mount everything.
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>> Event Type:	Error
>> Event Source:	AutoEnrollment
>> Event Category:	None
>> Event ID:	15
>> Date:		9/29/2017
>> Time:		4:33:10 PM
>> User:		N/A
>> Computer:	CURTIS-SCREW
>> Description:
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b).  The specified domain either does
>> not exist or could not be contacted.
>>     Enrollment will not be performed.
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> Removing the temp profile for the registry and erasing the
>> TEMP directory from Doc and Setting and rebooting does not help.
>> What am I doing wrong?
> Quite a few things ;-)
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'wanacry' ?
> Go here and read it: http://www.imss.caltech.edu/node/396
> Then you can remove these lines:
>      lanman auth = yes
>      ntlm auth = yes
> Why have you got these lines? It isn't an AD DC
>      dns forwarder =
>      allow dns updates = nonsecure
> Is 'winbind' running? If it isn't you do not need these lines:
>      idmap config * : backend        = tdb #
>      idmap config * : range          = 1000000-1999999
> If it is running, they are not set up correctly.
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
> I would try this for the profiles:
> [profiles]
>      path = /exports/profiles/
>      read only = no
>      create mask = 0600
>      directory mask = 0700
>      browseable = no
>      csc policy = disable
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
>      public = yes
>      guest ok = no
> You are allowing guest access and then immediately stopping it.
> Rowland

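As an added example that is not part of this thread and not Samba's own tooling, here is a small POSIX shell audit that reads an smb.conf and flags the settings discussed above: "lanman auth" and "ntlm auth" left on, SMB1 still permitted by "server min protocol", and a share that sets "public" and "guest ok" to different values (the [printers] case Rowland points out). The sample smb.conf it writes is constructed for the example, and the function names conf_value, conf_sections, audit_smb_conf and audit_count are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an smb.conf for the weak or
# contradictory settings discussed in the thread. The sample config below
# is constructed for this example; point the functions at a real file instead.

SAMPLE_CONF="${TMPDIR:-/tmp}/smb.conf.audit-example"

cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    lanman auth = yes
    ntlm auth = yes
    server min protocol = NT1
    server signing = auto

[profiles]
    path = /exports/profiles/
    read only = no

[printers]
    public = yes
    guest ok = no
EOF

# Lower-case a string (Samba parameter values are case-insensitive).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# conf_value FILE SECTION KEY: print the trimmed value of KEY inside [SECTION],
# ignoring a trailing "# ..." or "; ..." comment. Prints nothing if unset.
conf_value() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                      # section header, e.g. [global]
            s = $0; sub(/^[[:space:]]*\[/, "", s)
            cur = substr(s, 1, index(s, "]") - 1); next
        }
        cur == sect && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v)
                sub(/[[:space:]]*[#;].*$/, "", v)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# conf_sections FILE: list section names, one per line (assumes no spaces in names).
conf_sections() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# audit_smb_conf FILE: print one "FINDING:" line per problem, then a summary.
audit_smb_conf() {
    conf="$1"
    count=0

    if [ "$(lc "$(conf_value "$conf" global 'lanman auth')")" = yes ]; then
        echo "FINDING: [global] lanman auth = yes (LM responses are trivially cracked; remove the line)"
        count=$((count + 1))
    fi
    if [ "$(lc "$(conf_value "$conf" global 'ntlm auth')")" = yes ]; then
        echo "FINDING: [global] ntlm auth = yes permits NTLMv1; XP SP3 can negotiate NTLMv2, so drop it"
        count=$((count + 1))
    fi
    case "$(lc "$(conf_value "$conf" global 'server min protocol')")" in
        nt1|lanman1|lanman2|core|coreplus)
            echo "FINDING: [global] server min protocol allows SMB1; keep this only while XP clients remain"
            count=$((count + 1)) ;;
    esac

    # 'public' and 'guest ok' are synonyms; setting both to different values
    # makes the effective setting depend on ordering, so flag it.
    for s in $(conf_sections "$conf"); do
        pub="$(lc "$(conf_value "$conf" "$s" public)")"
        guest="$(lc "$(conf_value "$conf" "$s" 'guest ok')")"
        if [ -n "$pub" ] && [ -n "$guest" ] && [ "$pub" != "$guest" ]; then
            echo "FINDING: [$s] public = $pub conflicts with guest ok = $guest (synonyms; keep one line)"
            count=$((count + 1))
        fi
    done
    echo "$count findings in $conf"
}

# audit_count FILE: number of FINDING lines (0 if clean).
audit_count() {
    audit_smb_conf "$1" | grep -c '^FINDING:' || true
}

audit_smb_conf "$SAMPLE_CONF"
```

Run `audit_smb_conf /etc/samba/smb.conf` on the real server to get the same report. Samba's own `testparm -s` is still worth running alongside it: it normalises the file and reports which value wins when synonyms such as "public" and "guest ok" disagree.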