XP auto enrollment error; TEMP profile

XP auto enrollment error; TEMP profile

Samba - General mailing list
Dear list,

Help!

I just upgraded a samba server.

Server:
    Fedora 26
    samba-4.6.8-0.fc26.x86_64

Workstations (5 of them):
    XP Pro SP3

The old server was set up as a Domain controller.  I copied the
smb.conf over to the new server.

The XP workstations can see and mount everything.

On the workstations, I removed myself from the old domain and rebooted,
powered off the old server, reattached to the domain.

Problem: when I log into the domain, I get the following in my error log
and I get a stinking TEMP directory/profile.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 9/29/2017
Time: 4:33:10 PM
User: N/A
Computer: CURTIS-SCREW
Description:
Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b).  The specified domain either does not
exist or could not be contacted.
   Enrollment will not be performed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Removing the temp profile from the registry and erasing the
TEMP directory from Documents and Settings and rebooting does not help.

What am I doing wrong?

-T

my smb.conf:

[global]
    workgroup = xxxxx
    server string = Fedora Samba Server
    volume = Fedora Core, %v
    comment = Samba (NetBIOS) Server on FedoraServer.xxxx.com
    netbios name = FedoraServer
    dns forwarder = 192.168.255.12
    allow dns updates = nonsecure
    interfaces = eno1 127.0.0.1
    hosts deny = ALL
    hosts allow = 192.168.255. 127.0.0.
    lanman auth = yes
    ntlm auth = yes
    printcap name = /etc/printcap
    show add printer wizard = No
    load printers = yes
    printing = BSD
    guest account = pcguest
    log file = /var/log/samba/samba-log.%m
    log level = 4 passdb:10 auth:10
    follow symlinks = yes
    wide links = no
    locking = yes
    strict locking = no
    security = user
    smb passwd file = /etc/samba/smbpasswd
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passdb backend = smbpasswd
    username map = /etc/samba/smbusers
    os level = 64
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    idmap config * : backend        = tdb
    idmap config * : range          = 1000000-1999999
    add user script = /usr/sbin/useradd -m -G users '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -A '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon script = scripts/logon.bat
    logon path = /exports/netlogon
    logon drive = X:
    wins support = yes
    name resolve order = host
    dns proxy = yes
    deadtime = 20160
    force create mode = 0000
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes

[profiles]
    # https://www.ccs.uky.edu/docs/samba.htm
    # create mode = 0600
    # directory mode = 0700
    create mode = 0777
    directory mode = 0777
    path = /exports/profiles/
    profile acls = yes
    read only = no
    writable = yes

[public]
    comment = Public on xxxxx FedoraServer -- Mount as F:
    path = /exports/public
    valid users = @users
    write list = @users
    force group = users
    force user = public
    locking = yes
    oplocks = no
    fake oplocks = no
    level2 oplocks = no
    strict locking = no
    blocking locks = no
    public = no
    writable = yes
    printable = no
    browseable = yes
    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes

[homes]
    comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
    path=/home/%u/Documents
    valid users = @users
    write list = @users
    read only = no
    create mode = 0750
    public = no
    writable = yes
    printable = no
    browseable = no

    create mode = 0777
    force directory mode = 0000
    directory mode = 0777
    map archive = yes
    map system = yes
    map hidden = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    public = yes
    guest ok = no
    writeable = no
    printable = yes

[netlogon]
    comment = Network Logon Service (X:)
    path = /exports/netlogon
    public = no
    writeable = no
    # set browseable to "no" if you don't want everyone to be able to browse the scripts
    browsable = yes







--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: XP auto enrollment error; TEMP profile

Samba - General mailing list


On 30.09.2017 at 03:27, ToddAndMargo via samba wrote:

> I just upgraded a samba server.
>
> Server:
>     Fedora 26
>     samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
>     XP Pro SP3
>
> What am I doing wrong?

Running Windows XP in 2017 and upgrading anything else.


Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
On 09/29/2017 06:40 PM, Reindl Harald via samba wrote:

>
>
> On 30.09.2017 at 03:27, ToddAndMargo via samba wrote:
>> I just upgraded a samba server.
>>
>> Server:
>>     Fedora 26
>>     samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>>     XP Pro SP3
>>
>> What am I doing wrong?
>
> Running Windows XP in 2017 and upgrading anything else.

I have no choice.  I must get this working.  I have
no control over what the customer decided to do
with his money.  I am lucky he even decided
to upgrade the server.





Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Fri, 29 Sep 2017 18:27:29 -0700
ToddAndMargo via samba <[hidden email]> wrote:

> Dear list,
>
> Help!
>
> I just upgraded a samba server.
>
> Server:
>     Fedora 26
>     samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
>     XP Pro SP3
>
> The old server was set up as a Domain controller.  I copied the
> smb.conf over to the new server.
>
> The XP workstations can see and mount everything.
>
> On the workstations, I removed myself from the old domain and
> rebooted, powered off the old server, reattached to the domain.
>
> Problem: when I log into the domain, I get the following in my error
> log and I get a stinking TEMP directory/profile.
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 15
> Date: 9/29/2017
> Time: 4:33:10 PM
> User: N/A
> Computer: CURTIS-SCREW
> Description:
> Automatic certificate enrollment for local system failed to contact
> the active directory (0x8007054b).  The specified domain either does
> not exist or could not be contacted.
>    Enrollment will not be performed.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Removing the temp profile from the registry and erasing the
> TEMP directory from Documents and Settings and rebooting does not help.
>
> What am I doing wrong?
>

Quite a few things ;-)

I understand that you have to use XP, but you don't have to use NTLM;
haven't you heard of 'WannaCry'?
Go here and read it: http://www.imss.caltech.edu/node/396

Then you can remove these lines:

    lanman auth = yes
    ntlm auth = yes

Why have you got these lines? It isn't an AD DC:

    dns forwarder = 192.168.255.12
    allow dns updates = nonsecure

Is 'winbind' running? If it isn't, you do not need these lines:

    idmap config * : backend        = tdb
    idmap config * : range          = 1000000-1999999

If it is running, they are not set up correctly.

I would change 'name resolve order = host' to 'name resolve order =
wins host bcast'

I would try this for the profiles:

[profiles]
    path = /exports/profiles/
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
    csc policy = disable

Also, if '/exports/profiles/' is an NFS share, I would stop using it.

Finally, are you aware that 'public' is a synonym for 'guest ok' ?
Where you have this in '[printers]'

    public = yes
    guest ok = no

You are allowing guest access and then immediately stopping it.

Rowland


Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
If this is a customer rather than your employer you may find that you
need to just part ways, which I know isn't easy.   If you provide a
customer with your professional advice, and they choose to ignore it,
then I think you can't really help them.

Is the customer using XP for all client machines or just select machines
that may run some legacy app?

Do you have at least one Win 7 machine?   I would validate the
connections with the win 7 machine before you start trying to fix
XP.     That would at least prove that the server is correct and XP is
the problem.


If this is a "classic" domain controller then you DO have to use NTLM
(but definitely NOT lanman.)  If XP supports NTLMv2 then I think it
will negotiate that with Samba.  I think Microsoft released patches
for XP for WannaCry, even though XP is otherwise unsupported.  So some of
the security concerns are partially mitigated.  Although you should
make sure that the antivirus is enabled and that the machine is ONLY
used for the absolutely essential functions (no web browsing, no e-mail.)

Some of the default "signing" options in smb.conf may have changed with
the newer versions of samba.  You may need to turn "server signing",
"client signing" and "client ipc signing" to off. You may also want to
check the server and client min and max protocol options on samba.
XP may have problems with SMB2.


Can you try using smbpasswd  or pdbedit to precreate the machine
accounts ?   I found sometimes certain attributes weren't properly
created when joining machines to domains.







On 09/30/17 03:58, Rowland Penny via samba wrote:

> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <[hidden email]> wrote:
>
>> Dear list,
>>
>> Help!
>>
>> I just upgraded a samba server.
>>
>> Server:
>>      Fedora 26
>>      samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>>      XP Pro SP3
>>
>> The old server was set up as a Domain controller.  I copied the
>> smb.conf over to the new server.
>>
>> The XP workstations can see and mount everything.
>>
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>>
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>>
>> Event Type: Error
>> Event Source: AutoEnrollment
>> Event Category: None
>> Event ID: 15
>> Date: 9/29/2017
>> Time: 4:33:10 PM
>> User: N/A
>> Computer: CURTIS-SCREW
>> Description:
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b).  The specified domain either does
>> not exist or could not be contacted.
>>     Enrollment will not be performed.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> Removing the temp profile from the registry and erasing the
>> TEMP directory from Documents and Settings and rebooting does not help.
>>
>> What am I doing wrong?
>>
> Quite a few things ;-)
>
> I understand that you have to use XP, but you don't have to use NTLM;
> haven't you heard of 'WannaCry'?
> Go here and read it: http://www.imss.caltech.edu/node/396
>
> Then you can remove these lines:
>
>      lanman auth = yes
>      ntlm auth = yes
>
> Why have you got these lines? It isn't an AD DC:
>
>      dns forwarder = 192.168.255.12
>      allow dns updates = nonsecure
>
> Is 'winbind' running? If it isn't, you do not need these lines:
>
>      idmap config * : backend        = tdb
>      idmap config * : range          = 1000000-1999999
>
> If it is running, they are not set up correctly.
>
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
>
> I would try this for the profiles:
>
> [profiles]
>      path = /exports/profiles/
>      read only = no
>      create mask = 0600
>      directory mask = 0700
>      browseable = no
>      csc policy = disable
>
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
>
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
>
>      public = yes
>      guest ok = no
>
> You are allowing guest access and then immediately stopping it.
>
> Rowland
>


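
As an added example, not code from the thread or from the Samba project: a small Python lint that reads an smb.conf and reports the settings Rowland's reply calls out (lanman auth and ntlm auth enabled, the AD-DC-only DNS parameters on a classic PDC, a name resolve order that never consults WINS, the public/guest ok synonym clash, and a profiles share without the 0600/0700 masks or csc policy = disable). Both configs inside it are constructed for the example, modelled on the posted smb.conf rather than copied from it; the second is the same shares with the advice applied and should come back clean. It flags ntlm auth = yes rather than NTLM as such, which is where Gaiseric's caveat lands: a classic PDC does need NTLM, but recent Samba defaults already accept NTLMv2 responses, so that line only buys anything if the XP clients are still sending NTLMv1. It is a text check only; testparm remains the tool for validating the file.

```python
"""Lint an smb.conf for the settings discussed in this thread.
Added example: not Samba project code, and a text check only (not testparm)."""
import configparser
from typing import List, Optional, Tuple

# Constructed sample, modelled on (not copied from) the smb.conf posted above.
WEAK_SMB_CONF = """\
[global]
    lanman auth = yes
    ntlm auth = yes
    dns forwarder = 192.168.255.12
    allow dns updates = nonsecure
    wins support = yes
    name resolve order = host
[profiles]
    path = /exports/profiles/
    create mode = 0777
    directory mode = 0777
    read only = no
[printers]
    path = /var/spool/samba
    public = yes
    guest ok = no
    printable = yes
"""

# The same shares with the advice from the replies applied.
HARDENED_SMB_CONF = """\
[global]
    wins support = yes
    name resolve order = wins host bcast
[profiles]
    path = /exports/profiles/
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
    csc policy = disable
[printers]
    path = /var/spool/samba
    guest ok = no
    printable = yes
"""

YES = {"yes", "true", "1"}
AD_DC_ONLY = ("dns forwarder", "allow dns updates")  # meaningless on a PDC
Finding = Tuple[str, str]  # (section name, message)


def parse(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like, but '%u' substitutions, ':' inside option names
    # and repeated options all trip configparser's defaults; turn them off.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return cp


def last_of(section, *names) -> Optional[str]:
    # Samba synonyms ('create mode'/'create mask', 'public'/'guest ok'):
    # whichever is written last wins, so report that one.
    order = list(section.keys())
    present = [n for n in names if n in section]
    return section[max(present, key=order.index)] if present else None


def audit(text: str) -> List[Finding]:
    cp = parse(text)
    g = cp["global"]
    out: List[Finding] = []
    is_ad_dc = "active directory" in g.get("server role", "").lower()
    if g.get("lanman auth", "no").lower() in YES:
        out.append(("global", "lanman auth = yes: LM responses accepted (default is no)"))
    if g.get("ntlm auth", "no").lower() in YES:
        out.append(("global", "ntlm auth = yes: NTLMv1 accepted; default allows NTLMv2 only"))
    for opt in AD_DC_ONLY:
        if opt in g and not is_ad_dc:
            out.append(("global", f"{opt}: only used by an AD DC, and this is not one"))
    if (g.get("wins support", "no").lower() in YES
            and "wins" not in g.get("name resolve order", "").split()):
        out.append(("global", "wins support = yes but 'name resolve order' never asks WINS"))
    for name in cp.sections():
        s = cp[name]
        if "public" in s and "guest ok" in s:
            out.append((name, "'public' and 'guest ok' are the same option; "
                              f"effective value is {last_of(s, 'public', 'guest ok')}"))
        if name == "profiles":
            masks = (last_of(s, "create mode", "create mask"),
                     last_of(s, "directory mode", "directory mask"))
            if masks != ("0600", "0700"):
                out.append((name, "profiles want create mask = 0600 / directory mask = 0700"))
            if s.get("csc policy", "manual").lower() != "disable":
                out.append((name, "csc policy should be 'disable' on a profiles share"))
    return out
```

Point audit() at the real file with audit(open("/etc/samba/smb.conf").read()). It raises KeyError when there is no [global] section, and it only knows the handful of defaults it checks, so an empty result means "none of these", not "clean".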


Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
On 09/30/2017 08:21 AM, Gaiseric Vandal via samba wrote:
> If this is a customer rather than your employer you may find that you
> need to just part ways, which I know isn't easy.   If you provide a
> customer with your professional advice, and they choose to ignore it,
> then I think you can't really help them.

Hi Gaiseric,

Easier said than done.  We are still suffering from the endless
recession out in these parts, although things have started to
SLOWLY change over the last 10 months.  If I do not accommodate
the customer's wishes, I will not be able to feed my family.  And
replacing the customer is impossible in this business climate.
Bear in mind that I am considered an unnecessary expense to be
eliminated.  At least this customer has not accused me of writing
viruses so I can charge to remove them.  I am between a rock and
a hard place.  I either fix this or lose my shirt.

>
> Is the customer using XP for all client machines or just select machines
> that may run some legacy app?

The app will run on any version of Windows.  The reason for the XP
is that the customer doesn't believe in fixing what ain't broke.
(That is a conspiracy to separate him from his money don't you know).

>
> Do you have at least one Win 7 machine?  

Not a single one!

> I would validate the
> connections with the win 7 machine before you start trying to fix
> XP.     That would at least prove that the server is correct and XP is
> the problem.
>
>
> If this is a "classic" domain controller then you DO have to use NTLM
> (but definitely NOT lanman.)  If XP supports NTLMv2 then I think it
> will negotiate that with Samba.  I think Microsoft released patches
> for XP for WannaCry, even though XP is otherwise unsupported.  So some of
> the security concerns are partially mitigated.  Although you should
> make sure that the antivirus is enabled and that the machine is ONLY
> used for the absolutely essential functions (no web browsing, no e-mail.)
>
> Some of the default "signing" options in smb.conf may have changed with
> the newer versions of samba.  You may need to turn "server signing" ,
> "client signing" and "client ipc signing" to off. You may also want to
> check the server and client min and max protocol options on samba. XP
> may have problems with SMB2.
>
>
> Can you try using smbpasswd  or pdbedit to precreate the machine
> accounts ?   I found sometimes certain attributes weren't properly
> created when joining machines to domains.

I used smbpasswd.   And I am using DDNS (Dynamic Domain Name Service).
Each computer showed up in both my forward and reverse tables.

I am not much of a fan of Domain Controllers.  This is five computers
and I just don't see that it is worth the effort for any "perceived"
extra functionality.  So I am slowly reverting them back to a
workgroup.

Thank you for the help!

-T

Oh and this server (Fedora 26) is an upgrade from his old
CentOS 5 server.  Talk about out-of-date!




Re: XP auto enrollment error; TEMP profile

Samba - General mailing list


On 01.10.2017 at 22:43, ToddAndMargo via samba wrote:
>> Is the customer using XP for all client machines or just select
>> machines that may run some legacy app?
>
> The app will run on any version of Windows.  The reason for the XP
> is that the customer doesn't believe in fixing what ain't broke

it's your job to explain to him that *it is broken*, because Windows XP is
completely out of support and nothing but a lottery in production



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
In reply to this post by Samba - General mailing list
On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:

> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <[hidden email]> wrote:
>
>> Dear list,
>>
>> Help!
>>
>> I just upgraded a samba server.
>>
>> Server:
>>      Fedora 26
>>      samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>>      XP Pro SP3
>>
>> The old server was set up as a Domain controller.  I copied the
>> smb.conf over to the new server.
>>
>> The XP workstations can see and mount everything.
>>
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>>
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>>
>> Event Type: Error
>> Event Source: AutoEnrollment
>> Event Category: None
>> Event ID: 15
>> Date: 9/29/2017
>> Time: 4:33:10 PM
>> User: N/A
>> Computer: CURTIS-SCREW
>> Description:
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b).  The specified domain either does
>> not exist or could not be contacted.
>>     Enrollment will not be performed.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> Removing the temp profile from the registry and erasing the
>> TEMP directory from Documents and Settings and rebooting does not help.
>>
>> What am I doing wrong?
>>
>
> Quite a few things ;-)
>
> I understand that you have to use XP, but you don't have to use NTLM;
> haven't you heard of 'WannaCry'?
> Go here and read it: http://www.imss.caltech.edu/node/396
>
> Then you can remove these lines:
>
>      lanman auth = yes
>      ntlm auth = yes
>
> Why have you got these lines? It isn't an AD DC:
>
>      dns forwarder = 192.168.255.12
>      allow dns updates = nonsecure
>
> Is 'winbind' running? If it isn't, you do not need these lines:
>
>      idmap config * : backend        = tdb
>      idmap config * : range          = 1000000-1999999
>
> If it is running, they are not set up correctly.
>
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
>
> I would try this for the profiles:
>
> [profiles]
>      path = /exports/profiles/
>      read only = no
>      create mask = 0600
>      directory mask = 0700
>      browseable = no
>      csc policy = disable
>
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
>
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
>
>      public = yes
>      guest ok = no
>
> You are allowing guest access and then immediately stopping it.
>
> Rowland
>


Hi Rowland,

Thank you!

Okay, this is a bit humiliating.  I have a bunch of clean up
to do.

Was there any one mistake I made in particular that would
be causing the TEMP profile problem?


Many thanks,
-T



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sun, 1 Oct 2017 13:43:32 -0700
ToddAndMargo via samba <[hidden email]> wrote:

> On 09/30/2017 08:21 AM, Gaiseric Vandal via samba wrote:
> > If this is a customer rather than your employer you may find that
> > you need to just part ways, which I know isn't easy.   If you
> > provide a customer with your professional advice, and they choose
> > to ignore it, then I think you can't really help them.
>
> Hi Gaiseric,
>
> Easier said than done.  We are still suffering from the endless
> recession out in these parts, although things have started to
> SLOWLY change over the last 10 months.  If I do not accommodate
> the customer's wishes, I will not be able to feed my family.  And
> replacing the customer is impossible in this business climate.
> Bear in mind that I am considered an unnecessary expense to be
> eliminated.  At least this customer has not accused me of writing
> viruses so I can charge to remove them.  I am between a rock and
> a hard place.  I either fix this or lose my shirt.
>

I understand where you are coming from, you have to earn a living and
you have to do what your customer wants. You can advise till you are
blue in the face, but sometimes the customer just doesn't hear you.

> >
> > Is the customer using XP for all client machines or just select
> > machines that may run some legacy app?
>
> The app will run on any version of Windows.  The reason for the XP
> is that the customer doesn't believe in fixing what ain't broke.
> (That is a conspiracy to separate him from his money don't you know).
>

Unfortunately, this isn't a rare occurrence, and it isn't only
customers that don't want to invest in new equipment or software. I
once had a discussion with a software supplier about upgrading their
main package to run on Windows 7 (this was about 10 months before XP
went EOL). His reply was something along the lines of 'Don't bother,
Microsoft won't EOL XP, and if they do, you can still use it'. Look
where that got us: 'WannaCry'.


> >
> > Do you have at least one Win 7 machine?  
>
> Not a single one!
>
> > I would validate the
> > connections with the win 7 machine before you start trying to fix
> > XP.     That would at least prove that the server is correct and XP
> > is the problem.
> >
> >
> > If this is a "classic" domain controller then you DO have to use
> > NTLM (but definitely NOT lanman.)  If XP supports NTLMv2 then I
> > think it will negotiate that with Samba.  I think Microsoft
> > released patches for XP for WannaCry, even though XP is otherwise
> > unsupported.  So some of the security concerns are partially
> > mitigated.  Although you should make sure that the antivirus is
> > enabled and that the machine is ONLY used for the absolutely
> > essential functions (no web browsing, no e-mail.)
> >
> > Some of the default "signing" options in smb.conf may have changed
> > with the newer versions of samba.  You may need to turn "server
> > signing" , "client signing" and "client ipc signing" to off. You
> > may also want to check the server and client min and max protocol
> > options on samba. XP may have problems with SMB2.
> >
> >
> > Can you try using smbpasswd  or pdbedit to precreate the machine
> > accounts ?   I found sometimes certain attributes weren't properly
> > created when joining machines to domains.
>
> I used smbpasswd.   And I am using DDNS (Dynamic Domain Name Service).
> Each computer showed up in both my forward and reverse tables.
>
> I am not much of a fan of Domain Controllers.  This is five computers
> and I just don't see that it is worth the effort for any "perceived"
> extra functionality.    So I am slowly reverting them back to a
> workgroup.
>

I almost suggested doing this when you said there were only 5
machines. It is probably the best thing you can do. Your main trouble
was that you went with a PDC rather than an AD DC, but for 5 machines,
either was overkill, especially if they are all in the same location.

Rowland



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sun, 1 Oct 2017 22:52:36 +0200
Reindl Harald via samba <[hidden email]> wrote:

>
>
> On 01.10.2017 at 22:43, ToddAndMargo via samba wrote:
> >> Is the customer using XP for all client machines or just select
> >> machines that may run some legacy app?
> >
> > The app will run on any version of Windows.  The reason for the XP
> > is that the customer doesn't believe in fixing what ain't broke
>
> it's your job to explain to him that *it is broken*, because Windows XP is
> completely out of support and nothing but a lottery in production
>

I get the distinct feeling that this has been tried, but sometimes you
just have to do what you are told with what you are given.

Rowland




Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sun, 1 Oct 2017 14:00:34 -0700
ToddAndMargo via samba <[hidden email]> wrote:

> On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> > On Fri, 29 Sep 2017 18:27:29 -0700
> > ToddAndMargo via samba <[hidden email]> wrote:
> >
> >> Dear list,
> >>
> >> Help!
> >>
> >> I just upgraded a samba server.
> >>
> >> Server:
> >>      Fedora 26
> >>      samba-4.6.8-0.fc26.x86_64
> >>
> >> Workstations (5 of them):
> >>      XP Pro SP3
> >>
> >> The old server was set up as a Domain controller.  I copied the
> >> smb.conf over to the new server.
> >>
> >> The XP workstations can see and mount everything.
> >>
> >> On the workstations, I removed myself from the old domain and
> >> rebooted, powered off the old server, reattached to the domain.
> >>
> >> Problem: when I log into the domain, I get the following in my
> >> error log and I get a stinking TEMP directory/profile.
> >>
> >> Event Type: Error
> >> Event Source: AutoEnrollment
> >> Event Category: None
> >> Event ID: 15
> >> Date: 9/29/2017
> >> Time: 4:33:10 PM
> >> User: N/A
> >> Computer: CURTIS-SCREW
> >> Description:
> >> Automatic certificate enrollment for local system failed to contact
> >> the active directory (0x8007054b).  The specified domain either
> >> does not exist or could not be contacted.
> >>     Enrollment will not be performed.
> >>
> >> For more information, see Help and Support Center at
> >> http://go.microsoft.com/fwlink/events.asp.
> >>
> >>
> >> Removing the temp profile from the registry and erasing the
> >> TEMP directory from Doc and Setting and rebooting does not help.
> >>
> >> What am I doing wrong?
> >>
> >
> > Quite a few things ;-)
> >
> > I understand that you have to use XP, but you don't have to use
> > NTLM, haven't you heard of 'WannaCry'?
> > Go here and read it: http://www.imss.caltech.edu/node/396
> >
> > Then you can remove these lines:
> >
> >      lanman auth = yes
> >      ntlm auth = yes
> >
> > Why have you got these lines? It isn't an AD DC:
> >
> >      dns forwarder = 192.168.255.12
> >      allow dns updates = nonsecure
> >
> > Is 'winbind' running? If it isn't, you do not need these lines:
> >
> >      idmap config * : backend        = tdb #
> >      idmap config * : range          = 1000000-1999999
> >
> > If it is running, they are not set up correctly.
> >
> > I would change 'name resolve order = host' to 'name resolve order =
> > wins host bcast'
> >
> > I would try this for the profiles:
> >
> > [profiles]
> >      path = /exports/profiles/
> >      read only = no
> >      create mask = 0600
> >      directory mask = 0700
> >      browseable = no
> >      csc policy = disable
> >
> > Also, if '/exports/profiles/' is an NFS share, I would stop using
> > it.
> >
> > Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> > Where you have this in '[printers]'
> >
> >      public = yes
> >      guest ok = no
> >
> > You are allowing guest access and then immediately stopping it.
> >
> > Rowland
> >
>
>
> Hi Rowland,
>
> Thank you!
>
> Okay, this is a bit humiliating.  I have a bunch of clean up
> to do.
>
> Was there any one mistake I made in particular that would
> be causing the TEMP profile problem?
>

Not sure, probably the way the profiles share was set up, but if you
are, as you have said, moving to a workgroup, you won't need the
profiles.

Rowland
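Several of the points above (a synonym such as 'public' contradicting 'guest ok' in the same share, 'create mode' given twice, 'lanman auth'/'ntlm auth' left on, an AD-DC-only 'allow dns updates' setting) are mechanical enough to check before restarting smbd. The following linter is an added example for this thread, not Samba's own tooling and not anything either poster wrote. It assumes the synonym table from smb.conf(5) ('public' = 'guest ok'; 'writable', 'writeable' and 'write ok' are the inverse of 'read only'; 'browsable' = 'browseable'; 'create mode'/'directory mode' = 'create mask'/'directory mask'), and that when a parameter is set twice Samba keeps the last value. The sample config is constructed from the lines posted in the thread, trimmed to the ones that trigger findings.

```python
"""Lint an smb.conf for the problems discussed in this thread.

Added example; synonym table per smb.conf(5) (assumption, see lead-in).
"""
import re
from collections import defaultdict

# key -> (canonical name, invert boolean?)
SYNONYMS = {
    "public": ("guest ok", False),
    "writable": ("read only", True),
    "writeable": ("read only", True),
    "write ok": ("read only", True),
    "browsable": ("browseable", False),
    "create mode": ("create mask", False),
    "directory mode": ("directory mask", False),
}
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}
WEAK_AUTH = {"lanman auth": "LANMAN (LM) logons", "ntlm auth": "NTLMv1 logons"}


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} in file order, keeping duplicates.

    Duplicates are kept on purpose: the same parameter given twice in one
    share is one of the things reported. '#' and ';' comment lines are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((re.sub(r"\s+", " ", key.strip().lower()), value.strip()))
    return sections


def canonical(key, value):
    """Map (key, value) onto the canonical parameter; invert the boolean for
    the 'writable' family so it compares with an explicit 'read only'."""
    name, invert = SYNONYMS.get(key, (key, False))
    value = value.lower()
    if invert and value in TRUE_WORDS | FALSE_WORDS:
        value = "no" if value in TRUE_WORDS else "yes"
    return name, value


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_WORDS


def lint_smb_conf(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, sections = [], parse_smb_conf(text)
    # 1. One parameter (or a synonym of it) set twice with different values
    #    in the same section: Samba keeps the last one, which is rarely intended.
    for section, pairs in sections.items():
        seen = defaultdict(list)  # canonical name -> [(key, value, canonical value)]
        for key, value in pairs:
            name, cvalue = canonical(key, value)
            seen[name].append((key, value, cvalue))
        for name, entries in seen.items():
            if len(entries) > 1 and len({c for _, _, c in entries}) > 1:
                shown = ", ".join(f"{k} = {v}" for k, v, _ in entries)
                findings.append(f"[{section}] '{name}' is set more than once with different values: {shown}")
    # 2. Weak authentication and DC-only settings in [global] (last value wins).
    glob = dict(sections.get("global", []))
    for param, what in WEAK_AUTH.items():
        if is_true(glob.get(param)):
            findings.append(f"[global] {param} = yes allows {what}; remove it unless a client demonstrably needs it")
    if glob.get("allow dns updates", "").lower() == "nonsecure":
        findings.append("[global] allow dns updates = nonsecure accepts unsigned DNS updates and only applies to an AD DC's internal DNS")
    return findings


# Constructed sample: the relevant lines of the smb.conf posted in this thread.
SAMPLE_SMB_CONF = """\
[global]
   lanman auth = yes
   ntlm auth = yes
   allow dns updates = nonsecure

[homes]
   read only = no
   create mode = 0750
   writable = yes
   create mode = 0777

[printers]
   public = yes
   guest ok = no
   writeable = no
"""

if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

On the sample it reports the duplicated 'create mode' in [homes] (the consistent 'read only = no' / 'writable = yes' pair is not flagged), the 'public' / 'guest ok' contradiction in [printers], and the three [global] lines; run it against a real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())` and then confirm the result with `testparm`, which also validates parameter names.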



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list


Am 01.10.2017 um 23:19 schrieb Rowland Penny via samba:

> On Sun, 1 Oct 2017 22:52:36 +0200
> Reindl Harald via samba <[hidden email]> wrote:
>
>>
>>
>> Am 01.10.2017 um 22:43 schrieb ToddAndMargo via samba:
>>>> Is the customer using XP for all client machines or just select
>>>> machines that may run some legacy app?
>>>
>>> The app will run on any version of Windows.  The reason for the XP
>>> is that the customer doesn't believe in fixing what ain't broke
>>
>> it's your job to explain to him *it is broken* because Windows XP is
>> completely out of support and nothing other than a lottery in production
>>
>
> I get the distinct feeling that this has been tried, but sometimes you
> just have to do what you are told with what you are given

I am fully aware that this is not so easy in every case.

But when I am the IT guy and I take responsibility that the stuff is running,
I cannot and will not set up something where I know doing so would be
irresponsible and nothing other than a time bomb, and when it explodes I
have to suck it up and collect the pieces.

Frankly, "Windows XP" - which braindead idiots are still using such
outdated crap? It was somewhat recent (and not brand new) when I
changed to work in IT, and it is now nearly *10 years* ago that I
decided never to touch any Microsoft OS in the future and not even to
support any Windows machine within my own family.

*10 years*, and we talk about *IT and not a museum*.


Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
Seems to be an old problem

http://www.eventid.net/display-eventid-15-source-AutoEnrollment-eventno-1397-phase-1.htm


Am 30.09.2017 um 03:27 schrieb ToddAndMargo via samba:

> Dear list,
>
> Help!
>
> I just upgraded a samba server.
>
> Server:
>    Fedora 26
>    samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
>    XP Pro SP3
>
> The old server was set up as a Domain controller.  I copied the
> smb.conf over to the new server.
>
> The XP workstations can see and mount everything.
>
> On the workstations, I removed myself from the old domain and rebooted,
> powered off the old server, reattached to the domain.
>
> Problem: when I log into the domain, I get the following in my error
> log and I get a stinking TEMP directory/profile.
>
> Event Type:    Error
> Event Source:    AutoEnrollment
> Event Category:    None
> Event ID:    15
> Date:        9/29/2017
> Time:        4:33:10 PM
> User:        N/A
> Computer:    CURTIS-SCREW
> Description:
> Automatic certificate enrollment for local system failed to contact
> the active directory (0x8007054b).  The specified domain either does
> not exist or could not be contacted.
>   Enrollment will not be performed.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Removing the temp profile from the registry and erasing the
> TEMP directory from Doc and Setting and rebooting does not help.
>
> What am I doing wrong?
>
> -T
>
> my smb.conf:
>
> [global]
>    workgroup = xxxxx
>    server string = Fedora Samba Server
>    volume = Fedora Core, %v
>    comment = Samba (NetBIOS) Server on FedoraServer.xxxx.com
>    netbios name = FedoraServer
>    dns forwarder = 192.168.255.12
>    allow dns updates = nonsecure
>    interfaces = eno1 127.0.0.1
>    hosts deny = ALL
>    hosts allow = 192.168.255. 127.0.0.
>    lanman auth = yes
>    ntlm auth = yes
>    printcap name = /etc/printcap
>    show add printer wizard = No
>    load printers = yes
>    printing = BSD
>    guest account = pcguest
>    log file = /var/log/samba/samba-log.%m
>    log level = 4 passdb:10 auth:10
>    follow symlinks = yes
>    wide links = no
>    locking = yes
>    strict locking = no
>    security = user
>    smb passwd file = /etc/samba/smbpasswd
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passdb backend = smbpasswd
>    username map = /etc/samba/smbusers
>     os level = 64
>     domain logons = yes
>     domain master = yes
>     local master = yes
>     preferred master = yes
>    idmap config * : backend        = tdb
>    idmap config * : range          = 1000000-1999999
>    add user script = /usr/sbin/useradd -m -G users '%u'
>    delete user script = /usr/sbin/userdel -r '%u'
>    add group script = /usr/sbin/groupadd '%g'
>    delete group script = /usr/sbin/groupdel '%g'
>    add user to group script = /usr/sbin/usermod -A '%g' '%u'
>    add machine script = /usr/sbin/useradd -s /bin/false -d
> /var/lib/nobody '%u'
>    logon script = scripts/logon.bat
>    logon path = /exports/netlogon
>    logon drive = X:
>    wins support = yes
>    name resolve order = host
>    dns proxy = yes
>    deadtime = 20160
>    force create mode = 0000
>    create mode = 0777
>    force directory mode = 0000
>    directory mode = 0777
>    map archive = yes
>    map system = yes
>    map hidden = yes
>
> [profiles]
>    # https://www.ccs.uky.edu/docs/samba.htm
>    # create mode = 0600
>    # directory mode = 0700
>    create mode = 0777
>    directory mode = 0777
>    path = /exports/profiles/
>    profile acls = yes
>    read only = no
>    writable = yes
>
> [public]
>    comment = Public on xxxxx FedoraServer -- Mount as F:
>    path = /exports/public
>    valid users = @users
>    write list = @users
>    force group = users
>    force user = public
>    locking = yes
>    oplocks = no
>    fake oplocks = no
>    level2 oplocks = no
>    strict locking = no
>    blocking locks = no
>    public = no
>    writable = yes
>    printable = no
>    browseable = yes
>    create mode = 0777
>    force directory mode = 0000
>    directory mode = 0777
>    map archive = yes
>    map system = yes
>    map hidden = yes
>
> [homes]
>    comment = %u.%G' Home/Documents Directory -- Typically mount as G:
> (UH)
>    path=/home/%u/Documents
>    valid users = @users
>    write list = @users
>    read only = no
>    create mode = 0750
>    public = no
>    writable = yes
>    printable = no
>    browseable = no
>
>    create mode = 0777
>    force directory mode = 0000
>    directory mode = 0777
>    map archive = yes
>    map system = yes
>    map hidden = yes
>
> [printers]
>    comment = All Printers
>    path = /var/spool/samba
>    browseable = no
>    public = yes
>    guest ok = no
>    writeable = no
>    printable = yes
>
> [netlogon]
>    comment = Network Logon Service (X:)
>    path = /exports/netlogon
>    public = no
>    writeable = no
>    # set browable to "no" if you don't want everyone to be able to
> browse the scripts
>    browsable = yes
>



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
On 10/01/2017 02:19 PM, Rowland Penny via samba wrote:

> On Sun, 1 Oct 2017 22:52:36 +0200
> Reindl Harald via samba <[hidden email]> wrote:
>
>>
>>
>> Am 01.10.2017 um 22:43 schrieb ToddAndMargo via samba:
>>>> Is the customer using XP for all client machines or just select
>>>> machines that may run some legacy app?
>>>
>>> The app will run on any version of Windows.  The reason for the XP
>>> is that the customer doesn't believe in fixing what ain't broke
>>
>> it's your job to explain to him *it is broken* because Windows XP is
>> completely out of support and nothing other than a lottery in production
>>
>
> I get the distinct feeling that this has been tried, but sometimes you
> just have to do what you are told with what you are given.
>
> Rowland
>
>
>

You nailed it.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
On 10/01/2017 03:06 PM, Achim Gottinger via samba wrote:
> Seems to be an old problem
>
> http://www.eventid.net/display-eventid-15-source-AutoEnrollment-eventno-1397-phase-1.htm

I found that one.

I googled my tail end off.  Every solution others came up with did not
work for me.



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list


Am 02.10.2017 um 01:46 schrieb ToddAndMargo via samba:

> On 10/01/2017 03:06 PM, Achim Gottinger via samba wrote:
>> Seems to be an old problem
>>
>> http://www.eventid.net/display-eventid-15-source-AutoEnrollment-eventno-1397-phase-1.htm 
>>
>
> I found that one.
>
> I googled my tail end off.  Every solution others came up with did not
> work for me.
>
>
I assume the autoenrollment error is just a side effect of your problem
and does not cause the profile error.
You can try to enable logon debugging on XP to see what's going on.

http://www.inetdaemon.com/q-and-a/troubleshooting-windows-logon-problems/




Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
On 10/01/2017 05:22 PM, Achim Gottinger via samba wrote:

>
>
> Am 02.10.2017 um 01:46 schrieb ToddAndMargo via samba:
>> On 10/01/2017 03:06 PM, Achim Gottinger via samba wrote:
>>> Seems to be an old problem
>>>
>>> http://www.eventid.net/display-eventid-15-source-AutoEnrollment-eventno-1397-phase-1.htm 
>>>
>>
>> I found that one.
>>
>> I googled my tail end off.  Every solution others came up with did not
>> work for me.
>>
>>
> I assume the autoenrollment error is just a side effect of your problem
> and does not cause the profile error.
> You can try to enable logon debugging on XP to see what's going on.
>
> http://www.inetdaemon.com/q-and-a/troubleshooting-windows-logon-problems/
>
>
>

Sweet,  Thank you!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computers are like air conditioners.
They malfunction when you open windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list
On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry'?
> Go here and read it: http://www.imss.caltech.edu/node/396

WannaCry did not infect XP or for that matter, Windows Nein,
oops, Ten.  Doesn't mean it couldn't if altered to do so:

      Reference:
https://www.computerworld.com/article/3196673/malware/faq-are-you-in-danger-from-the-wannacrypt-ransomware.html

      Why didn’t WannaCry infect Windows XP or 10 computers?

      Because those responsible for Friday's attacks used code
      from several sources, and researchers have determined
      that the code used didn't include functions for Windows
      XP or Windows 10. (Britain’s National Health Service
      has said its WinXP PCs were not infected by WannaCry,
      despite initial reports that they were.)

M$ has since issued patches for XP.

M$'s patches/updates can be miserable and cause all kinds
of havoc.  It is a judgment call on when and how to install
M$'s patches/updates.  It is best to make sure you have a good
anti-virus updated and running.  Your AV is where most
of your protection comes from, not M$ with its miserable
track record for security.  And use a "real" firewall.

This patch is a good one.



Re: XP auto enrollment error; TEMP profile

Samba - General mailing list

Am 02.10.2017 um 06:35 schrieb ToddAndMargo via samba:
> M$'s patches/updates can be miserable and cause all kinds
> of havoc.  It is a judgment call on when and how to install
> M$'s patches/updates.  It is best to make sure you have a good
> anti-virus updated and running.  Your AV is where most
> of your protection comes from, not M$ with its miserable
> track record for security.  And use a "real" firewall

Sorry, but everybody in the security business, when he is not a developer
of snake oil aka anti-virus, will tell you exactly the opposite.

There is nothing like a "good anti-virus" which will protect you from new threats; new incarnations slip past existing signatures before new signatures are published, and nothing protects you from targeted attacks.

Also, I wouldn't bet that Windows XP has the highest priority in testing and composing new signatures.

Sorry, but to say it clearly: to think an anti-virus can replace a solid operating system is a naive and dangerous attitude.

With some luck, malware was not tested on XP and won't run, because of the too small userbase these days, but when that is your security strategy you'd better install Win98, because XP is not old enough and too similar to Win7.
