Dear list,
Help!
I just upgraded a samba server.
Server:
Fedora 26
samba-4.6.8-0.fc26.x86_64
Workstations (5 of them):
XP Pro SP3
The old server was set up as a Domain controller. I copied the
smb.conf over to the new server.
The XP workstations can see and mount everything.
On the workstations, I removed myself from the old domain and rebooted,
powered off the old server, reattached to the domain.
Problem: when I log into the domain, I get the following in my error log
and I get a stinking TEMP directory/profile.
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 9/29/2017
Time: 4:33:10 PM
User: N/A
Computer: CURTIS-SCREW
Description:
Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b). The specified domain either does not
exist or could not be contacted.
Enrollment will not be performed.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Removing the temp profile from the registry and erasing the
TEMP directory from Documents and Settings and rebooting does not help.
What am I doing wrong?
-T
my smb.conf:
[global]
workgroup = xxxxx
server string = Fedora Samba Server
volume = Fedora Core, %v
comment = Samba (NetBIOS) Server on FedoraServer.xxxx.com
netbios name = FedoraServer
dns forwarder = 192.168.255.12
allow dns updates = nonsecure
interfaces = eno1 127.0.0.1
hosts deny = ALL
hosts allow = 192.168.255. 127.0.0.
lanman auth = yes
ntlm auth = yes
printcap name = /etc/printcap
show add printer wizard = No
load printers = yes
printing = BSD
guest account = pcguest
log file = /var/log/samba/samba-log.%m
log level = 4 passdb:10 auth:10
follow symlinks = yes
wide links = no
locking = yes
strict locking = no
security = user
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passdb backend = smbpasswd
username map = /etc/samba/smbusers
os level = 64
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
add user script = /usr/sbin/useradd -m -G users '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -A '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
logon script = scripts/logon.bat
logon path = /exports/netlogon
logon drive = X:
wins support = yes
name resolve order = host
dns proxy = yes
deadtime = 20160
force create mode = 0000
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
[profiles]
# https://www.ccs.uky.edu/docs/samba.htm
# create mode = 0600
# directory mode = 0700
create mode = 0777
directory mode = 0777
path = /exports/profiles/
profile acls = yes
read only = no
writable = yes
[public]
comment = Public on xxxxx FedoraServer -- Mount as F:
path = /exports/public
valid users = @users
write list = @users
force group = users
force user = public
locking = yes
oplocks = no
fake oplocks = no
level2 oplocks = no
strict locking = no
blocking locks = no
public = no
writable = yes
printable = no
browseable = yes
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
[homes]
comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
path=/home/%u/Documents
valid users = @users
write list = @users
read only = no
create mode = 0750
public = no
writable = yes
printable = no
browseable = no
create mode = 0777
force directory mode = 0000
directory mode = 0777
map archive = yes
map system = yes
map hidden = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = no
writeable = no
printable = yes
[netlogon]
comment = Network Logon Service (X:)
path = /exports/netlogon
public = no
writeable = no
# set browsable to "no" if you don't want everyone to be able to browse the scripts
browsable = yes
On 30.09.2017 at 03:27, ToddAndMargo via samba wrote:
> I just upgraded a samba server.
>
> Server:
> Fedora 26
> samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
> XP Pro SP3
>
> What am I doing wrong?

running Windows XP in 2017 and upgrade anything else
On 09/29/2017 06:40 PM, Reindl Harald via samba wrote:
> On 30.09.2017 at 03:27, ToddAndMargo via samba wrote:
>> I just upgraded a samba server.
>>
>> Server:
>> Fedora 26
>> samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>> XP Pro SP3
>>
>> What am I doing wrong?
>
> running Windows XP in 2017 and upgrade anything else

I have no choice. I must get this working. I have no control over what the customer decided to do with his money. I am lucky he even decided to upgrade the server.
On Fri, 29 Sep 2017 18:27:29 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:

> Dear list,
>
> Help!
>
> I just upgraded a samba server.
>
> Server:
> Fedora 26
> samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
> XP Pro SP3
>
> The old server was set up as a Domain controller. I copied the
> smb.conf over to the new server.
>
> The XP workstations can see and mount everything.
>
> On the workstations, I removed myself from the old domain and
> rebooted, powered off the old server, reattached to the domain.
>
> Problem: when I log into the domain, I get the following in my error
> log and I get a stinking TEMP directory/profile.
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 15
> Date: 9/29/2017
> Time: 4:33:10 PM
> User: N/A
> Computer: CURTIS-SCREW
> Description:
> Automatic certificate enrollment for local system failed to contact
> the active directory (0x8007054b). The specified domain either does
> not exist or could not be contacted.
> Enrollment will not be performed.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Removing the temp profile from the registry and erasing the
> TEMP directory from Documents and Settings and rebooting does not help.
>
> What am I doing wrong?
>

Quite a few things ;-)

I understand that you have to use XP, but you don't have to use NTLM,
haven't you heard of 'WannaCry' ?
Go here and read it: http://www.imss.caltech.edu/node/396

Then you can remove these lines:

lanman auth = yes
ntlm auth = yes

Why have you got these lines ? it isn't an AD DC

dns forwarder = 192.168.255.12
allow dns updates = nonsecure

Is 'winbind' running ? if it isn't you do not need these lines:

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

If it is running, they are not set up correctly.

I would change 'name resolve order = host' to 'name resolve order = wins host bcast'

I would try this for the profiles:

[profiles]
path = /exports/profiles/
read only = no
create mask = 0600
directory mask = 0700
browseable = no
csc policy = disable

Also, if '/exports/profiles/' is an NFS share, I would stop using it.

Finally, are you aware that 'public' is a synonym for 'guest ok' ?
Where you have this in '[printers]'

public = yes
guest ok = no

You are allowing guest access and then immediately stopping it.

Rowland
If this is a customer rather than your employer you may find that you need to just part ways, which I know isn't easy. If you provide a customer with your professional advice, and they choose to ignore it, then I think you can't really help them.

Is the customer using XP for all client machines or just select machines that may run some legacy app? Do you have at least one Win 7 machine? I would validate the connections with the win 7 machine before you start trying to fix XP. That would at least prove that the server is correct and XP is the problem.

If this is a "classic" domain controller then you DO have to use NTLM (but definitely NOT lanman.) If XP supports NTLMv2 then I think it will negotiate that with Samba.

I think Microsoft released patches for XP for WannaCry, even though XP is otherwise unsupported. So some of the security concerns are partially mitigated. Although you should make sure that the antivirus is enabled and that the machine is ONLY used for the absolutely essential functions (no web browsing, no e-mail.)

Some of the default "signing" options in smb.conf may have changed with the newer versions of samba. You may need to turn "server signing", "client signing" and "client ipc signing" to off. You may also want to check the server and client min and max protocol options on samba. XP may have problems with SMB2.

Can you try using smbpasswd or pdbedit to precreate the machine accounts? I found sometimes certain attributes weren't properly created when joining machines to domains.

On 09/30/17 03:58, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba at lists.samba.org> wrote:
>
>> Dear list,
>>
>> Help!
>>
>> I just upgraded a samba server.
>>
>> Server:
>> Fedora 26
>> samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>> XP Pro SP3
>>
>> The old server was set up as a Domain controller. I copied the
>> smb.conf over to the new server.
>>
>> The XP workstations can see and mount everything.
>>
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>>
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>>
>> Event Type: Error
>> Event Source: AutoEnrollment
>> Event Category: None
>> Event ID: 15
>> Date: 9/29/2017
>> Time: 4:33:10 PM
>> User: N/A
>> Computer: CURTIS-SCREW
>> Description:
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b). The specified domain either does
>> not exist or could not be contacted.
>> Enrollment will not be performed.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>> Removing the temp profile from the registry and erasing the
>> TEMP directory from Documents and Settings and rebooting does not help.
>>
>> What am I doing wrong?
>>
> Quite a few things ;-)
>
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry' ?
> Go here and read it: http://www.imss.caltech.edu/node/396
>
> Then you can remove these lines:
>
> lanman auth = yes
> ntlm auth = yes
>
> Why have you got these lines ? it isn't an AD DC
>
> dns forwarder = 192.168.255.12
> allow dns updates = nonsecure
>
> Is 'winbind' running ? if it isn't you do not need these lines:
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> If it is running, they are not set up correctly.
>
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
>
> I would try this for the profiles:
>
> [profiles]
> path = /exports/profiles/
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = no
> csc policy = disable
>
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
>
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
>
> public = yes
> guest ok = no
>
> You are allowing guest access and then immediately stopping it.
>
> Rowland
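The two replies above list concrete smb.conf problems: LANMAN/NTLMv1 enabled, AD-DC-only DNS parameters on a classic PDC, a WINS server that is not in the resolve order, world-readable roaming profiles, and the 'public' / 'guest ok' synonym conflict in [printers], plus the advice to check the signing and min/max protocol settings. The script below is an added example, not code from the thread or from the Samba project: a small linter that parses an smb.conf the way Samba reads it (parameter names are case- and whitespace-insensitive, synonyms share one setting, and the last assignment wins) and reports exactly those points. The sample configuration inside it is a constructed, trimmed copy of the posted smb.conf; `testparm` remains the authoritative parser.

```python
# Added example (not from the thread, not Samba's own tooling): a linter for
# the smb.conf points raised in the replies above. Use `testparm` for the
# authoritative parse; this only checks the specific issues discussed.
import re

# Constructed sample: the relevant lines of the posted smb.conf, trimmed.
SAMPLE_SMB_CONF = """
[global]
   security = user
   domain logons = yes
   lanman auth = yes
   ntlm auth = yes
   dns forwarder = 192.168.255.12
   allow dns updates = nonsecure
   wins support = yes
   name resolve order = host

[profiles]
   path = /exports/profiles/
   create mode = 0777
   directory mode = 0777

[printers]
   path = /var/spool/samba
   public = yes
   guest ok = no
"""

# Samba ignores case and whitespace in parameter names, several names are
# synonyms for one setting, and the last assignment of a setting wins.
SYNONYMS = {"public": "guestok", "createmode": "createmask",
            "directorymode": "directorymask", "writeable": "writable"}

def canon(name):
    """Canonical key: whitespace removed, lower case, synonyms folded."""
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)

def parse_smb_conf(text):
    """{section: {key: [(name as written, value), ...]}}; the assignment
    history per setting is kept so conflicting synonyms can be reported."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            sections[current].setdefault(canon(name), []).append(
                (name.strip(), value.strip()))
    return sections

def last(section, key, default=None):
    """Effective value of a setting (last assignment wins, as in Samba)."""
    history = section.get(key)
    return history[-1][1] if history else default

def lint(text):
    """Return (severity, section, message) findings for the points above."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    out = []
    # LANMAN hashes are trivially cracked; 'ntlm auth = yes' also accepts
    # NTLMv1 (a classic DC still needs NTLM, as noted above, but never LANMAN).
    if last(g, "lanmanauth", "no").lower() == "yes":
        out.append(("ERROR", "global", "lanman auth = yes: remove it, LANMAN hashes are trivially cracked"))
    if last(g, "ntlmauth", "no").lower() == "yes":
        out.append(("WARN", "global", "ntlm auth = yes: NTLMv1 accepted, prefer the NTLMv2-only default"))
    # AD-DC-only parameters do nothing on a classic (security = user) PDC.
    if "activedirectory" not in canon(last(g, "serverrole", "")):
        for key in ("dnsforwarder", "allowdnsupdates"):
            if key in g:
                out.append(("INFO", "global", f"{g[key][-1][0]}: only meaningful on an AD DC"))
    # WINS is served here but never consulted for name resolution.
    if (last(g, "winssupport", "no").lower() == "yes"
            and "wins" not in last(g, "nameresolveorder", "lmhosts wins host bcast").lower()):
        out.append(("WARN", "global", "wins support = yes but 'name resolve order' lacks wins"))
    # Roaming profiles must not be readable by other users.
    prof = conf.get("profiles")
    if prof is not None and (int(last(prof, "createmask", "0744"), 8) & 0o077
                             or int(last(prof, "directorymask", "0755"), 8) & 0o077):
        out.append(("WARN", "profiles", "readable by others: use create mask = 0600, directory mask = 0700"))
    # One setting assigned twice with different values (public vs guest ok):
    # Samba silently keeps the last assignment.
    for sec_name, section in conf.items():
        for history in section.values():
            if len({v.lower() for _, v in history}) > 1:
                shown = ", ".join(f"{n} = {v}" for n, v in history)
                out.append(("WARN", sec_name, f"conflicting assignments ({shown}); Samba keeps the last"))
    return out

def protocol_report(text):
    """Signing/protocol settings the later reply says to check; None means
    the Samba default is in effect (see it with `testparm -v`)."""
    g = parse_smb_conf(text).get("global", {})
    keys = ("server signing", "client signing", "client ipc signing",
            "server min protocol", "server max protocol",
            "client min protocol", "client max protocol")
    return {k: last(g, canon(k)) for k in keys}

if __name__ == "__main__":
    for severity, section, message in lint(SAMPLE_SMB_CONF):
        print(f"{severity:5} [{section}] {message}")
    for name, value in protocol_report(SAMPLE_SMB_CONF).items():
        print(f"      {name}: {'(Samba default)' if value is None else value}")
```

Run it against a real file with `lint(open("/etc/samba/smb.conf").read())`. The synonym handling is the part worth keeping: the [printers] section only looks contradictory to a human, Samba simply takes `guest ok = no` because it came last, and the same folding catches `create mode` / `create mask` pairs in the [homes] share of the posted config.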
On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba at lists.samba.org> wrote:
>
>> Dear list,
>>
>> Help!
>>
>> I just upgraded a samba server.
>>
>> Server:
>> Fedora 26
>> samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>> XP Pro SP3
>>
>> The old server was set up as a Domain controller. I copied the
>> smb.conf over to the new server.
>>
>> The XP workstations can see and mount everything.
>>
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>>
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>>
>> Event Type: Error
>> Event Source: AutoEnrollment
>> Event Category: None
>> Event ID: 15
>> Date: 9/29/2017
>> Time: 4:33:10 PM
>> User: N/A
>> Computer: CURTIS-SCREW
>> Description:
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b). The specified domain either does
>> not exist or could not be contacted.
>> Enrollment will not be performed.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>> Removing the temp profile from the registry and erasing the
>> TEMP directory from Documents and Settings and rebooting does not help.
>>
>> What am I doing wrong?
>>
>
> Quite a few things ;-)
>
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry' ?
> Go here and read it: http://www.imss.caltech.edu/node/396
>
> Then you can remove these lines:
>
> lanman auth = yes
> ntlm auth = yes
>
> Why have you got these lines ? it isn't an AD DC
>
> dns forwarder = 192.168.255.12
> allow dns updates = nonsecure
>
> Is 'winbind' running ? if it isn't you do not need these lines:
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
>
> If it is running, they are not set up correctly.
>
> I would change 'name resolve order = host' to 'name resolve order =
> wins host bcast'
>
> I would try this for the profiles:
>
> [profiles]
> path = /exports/profiles/
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = no
> csc policy = disable
>
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
>
> Finally, are you aware that 'public' is a synonym for 'guest ok' ?
> Where you have this in '[printers]'
>
> public = yes
> guest ok = no
>
> You are allowing guest access and then immediately stopping it.
>
> Rowland
>

Hi Rowland,

Thank you!

Okay, this is a bit humiliating. I have a bunch of clean up to do.

Was there any one mistake I made in particular that would be causing the TEMP profile problem?

Many thanks,
-T
Seems to be an old problem

http://www.eventid.net/display-eventid-15-source-AutoEnrollment-eventno-1397-phase-1.htm

On 30.09.2017 at 03:27, ToddAndMargo via samba wrote:
> Dear list,
>
> Help!
>
> I just upgraded a samba server.
>
> Server:
> Fedora 26
> samba-4.6.8-0.fc26.x86_64
>
> Workstations (5 of them):
> XP Pro SP3
>
> The old server was set up as a Domain controller. I copied the
> smb.conf over to the new server.
>
> The XP workstations can see and mount everything.
>
> On the workstations, I removed myself from the old domain and rebooted,
> powered off the old server, reattached to the domain.
>
> Problem: when I log into the domain, I get the following in my error
> log and I get a stinking TEMP directory/profile.
>
> Event Type: Error
> Event Source: AutoEnrollment
> Event Category: None
> Event ID: 15
> Date: 9/29/2017
> Time: 4:33:10 PM
> User: N/A
> Computer: CURTIS-SCREW
> Description:
> Automatic certificate enrollment for local system failed to contact
> the active directory (0x8007054b). The specified domain either does
> not exist or could not be contacted.
> Enrollment will not be performed.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Removing the temp profile from the registry and erasing the
> TEMP directory from Documents and Settings and rebooting does not help.
>
> What am I doing wrong?
>
> -T
>
> my smb.conf:
>
> [global]
> workgroup = xxxxx
> server string = Fedora Samba Server
> volume = Fedora Core, %v
> comment = Samba (NetBIOS) Server on FedoraServer.xxxx.com
> netbios name = FedoraServer
> dns forwarder = 192.168.255.12
> allow dns updates = nonsecure
> interfaces = eno1 127.0.0.1
> hosts deny = ALL
> hosts allow = 192.168.255. 127.0.0.
> lanman auth = yes
> ntlm auth = yes
> printcap name = /etc/printcap
> show add printer wizard = No
> load printers = yes
> printing = BSD
> guest account = pcguest
> log file = /var/log/samba/samba-log.%m
> log level = 4 passdb:10 auth:10
> follow symlinks = yes
> wide links = no
> locking = yes
> strict locking = no
> security = user
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passdb backend = smbpasswd
> username map = /etc/samba/smbusers
> os level = 64
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> add user script = /usr/sbin/useradd -m -G users '%u'
> delete user script = /usr/sbin/userdel -r '%u'
> add group script = /usr/sbin/groupadd '%g'
> delete group script = /usr/sbin/groupdel '%g'
> add user to group script = /usr/sbin/usermod -A '%g' '%u'
> add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
> logon script = scripts/logon.bat
> logon path = /exports/netlogon
> logon drive = X:
> wins support = yes
> name resolve order = host
> dns proxy = yes
> deadtime = 20160
> force create mode = 0000
> create mode = 0777
> force directory mode = 0000
> directory mode = 0777
> map archive = yes
> map system = yes
> map hidden = yes
>
> [profiles]
> # https://www.ccs.uky.edu/docs/samba.htm
> # create mode = 0600
> # directory mode = 0700
> create mode = 0777
> directory mode = 0777
> path = /exports/profiles/
> profile acls = yes
> read only = no
> writable = yes
>
> [public]
> comment = Public on xxxxx FedoraServer -- Mount as F:
> path = /exports/public
> valid users = @users
> write list = @users
> force group = users
> force user = public
> locking = yes
> oplocks = no
> fake oplocks = no
> level2 oplocks = no
> strict locking = no
> blocking locks = no
> public = no
> writable = yes
> printable = no
> browseable = yes
> create mode = 0777
> force directory mode = 0000
> directory mode = 0777
> map archive = yes
> map system = yes
> map hidden = yes
>
> [homes]
> comment = %u.%G' Home/Documents Directory -- Typically mount as G: (UH)
> path=/home/%u/Documents
> valid users = @users
> write list = @users
> read only = no
> create mode = 0750
> public = no
> writable = yes
> printable = no
> browseable = no
> create mode = 0777
> force directory mode = 0000
> directory mode = 0777
> map archive = yes
> map system = yes
> map hidden = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> public = yes
> guest ok = no
> writeable = no
> printable = yes
>
> [netlogon]
> comment = Network Logon Service (X:)
> path = /exports/netlogon
> public = no
> writeable = no
> # set browsable to "no" if you don't want everyone to be able to browse the scripts
> browsable = yes
On 10/01/2017 03:06 PM, Achim Gottinger via samba wrote:
> Seems to be an old problem
>
> http://www.eventid.net/display-eventid-15-source-AutoEnrollment-eventno-1397-phase-1.htm

I found that one. I googled my tail end off. Every solution others came up with did not work for me.
On 09/30/2017 12:58 AM, Rowland Penny via samba wrote:
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry' ?
> Go here and read it: http://www.imss.caltech.edu/node/396

WannaCry did not infect XP or for that matter, Windows Nein, oops, Ten. Doesn't mean it couldn't if altered to do so:

Reference:
https://www.computerworld.com/article/3196673/malware/faq-are-you-in-danger-from-the-wannacrypt-ransomware.html

    Why didn’t WannaCry infect Windows XP or 10 computers?

    Because those responsible for Friday’s attacks used code from several sources, and researchers have determined that the code used didn't include functions for Windows XP or Windows 10. (Britain’s National Health Service has said its WinXP PCs were not infected by WannaCry, despite initial reports that they were.)

M$ has since issued patches for XP. M$'s patches/updates can be miserable and cause all kinds of havoc. It is a judgment call on when and how to install M$'s patches/updates.

It is best to make sure you have a good anti-virus updated and running. Your AV is where most of your protection comes from, not M$ with its miserable track record for security. And use a "real" firewall. This patch is a good one.