If this is a customer rather than your employer you may find that you need to just part ways, which I know isn't easy. If you provide a customer with your professional advice, and they choose to ignore it, then I think you can't really help them.

Is the customer using XP for all client machines or just select machines that may run some legacy app?

Do you have at least one Win 7 machine? I would validate the connections with the Win 7 machine before you start trying to fix XP. That would at least prove that the server is correct and XP is the problem.

If this is a "classic" domain controller then you DO have to use NTLM (but definitely NOT lanman.) If XP supports NTLMv2 then I think it will negotiate that with Samba. I think Microsoft released patches for XP for WannaCry, even though XP is otherwise unsupported. So some of the security concerns are partially mitigated. Although you should make sure that the antivirus is enabled and that the machine is ONLY used for the absolutely essential functions (no web browsing, no e-mail.)

Some of the default "signing" options in smb.conf may have changed with the newer versions of Samba. You may need to turn "server signing", "client signing" and "client ipc signing" to off. You may also want to check the server and client min and max protocol options on Samba. XP may have problems with SMB2.

Can you try using smbpasswd or pdbedit to precreate the machine accounts? I found sometimes certain attributes weren't properly created when joining machines to domains.

On 09/30/17 03:58, Rowland Penny via samba wrote:
> On Fri, 29 Sep 2017 18:27:29 -0700
> ToddAndMargo via samba <samba at lists.samba.org> wrote:
>
>> Dear list,
>>
>> Help!
>>
>> I just upgraded a Samba server.
>>
>> Server:
>> Fedora 26
>> samba-4.6.8-0.fc26.x86_64
>>
>> Workstations (5 of them):
>> XP Pro SP3
>>
>> The old server was set up as a Domain controller. I copied the
>> smb.conf over to the new server.
>>
>> The XP workstations can see and mount everything.
>>
>> On the workstations, I removed myself from the old domain and
>> rebooted, powered off the old server, reattached to the domain.
>>
>> Problem: when I log into the domain, I get the following in my error
>> log and I get a stinking TEMP directory/profile.
>>
>> Event Type: Error
>> Event Source: AutoEnrollment
>> Event Category: None
>> Event ID: 15
>> Date: 9/29/2017
>> Time: 4:33:10 PM
>> User: N/A
>> Computer: CURTIS-SCREW
>> Description:
>> Automatic certificate enrollment for local system failed to contact
>> the active directory (0x8007054b). The specified domain either does
>> not exist or could not be contacted.
>> Enrollment will not be performed.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>>
>> Removing the temp profile from the registry and erasing the
>> TEMP directory from Doc and Setting and rebooting does not help.
>>
>> What am I doing wrong?
>>
> Quite a few things ;-)
>
> I understand that you have to use XP, but you don't have to use NTLM,
> haven't you heard of 'WannaCry'?
> Go here and read it: http://www.imss.caltech.edu/node/396
>
> Then you can remove these lines:
>
> lanman auth = yes
> ntlm auth = yes
>
> Why have you got these lines? It isn't an AD DC
>
> dns forwarder = 192.168.255.12
> allow dns updates = nonsecure
>
> Is 'winbind' running? If it isn't you do not need these lines:
>
> idmap config * : backend = tdb #
> idmap config * : range = 1000000-1999999
>
> If it is running, they are not set up correctly.
>
> I would change 'name resolve order = host' to 'name resolve order
> wins host bcast'
>
> I would try this for the profiles:
>
> [profiles]
> path = /exports/profiles/
> read only = no
> create mask = 0600
> directory mask = 0700
> browseable = no
> csc policy = disable
>
> Also, if '/exports/profiles/' is an NFS share, I would stop using it.
>
> Finally, are you aware that 'public' is a synonym for 'guest ok'?
> Where you have this in '[printers]'
>
> public = yes
> guest ok = no
>
> You are allowing guest access and then immediately stopping it.
>
> Rowland
>
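An smb.conf audit for the settings raised in this exchange (lanman/ntlm auth, the signing options, the min protocol, and the public / guest ok synonym in [printers]), added here as an example and not code from the thread or from the Samba project. The parser is a minimal reimplementation of smb.conf's syntax, and the sample config is constructed from the lines quoted above plus the signing and min protocol values mentioned.

```python
import re

# 'public' is a documented synonym of 'guest ok'; a later duplicate overrides.
SYNONYMS = {"public": "guest ok"}

# Settings the thread discusses, with the values that weaken the server.
OFF = {"off", "no", "false", "disabled"}
PRE_SMB2 = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
WEAK = {
    "lanman auth": {"yes", "true", "1"},
    "ntlm auth": {"yes", "true", "1"},
    "server signing": OFF, "client signing": OFF, "client ipc signing": OFF,
    "server min protocol": PRE_SMB2, "client min protocol": PRE_SMB2,
}

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {param: value}}, synonyms folded,
    later duplicates winning. Whole-line comments start with '#' or ';'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            key = re.sub(r"\s+", " ", key.lower())
            conf[section][SYNONYMS.get(key, key)] = value
    return conf

def audit(conf):
    """Return (section, param, value) for every weak setting in effect."""
    return [(sec, k, v) for sec, params in conf.items()
            for k, v in params.items() if k in WEAK and v.lower() in WEAK[k]]

# Constructed sample: the [global] lines quoted in the thread, the signing
# and min protocol values suggested above, and the [printers] pair.
SAMPLE = """[global]
   lanman auth = yes
   ntlm auth = yes
   server signing = off
   server min protocol = NT1
[printers]
   public = yes
   guest ok = no
"""
```

Running `audit(parse_smb_conf(SAMPLE))` flags the four [global] lines; the [printers] pair produces no finding because `guest ok = no` is the value in effect.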
On 09/30/2017 08:21 AM, Gaiseric Vandal via samba wrote:
> If this is a customer rather than your employer you may find that you
> need to just part ways, which I know isn't easy. If you provide a
> customer with your professional advice, and they choose to ignore it,
> then I think you can't really help them.

Hi Gaiseric,

Easier said than done. We are still suffering from the endless recession out in these parts, although things have started to SLOWLY change over the last 10 months. If I do not accommodate the customer's wishes, I will not be able to feed my family. And replacing the customer is impossible in this business climate. Bear in mind that I am considered an unnecessary expense to be eliminated. At least this customer has not accused me of writing viruses so I can charge to remove them. I am between a rock and a hard place. I either fix this or lose my shirt.

> Is the customer using XP for all client machines or just select machines
> that may run some legacy app?

The app will run on any version of Windows. The reason for the XP is that the customer doesn't believe in fixing what ain't broke. (That is a conspiracy to separate him from his money don't you know).

> Do you have at least one Win 7 machine?

Not a single one!

> I would validate the
> connections with the win 7 machine before you start trying to fix
> XP. That would at least prove that the server is correct and XP is
> the problem.
>
> If this is a "classic" domain controller then you DO have to use NTLM
> (but definitely NOT lanman.) If XP supports NTLMv2 then I think it
> will negotiate that with Samba. I think Microsoft released patches
> for XP for WannaCry, even though XP is otherwise unsupported. So some of
> the security concerns are partially mitigated. Although you should
> make sure that the antivirus is enabled and that the machine is ONLY
> used for the absolutely essential functions (no web browsing, no e-mail.)
>
> Some of the default "signing" options in smb.conf may have changed with
> the newer versions of samba. You may need to turn "server signing",
> "client signing" and "client ipc signing" to off. You may also want to
> check the server and client min and max protocol options on samba. XP
> may have problems with SMB2.
>
> Can you try using smbpasswd or pdbedit to precreate the machine
> accounts? I found sometimes certain attributes weren't properly
> created when joining machines to domains.

I used smbpasswd. And I am using DDNS (Dynamic Domain Name Service). Each computer showed up in both my forward and reverse tables.

I am not much of a fan of Domain Controllers. This is five computers and I just don't see that it is worth the effort for any "perceived" extra functionality. So I am slowly reverting them back to a workgroup.

Thank you for the help!

-T

Oh and this server (Fedora 26) is an upgrade from his old CentOS 5 server. Talk about out-of-date!
On 01.10.2017 at 22:43, ToddAndMargo via samba wrote:
>> Is the customer using XP for all client machines or just select
>> machines that may run some legacy app?
>
> The app will run on any version of Windows. The reason for the XP
> is that the customer doesn't believe in fixing what ain't broke

it's your job to explain to him *it is broken* because Windows XP is completely out of support and nothing else than a lottery in production
On Sun, 1 Oct 2017 13:43:32 -0700
ToddAndMargo via samba <samba at lists.samba.org> wrote:

> On 09/30/2017 08:21 AM, Gaiseric Vandal via samba wrote:
> > If this is a customer rather than your employer you may find that
> > you need to just part ways, which I know isn't easy. If you
> > provide a customer with your professional advice, and they choose
> > to ignore it, then I think you can't really help them.
>
> Hi Gaiseric,
>
> Easier said than done. We are still suffering from the endless
> recession out in these parts, although things have started to
> SLOWLY change over the last 10 months. If I do not accommodate
> the customer's wishes, I will not be able to feed my family. And
> replacing the customer is impossible in this business climate.
> Bear in mind that I am considered an unnecessary expense to be
> eliminated. At least this customer has not accused me of writing
> viruses so I can charge to remove them. I am between a rock and
> a hard place. I either fix this or lose my shirt.
>

I understand where you are coming from, you have to earn a living and you have to do what your customer wants. You can advise till you are blue in the face, but sometimes the customer just doesn't hear you.

> > Is the customer using XP for all client machines or just select
> > machines that may run some legacy app?
>
> The app will run on any version of Windows. The reason for the XP
> is that the customer doesn't believe in fixing what ain't broke.
> (That is a conspiracy to separate him from his money don't you know).
>

Unfortunately, this isn't a rare occurrence and it isn't only customers that don't want to invest in new equipment or software. I once had a discussion with a software supplier about upgrading their main package to run on Windows 7 (this was about 10 months before XP went EOL). His reply was something along the lines of 'Don't bother, Microsoft won't EOL XP, and if they do, you can still use it'.

Look where that got us, 'WannaCry'

> > Do you have at least one Win 7 machine?
>
> Not a single one!
>
> > I would validate the
> > connections with the win 7 machine before you start trying to fix
> > XP. That would at least prove that the server is correct and XP
> > is the problem.
> >
> > If this is a "classic" domain controller then you DO have to use
> > NTLM (but definitely NOT lanman.) If XP supports NTLMv2 then I
> > think it will negotiate that with Samba. I think Microsoft
> > released patches for XP for WannaCry, even though XP is otherwise
> > unsupported. So some of the security concerns are partially
> > mitigated. Although you should make sure that the antivirus is
> > enabled and that the machine is ONLY used for the absolutely
> > essential functions (no web browsing, no e-mail.)
> >
> > Some of the default "signing" options in smb.conf may have changed
> > with the newer versions of samba. You may need to turn "server
> > signing", "client signing" and "client ipc signing" to off. You
> > may also want to check the server and client min and max protocol
> > options on samba. XP may have problems with SMB2.
> >
> > Can you try using smbpasswd or pdbedit to precreate the machine
> > accounts? I found sometimes certain attributes weren't properly
> > created when joining machines to domains.
>
> I used smbpasswd. And I am using DDNS (Dynamic Domain Name Service).
> Each computer showed up in both my forward and reverse tables.
>
> I am not much of a fan of Domain Controllers. This is five computers
> and I just don't see that it is worth the effort for any "perceived"
> extra functionality. So I am slowly reverting them back to a
> workgroup
>

I almost suggested doing this when you said there were only 5 machines. It is probably the best thing you can do. Your main trouble was that you went with a PDC rather than an AD DC, but for 5 machines, either was overkill, especially if they are all in the same location.

Rowland