On 10/02/2017 12:32 AM, Reindl Harald via samba wrote:
>
> On 02.10.2017 at 07:25, ToddAndMargo via samba wrote:
>> On 10/01/2017 10:03 PM, Reindl Harald (mobile) via samba wrote:
>>> sorry but to say it clear: to think an anti-virus can replace a solid
>>> operating system is a naive and dangerous attitude
>>
>> Uhhh, Why do you not look at infection rates instead of
>> marketing FUD. WannaCry did not even touch XP.
>
> so what - because one specific malware did not proves nothing

The "So What" is the aggregate, not a single instance. You
missed my point.

>> Not looking at this from an infection rate standpoint and,
>> instead, believing what the marketing weasels at M$ tell
>> you is far more dangerous in my technical opinion.
>
> you seem to confuse me with someone else - i don't use any microsoft
> stuff for a decade now and i am grown enough to not write M$
>
>> That XP is so insecure is a lot of FUD. Again, look at the
>> infection rates if you want to know what that truth is and
>> not marketing FUD.
>
> no wonder because nobody right in his brain is using XP any longer on
> machines connected with a network

Again, it is the aggregate.

The auto enrollment messages seem to indicate that the client
machine thinks it is connecting to an AD domain.

The profile messages are indicative of a domain membership problem,
whether or not you are using roaming profiles.

Workgroup method is probably simplest, although my past experience
was that even at 5 machines managing multiple users on multiple
machines gets tricky. In theory, you have 30 passwords to set.
If most people only use computer then this is less of an issue.

For a small domain, I think the "classic PDC" can be simpler than a
Samba AD domain controller. However I have not actually tried
implementing a Samba AD domain controller primarily because it would
not play well in our environment. Also, it relies on Heimdal
Kerberos, which is not included in Fedora. I don't think the XP
problems here are related to classic vs AD. That being said, I do
understand that the "classic" domain model is not a long term
solution.

Not specifically a Samba issue but remember the idea of "defense in
depth." Many people think "I have a firewall, my network is safe"
and "I have antivirus, my PCs are safe." You need a mix of client
antivirus, system patching, application updates, backups, e-mail spam
filtering, and user education. None of these have to be
expensive. I think you can still run free Sophos AV on XP. Make
sure no one is logging in with admin rights. The biggest threat
vector, at least in my work, seems to be e-mail (either with
malicious attachments or phishing links.) Anyway, that is my pitch
from my soap box. You can take it or leave it.

As the old machines wear out, the XP issue will solve itself.

On 10/02/17 10:01, ToddAndMargo via samba wrote:
> On 10/02/2017 12:32 AM, Reindl Harald via samba wrote:
>>
>> On 02.10.2017 at 07:25, ToddAndMargo via samba wrote:
>>> On 10/01/2017 10:03 PM, Reindl Harald (mobile) via samba wrote:
>>>> sorry but to say it clear: to think an anti-virus can replace a
>>>> solid operating system is a naive and dangerous attitude
>>>
>>> Uhhh, Why do you not look at infection rates instead of
>>> marketing FUD. WannaCry did not even touch XP.
>>
>> so what - because one specific malware did not proves nothing
>
> The "So What" is the aggregate, not a single instance. You
> missed my point.
>
>>> Not looking at this from an infection rate standpoint and,
>>> instead, believing what the marketing weasels at M$ tell
>>> you is far more dangerous in my technical opinion.
>>
>> you seem to confuse me with someone else - i don't use any microsoft
>> stuff for a decade now and i am grown enough to not write M$
>>
>>> That XP is so insecure is a lot of FUD. Again, look at the
>>> infection rates if you want to know what that truth is and
>>> not marketing FUD.
>>
>> no wonder because nobody right in his brain is using XP any longer on
>> machines connected with a network
>
> Again, it is the aggregate.

On Mon, 2 Oct 2017 10:37:34 -0400 Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> The auto enrollment messages seem to indicate that the client
> machine thinks it is connecting to an AD domain.
>
> The profile messages are indicative of a domain membership problem,
> whether or not you are using roaming profiles.
>
> Workgroup method is probably simplest, although my past experience
> was that even at 5 machines managing multiple users on multiple
> machines gets tricky. In theory, you have 30 passwords to set.
> If most people only use computer then this is less of an issue.

Try doing this with 12 machines with multiple users on most of the
PCs, spread over a large area. 5 machines is easy ;-)

> For a small domain, I think the "classic PDC" can be simpler than a
> Samba AD domain controller. However I have not actually tried
> implementing a Samba AD domain controller primarily because it would
> not play well in our environment. Also, it relies on Heimdal
> Kerberos, which is not included in Fedora. I don't think the XP
> problems here are related to classic vs AD. That being said, I do
> understand that the "classic" domain model is not a long term
> solution.

Believe me, when you get over the initial setup, an AD DC is easier.
In this case, a new AD domain would be simple; it is the
classicupgrade that gives the most problems.

> Not specifically a Samba issue but remember the idea of "defense in
> depth." Many people think "I have a firewall, my network is safe"
> and "I have antivirus, my PCs are safe." You need a mix of client
> antivirus, system patching, application updates, backups, e-mail spam
> filtering, and user education. None of these have to be
> expensive. I think you can still run free Sophos AV on XP. Make
> sure no one is logging in with admin rights. The biggest threat
> vector, at least in my work, seems to be e-mail (either with
> malicious attachments or phishing links.) Anyway, that is my pitch
> from my soap box. You can take it or leave it.

All good advice.

> As the old machines wear out, the XP issue will solve itself.

I wouldn't bank on it. I have dealt with people like the OP's
customer, and they will do anything to cut costs, including buying
old computers.

Rowland

On 10/02/2017 07:37 AM, Gaiseric Vandal via samba wrote:
> The auto enrollment messages seem to indicate that the client
> machine thinks it is connecting to an AD domain.
>
> The profile messages are indicative of a domain membership problem,
> whether or not you are using roaming profiles.
>
> Workgroup method is probably simplest, although my past experience was
> that even at 5 machines managing multiple users on multiple machines
> gets tricky. In theory, you have 30 passwords to set. If most
> people only use computer then this is less of an issue.

Hi Gaiseric,

They only sit at their own machines. On the rare occasion
that they sit on someone else's, they just use the other
person's account. They specifically have it set up that way.
They even see everyone else's eMail (love iMap) by design.
(If a customer writes for something and the recipient is out
for the day, others automatically respond.)

Since I have to go to each machine and set up either the
workgroup or a domain, it is the same amount of work.

I create a logon.bat script that I copy to everyone's start up
that mounts all their network drives with the right drive letters.
That helps a lot. And I set their "My Documents" to their
"homes" drive.

> For a small domain, I think the "classic PDC" can be simpler than a Samba
> AD domain controller. However I have not actually tried implementing a
> Samba AD domain controller primarily because it would not play well in
> our environment. Also, it relies on Heimdal Kerberos, which is not
> included in Fedora. I don't think the XP problems here are related to
> classic vs AD. That being said, I do understand that the "classic"
> domain model is not a long term solution.
>
> Not specifically a Samba issue but remember the idea of "defense in
> depth." Many people think "I have a firewall, my network is safe" and
> "I have antivirus, my PCs are safe." You need a mix of client
> antivirus, system patching, application updates, backups, e-mail spam
> filtering, and user education. None of these have to be expensive.
> I think you can still run free Sophos AV on XP. Make sure no one
> is logging in with admin rights. The biggest threat vector, at
> least in my work, seems to be e-mail (either with malicious attachments
> or phishing links.) Anyway, that is my pitch from my soap box. You can
> take it or leave it.

1+

I also consult on PCI (credit card security). Under "D", it is
full out security. I add (required by PCI) File Integrity
Monitoring (FIM) software to the mix. Lets me know EVERYTHING
that gets changed on the computer. It takes the users about
a month to realize that too. And about three stern lectures
from their managers about playing video poker on the
Point-of-Sale machines. Chuckle! (I keep trying to get their
managers to get a second off point of sale network leg computer
for their other required Internet work, but ...)

Kaspersky's End Point Security Workstation-10.2.5.3201 still
supports XP. It is excellent. It also has a software
out-of-date scanner (poorly labeled "vulnerability scanner"),
which is also required by PCI. I have Kaspersky set to eMail
the managers when it catches anything.

K's business line also has good America based tech support.
(Their home product tech support stinks.)

Disclaimer: I am a Kaspersky reseller. (Yes, they are well
aware of my opinion of the home product support.)

> As the old machines wear out, the XP issue will solve itself.

And now we have a problem. On a box store computer this would
be the case. But these are custom high reliability computers
hand-built by me. The initial cost is about 30% higher than
a store bought computer, but the cost of ownership is maybe
1/4 to 1/10 of a box store computer. This is based on two
to three migrations to new box store computers over the life
span of one of my computers. The cost of migrating from a
crashed computer to a new computer is often multiple times
more expensive than the new computer itself. My computers
are a real good bargain.

But ........ THEY NEVER DIE

So I may have to wait for every piece of software to stop
working before they finally give in and upgrade. And then
PRY the old one out of their hands kicking and screaming!

Thank you for the tips!

-T