[Samba] New Samba4 AD - "Logon failure: user account restriction"

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 09:07:34 MDT 2015


On 09/04/15 15:52, John E.P. Hynes wrote:
> Hi List,
>
> I just set up a new Samba4 AD controller, created users, etc.  When I
> join a test workstation from our old, currently active domain to the
> new AD server (separate network) the join succeeds, and the user can
> log in the first time to be prompted with the "change your password"
> prompt.  Immediately after changing the password, the logon fails with
> "Logon failure: user account restriction" and possible reasons.
>
> I looked at the policy, by default it seems to be set to hours 24/7
> and computers to log in from "any".  Which is fine.
>
> Does anyone have a pointer for me?
>
> Thanks,
>
> -John

You refer to checking a 'policy'; would this be a Windows GPO? If so,
then I think that you need to know that you cannot set password policies
on a Samba 4 AD DC via a GPO; you need to use samba-tool, see
'samba-tool domain passwordsettings --help'.

Rowland
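
The samba-tool route mentioned in the reply above, as an added example that is not part of the original thread: a small shell audit of `samba-tool domain passwordsettings show` output. The sample output is constructed (layout assumed from Samba 4.x), the helper names are hypothetical, and the thresholds are illustrative assumptions.

```shell
#!/bin/sh
# Constructed sample of `samba-tool domain passwordsettings show` output.
# Layout assumed from Samba 4.x; the domain and values are made up.
sample_settings() {
cat <<'EOF'
Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
}

# get_setting LABEL: read `show` output on stdin, print the value for LABEL.
get_setting() {
  awk -F': ' -v k="$1" '$1 == k { print $2; exit }'
}

# audit_settings: read `show` output on stdin, print one finding per line.
# Thresholds are illustrative assumptions, not Samba or list recommendations.
audit_settings() {
  out=$(cat)
  val() { printf '%s\n' "$out" | get_setting "$1"; }
  len=$(val 'Minimum password length')
  thr=$(val 'Account lockout threshold (attempts)')
  [ "$(val 'Password complexity')" = "on" ] || echo "complexity-off"
  [ "$(val 'Store plaintext passwords')" = "off" ] || echo "plaintext-stored"
  [ "${len:-0}" -ge 12 ] || echo "min-length-short"
  [ "${thr:-0}" -gt 0 ] || echo "no-lockout"
  return 0
}

# On the DC itself (as root) the live policy would be audited with:
#   samba-tool domain passwordsettings show | audit_settings
# and findings corrected with, for example:
#   samba-tool domain passwordsettings set --min-pwd-length=12
#   samba-tool domain passwordsettings set --account-lockout-threshold=5
sample_settings | audit_settings
```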
