[Samba] New Samba4 AD - "Logon failure: user account restriction"

John E.P. Hynes john at hytronix.com
Thu Apr 9 09:19:16 MDT 2015

Thanks Rowland, I'll check that out.

The funny thing is though, this workstation is in a "test" environment
because I'm testing a profile migration/domain join tool.

Now, the *first* workstation I tested, I joined to the domain "by hand".
 That one works for logons as expected.

On 04/09/2015 11:07 AM, Rowland Penny wrote:
> On 09/04/15 15:52, John E.P. Hynes wrote:
> Hi List,
> I just set up a new Samba4 AD controller, created users, etc.  When I
> join a test workstation from our old, currently active domain to the
> new AD server (separate network) the join succeeds, and the user can
> log in the first time to be prompted with the "change your password"
> prompt.  Immediately after changing the password, the logon fails with
> "Logon failure: user account restriction" and possible reasons.
> I looked at the policy, by default it seems to be set to hours 24/7
> and computers to log in from "any".  Which is fine.
> Does anyone have a pointer for me?
> Thanks,
> -John
> You refer to checking a 'policy', would this be a windows GPO ? If so,
> then I think that you need to know that you cannot set password policies
> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
> 'samba-tool domain passwordsettings --help'
> Rowland

More information about the samba mailing list