[Samba] New Samba4 AD - "Logon failure: user account restriction"
Rowland Penny
rowlandpenny at googlemail.com
Thu Apr 9 09:31:43 MDT 2015
On 09/04/15 16:19, John E.P. Hynes wrote:
> Thanks Rowland, I'll check that out.
>
> The funny thing is though, this workstation is in a "test" environment
> because I'm testing a profile migration/domain join tool.
>
> Now, the *first* workstation I tested, I joined to the domain "by hand".
> That one works for logons as expected.
>
> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>> On 09/04/15 15:52, John E.P. Hynes wrote:
>> Hi List,
>>
>> I just set up a new Samba4 AD controller, created users, etc. When I
>> join a test workstation from our old, currently active domain to the
>> new AD server (separate network) the join succeeds, and the user can
>> log in the first time to be prompted with the "change your password"
>> prompt. Immediately after changing the password, the logon fails with
>> "Logon failure: user account restriction" and possible reasons.
>>
>> I looked at the policy, by default it seems to be set to hours 24/7
>> and computers to log in from "any". Which is fine.
>>
>> Does anyone have a pointer for me?
>>
>> Thanks,
>>
>> -John
>>
>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>> then I think that you need to know that you cannot set password policies
>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>> 'samba-tool domain passwordsettings --help'
>>
>> Rowland
If your new users work, but the original users don't, it would seem that
there must be a difference between them, what I do not know. It should
be easy to find out, make sure that ldb-tools is installed and try
searching for a user that works, then one that doesn't and compare them i.e.
ldbsearch -H /var/lib/samba/private/sam.ldb
'(&(objectclass=user)(samaccountname=rowland))'
This displays my AD record when run on my Debian wheezy AD DC
Rowland
More information about the samba
mailing list