[Samba] New Samba4 AD - "Logon failure: user account restriction"

John E.P. Hynes john at hytronix.com
Thu Apr 9 11:03:35 MDT 2015

On 04/09/2015 11:31 AM, Rowland Penny wrote:
> On 09/04/15 16:19, John E.P. Hynes wrote:
>> Thanks Rowland, I'll check that out.
>> The funny thing is though, this workstation is in a "test" environment
>> because I'm testing a profile migration/domain join tool.
>> Now, the *first* workstation I tested, I joined to the domain "by hand".
>> That one works for logons as expected.
>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>> Hi List,
>>>> I just set up a new Samba4 AD controller, created users, etc.  When I
>>>> join a test workstation from our old, currently active domain to the
>>>> new AD server (separate network) the join succeeds, and the user can
>>>> log in the first time to be prompted with the "change your password"
>>>> prompt.  Immediately after changing the password, the logon fails with
>>>> "Logon failure: user account restriction" and possible reasons.
>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>> and computers to log in from "any".  Which is fine.
>>>> Does anyone have a pointer for me?
>>>> Thanks,
>>>> -John
>>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>>> then I think that you need to know that you cannot set password policies
>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>> 'samba-tool domain passwordsettings --help'
>>> Rowland
> If your new users work, but the original users don't, it would seem that
> there must be a difference between them, what I do not know. It should
> be easy to find out, make sure that ldb-tools is installed and try
> searching for a user that works, then one that doesn't and compare them
> i.e.
> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=rowland))'
> This displays my AD record when run on my Debian wheezy AD DC
> Rowland

There are no old accounts, either user or computer.  The newly created
accounts can be logged into from "box1" but not "box2".

Comparing the machine accounts, they are identical.  Also, just for
giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
*still* didn't work.  Same error.

Nothing in the samba logs at all.  One box works fine, now two others
don't.  Using the accounts with smbclient on the server also works fine.

I'm really at a loss here.  All clients are Windows 7, Samba version is
the latest that comes with Ubuntu 14.04.

It looks like it must be on the Windows side, since Samba allows logins
from one of the clients, just not the rest.  What debug options should I
try on Samba to watch the credential verification process just to be
sure though?
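The side-by-side comparison Rowland suggests is easier to read when the two ldbsearch records are diffed attribute by attribute. The following is an added example, not code from the thread or from Samba: it parses two constructed LDIF records shaped like ldbsearch output (the account names, DNs and values are made up) and reports only the attributes that can produce a "user account restriction" refusal.

```python
# Diff two ldbsearch (LDIF) user records and flag the attributes that can produce the error.
import re

# AD attributes behind the "user account restriction" refusal (hours, workstations, flags, expiry).
RESTRICTION_ATTRS = {"userAccountControl", "logonHours", "userWorkstations",
                     "accountExpires", "lockoutTime", "pwdLastSet"}
# Restriction-relevant userAccountControl bits (documented UAC flag values).
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x800000: "PASSWORD_EXPIRED"}
# Identity attributes that always differ between two accounts; skipped in the diff.
IDENTITY_ATTRS = {"dn", "cn", "name", "distinguishedName", "sAMAccountName", "userPrincipalName",
                  "objectGUID", "objectSid", "whenCreated", "whenChanged", "uSNCreated", "uSNChanged"}

def parse_ldif(text):
    """Parse one ldbsearch LDIF record into {attr: [values]}: re-join folded
    continuation lines, drop '#' comments, strip the '::' base64 marker."""
    record = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            record.setdefault(attr.strip(), []).append(value.lstrip(":").strip())
    return record

def diff_records(a, b):
    """Attributes whose values differ between a and b, identity attributes excluded."""
    return {attr: (a.get(attr), b.get(attr)) for attr in sorted(set(a) | set(b))
            if attr not in IDENTITY_ATTRS and a.get(attr) != b.get(attr)}

def restriction_findings(diff):
    """Subset of a diff that can actually trigger the restriction error."""
    return {k: v for k, v in diff.items() if k in RESTRICTION_ATTRS}

def decode_uac(value):
    """Names of the restriction-relevant bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if int(value) & bit]

# Constructed sample records (not from the thread), shaped like ldbsearch output.
WORKING = """# record 1
dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
userAccountControl: 512
"""
FAILING = """# record 1
dn: CN=bob,CN=Users,DC=example,DC=lan
sAMAccountName: bob
userAccountControl: 8389120
userWorkstations: BOX1
"""
```

Feed it the output of two real ldbsearch runs instead of the constructed strings; `restriction_findings(diff_records(parse_ldif(ok), parse_ldif(bad)))` returns only the attributes worth investigating, and `decode_uac` names the flags set in a differing userAccountControl value.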
