[Samba] New Samba4 AD - "Logon failure: user account restriction"
Rowland Penny
rowlandpenny at googlemail.com
Thu Apr 9 11:21:28 MDT 2015
On 09/04/15 18:03, John E.P. Hynes wrote:
>
> On 04/09/2015 11:31 AM, Rowland Penny wrote:
>> On 09/04/15 16:19, John E.P. Hynes wrote:
>>> Thanks Rowland, I'll check that out.
>>>
>>> The funny thing is though, this workstation is in a "test" environment
>>> because I'm testing a profile migration/domain join tool.
>>>
>>> Now, the *first* workstation I tested, I joined to the domain "by hand".
>>> That one works for logons as expected.
>>>
>>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>>> Hi List,
>>>>>
>>>>> I just set up a new Samba4 AD controller, created users, etc. When I
>>>>> join a test workstation from our old, currently active domain to the
>>>>> new AD server (separate network) the join succeeds, and the user can
>>>>> log in the first time to be prompted with the "change your password"
>>>>> prompt. Immediately after changing the password, the logon fails with
>>>>> "Logon failure: user account restriction" and possible reasons.
>>>>>
>>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>>> and computers to log in from "any". Which is fine.
>>>>>
>>>>> Does anyone have a pointer for me?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -John
>>>>
>>>> You refer to checking a 'policy', would this be a Windows GPO? If so,
>>>> then I think that you need to know that you cannot set password policies
>>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>>> 'samba-tool domain passwordsettings --help'
>>>>
>>>> Rowland
>> If your new users work, but the original users don't, it would seem that
>> there must be a difference between them, what I do not know. It should
>> be easy to find out, make sure that ldb-tools is installed and try
>> searching for a user that works, then one that doesn't and compare them
>> i.e.
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=rowland))'
>>
>> This displays my AD record when run on my Debian wheezy AD DC
>>
>> Rowland
>>
> There are no old accounts, either user or computer. The newly created
> accounts can be logged into from "box1" but not "box2".
>
> Comparing the machine accounts, they are identical. Also, just for
> giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
> *still* didn't work. Same error.
>
> Nothing in the samba logs at all. One box works fine, now two others
> don't. Using the accounts with smbclient on the server also works fine.
>
> I'm really at a loss here. All clients are windows 7, Samba version is
> the latest that comes with Ubuntu 14.04.
>
> It looks like it must be on the windows side, since Samba allows logins
> from one of the clients, just not the rest. What debug options should I
> try on Samba to watch the credential verification process just to be
> sure though?
>
> Thanks,
>
> -John
Add 'log level = passdb:5 auth:5 winbind:5' to smb.conf and then restart
Samba. This should give you plenty of output to look at; you can change
the numbers to get more or less output, i.e. anything between 0 and 10.
See 'man smb.conf' for more info.
Rowland
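As an added example (not part of the thread, and not Samba's own tooling), the following POSIX sh script does the "compare a working account with a failing one" step suggested above in a repeatable way. It reads two LDIF dumps of the kind ldbsearch prints, picks out the attributes that feed a "user account restriction" logon failure (userAccountControl, logonHours, userWorkstations, accountExpires, pwdLastSet), prints the ones that differ, and decodes the well-known userAccountControl bits. The two records for "alice" and "bob" are constructed sample data written to a temp directory so the script runs offline; in practice you would feed it the output of the ldbsearch command from the thread. The attribute name regex only reads the first line of a value, so values that LDIF folds across lines (long userWorkstations lists) would need unfolding first.

```shell
#!/bin/sh
# Compare account-restriction attributes between two AD user records
# dumped as LDIF by ldbsearch. Added example; not part of Samba.

# Attributes that decide "user account restriction" style logon refusals.
RESTRICTION_ATTRS='userAccountControl logonHours userWorkstations accountExpires pwdLastSet'

# attr_value ATTR FILE: print the first value of ATTR in FILE (empty if absent).
# Handles both "attr: value" and base64 "attr:: value" forms.
attr_value() {
    sed -n "s/^$1::* //p" "$2" | head -n 1
}

# decode_uac NUMBER: name the well-known userAccountControl bits that are set.
# Bit values are the documented AD constants (decimal given for portable sh arithmetic).
decode_uac() {
    uac=$1
    out=""
    if [ $(( uac & 2 )) -ne 0 ]; then out="$out ACCOUNTDISABLE"; fi            # 0x2
    if [ $(( uac & 16 )) -ne 0 ]; then out="$out LOCKOUT"; fi                  # 0x10
    if [ $(( uac & 32 )) -ne 0 ]; then out="$out PASSWD_NOTREQD"; fi           # 0x20
    if [ $(( uac & 512 )) -ne 0 ]; then out="$out NORMAL_ACCOUNT"; fi          # 0x200
    if [ $(( uac & 65536 )) -ne 0 ]; then out="$out DONT_EXPIRE_PASSWORD"; fi  # 0x10000
    if [ $(( uac & 8388608 )) -ne 0 ]; then out="$out PASSWORD_EXPIRED"; fi    # 0x800000
    printf '%s\n' "${out# }"
}

# diff_restrictions WORKING.ldif FAILING.ldif: print each restriction attribute
# whose value differs, as "attr: working | failing", decoding userAccountControl.
diff_restrictions() {
    for attr in $RESTRICTION_ATTRS; do
        va=$(attr_value "$attr" "$1")
        vb=$(attr_value "$attr" "$2")
        if [ "$va" != "$vb" ]; then
            printf '%s: %s | %s\n' "$attr" "${va:-<absent>}" "${vb:-<absent>}"
            if [ "$attr" = userAccountControl ] && [ -n "$va" ] && [ -n "$vb" ]; then
                printf '  flags: %s | %s\n' "$(decode_uac "$va")" "$(decode_uac "$vb")"
            fi
        fi
    done
}

# Constructed sample records (hypothetical users in a hypothetical domain).
SAMPLE_DIR=$(mktemp -d)
WORKING_LDIF="$SAMPLE_DIR/alice.ldif"
FAILING_LDIF="$SAMPLE_DIR/bob.ldif"

# logonHours is 21 bytes of 0xff (all hours allowed), which ldbsearch shows base64-encoded.
cat > "$WORKING_LDIF" <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
userAccountControl: 512
logonHours:: ////////////////////////////
pwdLastSet: 130730000000000000
accountExpires: 9223372036854775807
EOF

cat > "$FAILING_LDIF" <<'EOF'
dn: CN=bob,CN=Users,DC=example,DC=lan
sAMAccountName: bob
userAccountControl: 514
logonHours:: ////////////////////////////
userWorkstations: BOX1
pwdLastSet: 130730000000000000
accountExpires: 9223372036854775807
EOF

# Real-world usage (not run here): dump the two accounts with the command from the thread.
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=alice))' > alice.ldif
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=bob))' > bob.ldif
#   diff_restrictions alice.ldif bob.ldif
diff_restrictions "$WORKING_LDIF" "$FAILING_LDIF"
```

On the constructed data the script reports that bob's userAccountControl has ACCOUNTDISABLE set and that bob carries a userWorkstations restriction that alice lacks; an unchanged logonHours or pwdLastSet is not printed, which keeps the comparison focused on what the DC actually checks at logon.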