[Samba] New Samba4 AD - "Logon failure: user account restriction"

John E.P. Hynes john at hytronix.com
Thu Apr 9 12:18:10 MDT 2015


On 04/09/2015 01:21 PM, Rowland Penny wrote:
> On 09/04/15 18:03, John E.P. Hynes wrote:
>>
>> On 04/09/2015 11:31 AM, Rowland Penny wrote:
>>> On 09/04/15 16:19, John E.P. Hynes wrote:
>>>> Thanks Rowland, I'll check that out.
>>>>
>>>> The funny thing is though, this workstation is in a "test" environment
>>>> because I'm testing a profile migration/domain join tool.
>>>>
>>>> Now, the *first* workstation I tested, I joined to the domain "by
>>>> hand".
>>>> That one works for logons as expected.
>>>>
>>>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>>>> Hi List,
>>>>>>
>>>>>> I just set up a new Samba4 AD controller, created users, etc.  When I
>>>>>> join a test workstation from our old, currently active domain to the
>>>>>> new AD server (separate network) the join succeeds, and the user can
>>>>>> log in the first time to be prompted with the "change your password"
>>>>>> prompt.  Immediately after changing the password, the logon fails with
>>>>>> "Logon failure: user account restriction" and possible reasons.
>>>>>>
>>>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>>>> and computers to log in from "any".  Which is fine.
>>>>>>
>>>>>> Does anyone have a pointer for me?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -John
>>>>>
>>>>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>>>>> then I think that you need to know that you cannot set password
>>>>> policies
>>>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>>>> 'samba-tool domain passwordsettings --help'
>>>>>
>>>>> Rowland
>>> If your new users work, but the original users don't, it would seem that
>>> there must be a difference between them, what I do not know. It should
>>> be easy to find out, make sure that ldb-tools is installed and try
>>> searching for a user that works, then one that doesn't and compare them
>>> i.e.
>>>
>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>> '(&(objectclass=user)(samaccountname=rowland))'
>>>
>>> This displays my AD record when run on my Debian wheezy AD DC
>>>
>>> Rowland
>>>
>> There are no old accounts, either user or computer.  The newly created
>> accounts can be logged into from "box1" but not "box2".
>>
>> Comparing the machine accounts, they are identical.  Also, just for
>> giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
>> *still* didn't work.  Same error.
>>
>> Nothing in the samba logs at all.  One box works fine, now two others
>> don't.  Using the accounts with smbclient on the server also works fine.
>>
>> I'm really at a loss here.  All clients are windows 7, Samba version is
>> the latest that comes with Ubuntu 14.04.
>>
>> It looks like it must be on the windows side, since Samba allows logins
>> from one of the clients, just not the rest.  What debug options should I
>> try on Samba to watch the credential verification process just to be
>> sure though?
>>
>> Thanks,
>>
>> -John
> 
> Add 'log level = passdb:5 auth:5 winbind:5' to smb.conf and then restart
> samba, this should give you plenty of output to look at, you can change
> the numbers to get more or less output i.e. anything between 0 to 10.
> See 'man smb.conf' for more info.
> 
> Rowland
> 

OK, so after looking at a bunch of debug logs...

The machine account is locked, userAccountControl flags are 0x4144 for
the machines that don't allow logon, and 0x1000 for those that do.

It doesn't seem you can manipulate these through Windows (errors out
that the server rejected the change) so I guess the next two questions are:

1) How do I edit these with samba-tool?
2) How the heck did they end up "wrong" like this right out of the box?

Any ideas appreciated.

-John
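A worked check for the two values above, added here as an example and not code from the thread or from Samba. The flag tables are the documented constants for the userAccountControl LDAP attribute and for the SAMR USER_ACCOUNT codes (what Samba prints as ACB_* acct_flags); the two encodings have the same meanings on different bits, so the same hex number decodes differently depending on which log line it was copied from. 0x4144 and 0x1000 are the values reported in the message; the DN and account name in the LDIF are constructed. To obtain the attribute for a given machine account, the ldbsearch command Rowland gave earlier in the thread can be narrowed to the one attribute, for instance `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=box2$)' userAccountControl` (assumed account name), and the LDIF produced by `reset_ldif` can be applied with `ldbmodify -H /var/lib/samba/private/sam.ldb reset.ldif`.

```python
"""Decode account-control bit flags and build an LDIF to reset them.

Added example, not code from the thread or from Samba.  UAC holds the
documented userAccountControl bits (MS-ADTS); ACB holds the SAMR
USER_ACCOUNT codes (MS-SAMR, Samba's ACB_* acct_flags).  The sample
values 0x4144 and 0x1000 come from the thread; the DN is constructed.
"""

UAC = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Same meanings, different bit layout: the SAMR encoding, which is what
# Samba's acct_flags use.  A number copied from the wrong log line
# decodes into nonsense if it is fed to the wrong table.
ACB = {
    0x00000001: "ACB_DISABLED",
    0x00000002: "ACB_HOMDIRREQ",
    0x00000004: "ACB_PWNOTREQ",
    0x00000008: "ACB_TEMPDUP",
    0x00000010: "ACB_NORMAL",
    0x00000020: "ACB_MNS",
    0x00000040: "ACB_DOMTRUST",
    0x00000080: "ACB_WSTRUST",
    0x00000100: "ACB_SVRTRUST",
    0x00000200: "ACB_PWNOEXP",
    0x00000400: "ACB_AUTOLOCK",
    0x00000800: "ACB_ENC_TXT_PWD_ALLOWED",
    0x00001000: "ACB_SMARTCARD_REQUIRED",
    0x00002000: "ACB_TRUSTED_FOR_DELEGATION",
    0x00004000: "ACB_NOT_DELEGATED",
    0x00008000: "ACB_USE_DES_KEY_ONLY",
    0x00010000: "ACB_DONT_REQUIRE_PREAUTH",
    0x00020000: "ACB_PW_EXPIRED",
    0x00040000: "ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "ACB_NO_AUTH_DATA_REQD",
    0x00100000: "ACB_PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "ACB_USE_AES_KEYS",
}


def decode(value, table):
    """Split value into (names of set flags, bits the table does not define)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    defined = 0
    for bit in table:
        defined |= bit
    return names, value & ~defined


def diff_flags(bad, good, table):
    """Flags only on the failing account, and flags only on the working one."""
    only_bad, _ = decode(bad & ~good, table)
    only_good, _ = decode(good & ~bad, table)
    return only_bad, only_good


def reset_ldif(dn, new_value):
    """LDIF that replaces userAccountControl on dn, for ldbmodify -H sam.ldb."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        "userAccountControl: %d\n" % (dn, new_value)
    )


if __name__ == "__main__":
    bad, good = 0x4144, 0x1000
    for label, table in (("userAccountControl", UAC), ("SAMR acct_flags", ACB)):
        for v in (bad, good):
            names, leftover = decode(v, table)
            print("%-18s 0x%04x -> %s%s" % (
                label, v, " | ".join(names) or "(none)",
                "  + undefined bits 0x%x" % leftover if leftover else ""))
    print(diff_flags(bad, good, UAC))
    # Constructed DN; a real one comes from the ldbsearch output.
    print(reset_ldif("CN=BOX2,CN=Computers,DC=example,DC=com", good))
```

Read as userAccountControl, 0x1000 is exactly WORKSTATION_TRUST_ACCOUNT, which is what a freshly joined machine account should carry, while 0x4144 sets PASSWD_CANT_CHANGE and TEMP_DUPLICATE_ACCOUNT plus two bits (0x4004) that the attribute does not define; read as SAMR acct_flags the same number decodes to an entirely different set, so confirm which field the log line was printing before acting on it. The diff against a working account is the check worth keeping: it tells you precisely which bits to replace rather than guessing from the hex.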

