[Samba] New Samba4 AD - "Logon failure: user account restriction"

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 12:42:35 MDT 2015

On 09/04/15 19:18, John E.P. Hynes wrote:
> On 04/09/2015 01:21 PM, Rowland Penny wrote:
>> On 09/04/15 18:03, John E.P. Hynes wrote:
>>> On 04/09/2015 11:31 AM, Rowland Penny wrote:
>>>> On 09/04/15 16:19, John E.P. Hynes wrote:
>>>>> Thanks Rowland, I'll check that out.
>>>>> The funny thing is though, this workstation is in a "test" environment
>>>>> because I'm testing a profile migration/domain join tool.
>>>>> Now, the *first* workstation I tested, I joined to the domain "by
>>>>> hand".
>>>>> That one works for logons as expected.
>>>>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>>>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>>>>> Hi List,
>>>>>>> I just set up a new Samba4 AD controller, created users, etc.  When I
>>>>>>> join a test workstation from our old, currently active domain to the
>>>>>>> new AD server (separate network) the join succeeds, and the user can
>>>>>>> log in the first time to be prompted with the "change your password"
>>>>>>> prompt.  Immediately after changing the password, the logon fails with
>>>>>>> "Logon failure: user account restriction" and possible reasons.
>>>>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>>>>> and computers to log in from "any".  Which is fine.
>>>>>>> Does anyone have a pointer for me?
>>>>>>> Thanks,
>>>>>>> -John
>>>>>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>>>>>> then I think that you need to know that you cannot set password
>>>>>> policies
>>>>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>>>>> 'samba-tool domain passwordsettings --help'
>>>>>> Rowland
>>>> If your new users work, but the original users don't, it would seem that
>>>> there must be a difference between them, what I do not know. It should
>>>> be easy to find out, make sure that ldb-tools is installed and try
>>>> searching for a user that works, then one that doesn't and compare them
>>>> i.e.
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(&(objectclass=user)(samaccountname=rowland))'
>>>> This displays my AD record when run on my Debian wheezy AD DC
>>>> Rowland
>>> There are no old accounts, either user or computer.  The newly created
>>> accounts can be logged into from "box1" but not "box2".
>>> Comparing the machine accounts, they are identical.  Also, just for
>>> giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
>>> *still* didn't work.  Same error.
>>> Nothing in the samba logs at all.  One box works fine, now two others
>>> don't.  Using the accounts with smbclient on the server also works fine.
>>> I'm really at a loss here.  All clients are windows 7, Samba version is
>>> the latest that comes with Ubuntu 14.04.
>>> It looks like it must be on the windows side, since Samba allows logins
>>> from one of the clients, just not the rest.  What debug options should I
>>> try on Samba to watch the credential verification process just to be
>>> sure though?
>>> Thanks,
>>> -John
>> Add 'log level = passdb:5 auth:5 winbind:5' to smb.conf and then restart
>> samba, this should give you plenty of output to look at, you can change
>> the numbers to get more or less output i.e. anything between 0 to 10.
>> See 'man smb.conf' for more info.
>> Rowland
> OK, so after looking at a bunch of debug logs...
> The machine account is locked, userAccountControl flags are 0x4144 for
> the machines that don't allow logon, and 0x1000 for those that do.
> It doesn't seem you can manipulate these through Windows (errors out
> that the server rejected the change) so I guess the next two questions are:
> 1) How do I edit these with samba-tool?
> 2) How the heck did they end up "wrong" like this right out of the box?
> Any ideas appreciated.
> -John

OK, my computer accounts all have this:

userAccountControl: 69632

Which is made up from:


So you could try using ldbmodify on the samba DC to change this.

Create an ldif file, /tmp/computer

dn: CN=computername,CN=Computers,CN=Users,DC=example,DC=com
changetype: modify
replace: UserAccountControl
UserAccountControl: 69632

Don't forget to alter the top line to your settings.

Now use this ldif and ldbmodify to change the attribute:

ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/computer

Again, if sam.ldb isn't in /var/lib/samba/private, then change the path;
also note that this needs to be done as root.
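As an added illustration (not part of this thread or of Samba's own tooling): decoding the userAccountControl values quoted above into the documented AD bit flags, flagging the bits that would block a machine logon, and generating the replace-LDIF Rowland describes. The flag table is the standard AD one; the DN and values are only those from the thread, and the check that 0x4144 contains bits no UAC flag defines is a hint to re-read the raw attribute before modifying it.

```python
# Decode userAccountControl and build the ldbmodify LDIF from the thread.
# Flag table: the documented AD userAccountControl bits.
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Bits that stop a computer account from being used for logon.
BLOCKING = {"ACCOUNTDISABLE", "LOCKOUT", "PASSWORD_EXPIRED"}


def decode_uac(value):
    """Return (sorted known flag names, leftover bits no flag defines)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known = sum(bit for bit in UAC_FLAGS if value & bit)
    return names, value & ~known


def diagnose_computer(value):
    """List reasons a computer account with this UAC would be suspect."""
    names, leftover = decode_uac(value)
    problems = []
    if "WORKSTATION_TRUST_ACCOUNT" not in names:
        problems.append("not a workstation trust account")
    problems += sorted(n for n in names if n in BLOCKING)
    if leftover:
        problems.append("undefined bits 0x%x (re-check the raw attribute)" % leftover)
    return problems


def make_ldif(dn, value):
    """LDIF for 'ldbmodify -H .../sam.ldb file' that replaces the attribute."""
    return ("dn: %s\nchangetype: modify\n"
            "replace: userAccountControl\nuserAccountControl: %d\n" % (dn, value))


if __name__ == "__main__":
    for v in (0x1000, 0x4144, 69632):       # values quoted in the thread
        print("0x%05x" % v, decode_uac(v), diagnose_computer(v))
    print(make_ldif("CN=computername,CN=Computers,DC=example,DC=com", 69632))
```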

