[Samba] New Samba4 AD - "Logon failure: user account restriction"
John E.P. Hynes
john at hytronix.com
Thu Apr 9 13:08:37 MDT 2015
Ok,
I just set the flags to 0x11000 and the problem workstations can now be logged in to.
Thanks Rowland!
I wonder how they got messed up in the first place though...
> On Apr 9, 2015, at 2:42 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 09/04/15 19:18, John E.P. Hynes wrote:
>>> On 04/09/2015 01:21 PM, Rowland Penny wrote:
>>>> On 09/04/15 18:03, John E.P. Hynes wrote:
>>>>> On 04/09/2015 11:31 AM, Rowland Penny wrote:
>>>>>> On 09/04/15 16:19, John E.P. Hynes wrote:
>>>>>> Thanks Rowland, I'll check that out.
>>>>>>
>>>>>> The funny thing is though, this workstation is in a "test" environment
>>>>>> because I'm testing a profile migration/domain join tool.
>>>>>>
>>>>>> Now, the *first* workstation I tested, I joined to the domain "by
>>>>>> hand".
>>>>>> That one works for logons as expected.
>>>>>>
>>>>>>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>>>>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>>>>> Hi List,
>>>>>>>
>>>>>>> I just set up a new Samba4 AD controller, created users, etc. When I
>>>>>>> join a test workstation from our old, currently active domain to the
>>>>>>> new AD server (separate network) the join succeeds, and the user can
>>>>>>> log in the first time to be prompted with the "change your password"
>>>>>>> prompt. Immediately after changing the password, the logon fails with
>>>>>>> "Logon failure: user account restriction" and possible reasons.
>>>>>>>
>>>>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>>>>> and computers to log in from "any". Which is fine.
>>>>>>>
>>>>>>> Does anyone have a pointer for me?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> -John
>>>>>>>
>>>>>>> You refer to checking a 'policy', would this be a Windows GPO? If so,
>>>>>>> then I think that you need to know that you cannot set password
>>>>>>> policies on a Samba 4 AD DC via a GPO, you need to use samba-tool, see
>>>>>>> 'samba-tool domain passwordsettings --help'
>>>>>>>
>>>>>>> Rowland
>>>>> If your new users work, but the original users don't, it would seem that
>>>>> there must be a difference between them, what I do not know. It should
>>>>> be easy to find out, make sure that ldb-tools is installed and try
>>>>> searching for a user that works, then one that doesn't and compare them
>>>>> i.e.
>>>>>
>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>> '(&(objectclass=user)(samaccountname=rowland))'
>>>>>
>>>>> This displays my AD record when run on my Debian wheezy AD DC
>>>>>
>>>>> Rowland
>>>> There are no old accounts, either user or computer. The newly created
>>>> accounts can be logged into from "box1" but not "box2".
>>>>
>>>> Comparing the machine accounts, they are identical. Also, just for
>>>> giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
>>>> *still* didn't work. Same error.
>>>>
>>>> Nothing in the samba logs at all. One box works fine, now two others
>>>> don't. Using the accounts with smbclient on the server also works fine.
>>>>
>>>> I'm really at a loss here. All clients are Windows 7, Samba version is
>>>> the latest that comes with Ubuntu 14.04.
>>>>
>>>> It looks like it must be on the Windows side, since Samba allows logins
>>>> from one of the clients, just not the rest. What debug options should I
>>>> try on Samba to watch the credential verification process just to be
>>>> sure though?
>>>>
>>>> Thanks,
>>>>
>>>> -John
>>> Add 'log level = passdb:5 auth:5 winbind:5' to smb.conf and then restart
>>> samba, this should give you plenty of output to look at, you can change
>>> the numbers to get more or less output i.e. anything between 0 to 10.
>>> See 'man smb.conf' for more info.
>>>
>>> Rowland
>> OK, so after looking at a bunch of debug logs...
>>
>> The machine account is locked, userAccountControl flags are 0x4144 for
>> the machines that don't allow logon, and 0x1000 for those that do.
>>
>> It doesn't seem you can manipulate these through Windows (errors out
>> that the server rejected the change) so I guess the next two questions are:
>>
>> 1) How do I edit these with samba-tool?
>> 2) How the heck did they end up "wrong" like this right out of the box?
>>
>> Any ideas appreciated.
>>
>> -John
>
> OK, my computer accounts all have this:
>
> userAccountControl: 69632
>
> Which is made up from:
>
> 65536 DONT_EXPIRE_PASSWORD
>  4096 WORKSTATION_TRUST_ACCOUNT
>
> So you could try using ldbmodify on the samba DC to change this.
>
> Create an ldif file, /tmp/computer
>
> dn: CN=computername,CN=Computers,CN=Users,DC=example,DC=com
> changetype: modify
> replace: UserAccountControl
> UserAccountControl: 69632
>
> Don't forget to alter the top line to your settings.
>
> Now use this ldif and ldbmodify to change the attribute:
>
> ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/computer
>
> Again if sam.ldb isn't in /var/lib/samba/private , then change the path, also note that this needs to be done as root.
>
> Rowland
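To turn the userAccountControl values quoted in this thread (0x4144, 0x1000, 69632) into flag names, and to build the LDIF that Rowland's ldbmodify step applies, here is an added Python helper; it is not code from the thread or from Samba, the flag table is the MS-ADTS / Samba UF_* bit set, and the DN and file path are constructed placeholders.

```python
"""Decode userAccountControl bit flags and emit an ldbmodify LDIF for a computer account."""

# userAccountControl bits as documented in MS-ADTS (Samba's UF_* constants).
UF_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
TRUST_BITS = 0x0800 | 0x1000 | 0x2000  # the bits that mark an account as a trust/machine account

def decode_uac(value):
    """Return (known flag names in bit order, leftover bits not in the table)."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UF_FLAGS)
    return names, unknown

def is_machine_account(value):
    """True when any *_TRUST_ACCOUNT bit is set; 0x4144 from the thread has none."""
    return bool(value & TRUST_BITS)

def computer_uac_ldif(dn, value=0x10000 | 0x1000):
    """LDIF replacing userAccountControl with DONT_EXPIRE_PASSWD|WORKSTATION_TRUST_ACCOUNT (69632)."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {value}\n")

if __name__ == "__main__":
    for v in (0x4144, 0x1000, 69632):  # values quoted in the thread
        names, unknown = decode_uac(v)
        print(f"{v:#x}: {names} unknown={unknown:#x} machine={is_machine_account(v)}")
    # placeholder DN; write the result to a file and feed it to ldbmodify -H sam.ldb as root
    print(computer_uac_ldif("CN=box2,CN=Computers,DC=example,DC=com"))
```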