John E.P. Hynes
2015-Apr-09 14:52 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi List, I just set up a new Samba4 AD controller, created users, etc. When I join a test workstation from our old, currently active domain to the new AD server (separate network) the join succeeds, and the user can log in the first time to be prompted with the "change your password" prompt. Immediately after changing the password, the logon fails with "Logon failure: user account restriction" and possible reasons. I looked at the policy, by default it seems to be set to hours 24/7 and computers to log in from "any". Which is fine. Does anyone have a pointer for me? Thanks, - -John -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVJpJDAAoJEO3fit/H7ujXuC4H/RC/H3MNLDuMYucG13NEq9qg FrNRQ2sSvmZQn3+pZjIYcqrbjTIzGwh2uZsAgwj+WCrNmDyfbiI9VD/Ti0RaOW/M sr8kzevLvXJkyxj8VM0f8QjoWmKee6crSzmfgtK1a8+P/AhGBTWl65XCU20cSau5 /DU9V7OYcj+rrneD8U8yNw+FieKTaFJlXTw3btzTWHhwnj3SXxKP/RtgDvSNi6wC FUrijEeOLWYUWWVJOJ/gT89HamYY+vDdy/GP8BUsyW5c3QMB38aQCX9Op7FZ1DIC /7tcIklSqDK844zlZtMlEclGPIGTIeaQhAqEi0pGf6vKVveNMqCU9cB0jHPF8c4=AKhe -----END PGP SIGNATURE-----
Rowland Penny
2015-Apr-09 15:07 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
On 09/04/15 15:52, John E.P. Hynes wrote:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi List, > > I just set up a new Samba4 AD controller, created users, etc. When I > join a test workstation from our old, currently active domain to the > new AD server (separate network) the join succeeds, and the user can > log in the first time to be prompted with the "change your password" > prompt. Immediately after changing the password, the logon fails with > "Logon failure: user account restriction" and possible reasons. > > I looked at the policy, by default it seems to be set to hours 24/7 > and computers to log in from "any". Which is fine. > > Does anyone have a pointer for me? > > Thanks, > > - -John > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQEcBAEBAgAGBQJVJpJDAAoJEO3fit/H7ujXuC4H/RC/H3MNLDuMYucG13NEq9qg > FrNRQ2sSvmZQn3+pZjIYcqrbjTIzGwh2uZsAgwj+WCrNmDyfbiI9VD/Ti0RaOW/M > sr8kzevLvXJkyxj8VM0f8QjoWmKee6crSzmfgtK1a8+P/AhGBTWl65XCU20cSau5 > /DU9V7OYcj+rrneD8U8yNw+FieKTaFJlXTw3btzTWHhwnj3SXxKP/RtgDvSNi6wC > FUrijEeOLWYUWWVJOJ/gT89HamYY+vDdy/GP8BUsyW5c3QMB38aQCX9Op7FZ1DIC > /7tcIklSqDK844zlZtMlEclGPIGTIeaQhAqEi0pGf6vKVveNMqCU9cB0jHPF8c4> =AKhe > -----END PGP SIGNATURE-----You refer to checking a 'policy', would this be a windows GPO ? If so, then I think that you need to know that you cannot set password policies on a Samba 4 AD DC via a gpo, you need to use samba-tool, see 'samba-tool domain passwordsettings --help' Rowland
John E.P. Hynes
2015-Apr-09 15:19 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
Thanks Rowland, I'll check that out. The funny thing is though, this workstation is in a "test" environment because I'm testing a profile migration/domain join tool. Now, the *first* workstation I tested, I joined to the domain "by hand". That one works for logons as expected. On 04/09/2015 11:07 AM, Rowland Penny wrote:> On 09/04/15 15:52, John E.P. Hynes wrote: > Hi List, > > I just set up a new Samba4 AD controller, created users, etc. When I > join a test workstation from our old, currently active domain to the > new AD server (separate network) the join succeeds, and the user can > log in the first time to be prompted with the "change your password" > prompt. Immediately after changing the password, the logon fails with > "Logon failure: user account restriction" and possible reasons. > > I looked at the policy, by default it seems to be set to hours 24/7 > and computers to log in from "any". Which is fine. > > Does anyone have a pointer for me? > > Thanks, > > -John > > You refer to checking a 'policy', would this be a windows GPO ? If so, > then I think that you need to know that you cannot set password policies > on a Samba 4 AD DC via a gpo, you need to use samba-tool, see > 'samba-tool domain passwordsettings --help' > > Rowland