John E.P. Hynes
2015-Apr-09 15:19 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
Thanks Rowland, I'll check that out.

The funny thing is though, this workstation is in a "test" environment because I'm testing a profile migration/domain join tool.

Now, the *first* workstation I tested, I joined to the domain "by hand". That one works for logons as expected.

On 04/09/2015 11:07 AM, Rowland Penny wrote:
> On 09/04/15 15:52, John E.P. Hynes wrote:
> Hi List,
>
> I just set up a new Samba4 AD controller, created users, etc. When I
> join a test workstation from our old, currently active domain to the
> new AD server (separate network) the join succeeds, and the user can
> log in the first time to be prompted with the "change your password"
> prompt. Immediately after changing the password, the logon fails with
> "Logon failure: user account restriction" and possible reasons.
>
> I looked at the policy, by default it seems to be set to hours 24/7
> and computers to log in from "any". Which is fine.
>
> Does anyone have a pointer for me?
>
> Thanks,
>
> -John
>
> You refer to checking a 'policy', would this be a windows GPO ? If so,
> then I think that you need to know that you cannot set password policies
> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
> 'samba-tool domain passwordsettings --help'
>
> Rowland
Rowland Penny
2015-Apr-09 15:31 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
On 09/04/15 16:19, John E.P. Hynes wrote:
> Thanks Rowland, I'll check that out.
>
> The funny thing is though, this workstation is in a "test" environment
> because I'm testing a profile migration/domain join tool.
>
> Now, the *first* workstation I tested, I joined to the domain "by hand".
> That one works for logons as expected.
>
> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>> On 09/04/15 15:52, John E.P. Hynes wrote:
>> Hi List,
>>
>> I just set up a new Samba4 AD controller, created users, etc. When I
>> join a test workstation from our old, currently active domain to the
>> new AD server (separate network) the join succeeds, and the user can
>> log in the first time to be prompted with the "change your password"
>> prompt. Immediately after changing the password, the logon fails with
>> "Logon failure: user account restriction" and possible reasons.
>>
>> I looked at the policy, by default it seems to be set to hours 24/7
>> and computers to log in from "any". Which is fine.
>>
>> Does anyone have a pointer for me?
>>
>> Thanks,
>>
>> -John
>>
>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>> then I think that you need to know that you cannot set password policies
>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>> 'samba-tool domain passwordsettings --help'
>>
>> Rowland

If your new users work, but the original users don't, it would seem that there must be a difference between them, what I do not know. It should be easy to find out, make sure that ldb-tools is installed and try searching for a user that works, then one that doesn't and compare them i.e.

ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectclass=user)(samaccountname=rowland))'

This displays my AD record when run on my Debian wheezy AD DC

Rowland
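The comparison suggested in the message above, as an added example that is not part of the original thread: it parses two LDIF records of the kind ldbsearch prints and reports which logon-related attributes differ. The attribute selection, the function names and both sample records are assumptions constructed for illustration.

```python
import base64

# Attributes compared here are this example's choice, not a list from the thread.
RESTRICTION_ATTRS = ("userAccountControl", "userWorkstations", "logonHours",
                     "accountExpires", "pwdLastSet", "lockoutTime")
# userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def parse_ldif(text):
    """Parse one ldbsearch LDIF record into {attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    record = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" (binary or non-ASCII)
            value = base64.b64decode(value[1:].strip()).hex()
        record.setdefault(attr, []).append(value.strip())
    return record

def uac_flags(value):
    """Decode a userAccountControl integer into sorted flag names."""
    return sorted(name for bit, name in UAC_FLAGS.items() if int(value) & bit)

def diff_restrictions(good, bad):
    """Return {attr: (working_values, failing_values)} where the records differ."""
    return {a: (good.get(a), bad.get(a)) for a in RESTRICTION_ATTRS
            if good.get(a) != bad.get(a)}

# Constructed sample records (not from the thread), shaped like ldbsearch output.
WORKING = """# record 1
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
pwdLastSet: 130730000000000000
"""
FAILING = """# record 1
dn: CN=bob,CN=Users,
 DC=example,DC=test
sAMAccountName: bob
userAccountControl: 544
userWorkstations: BOX1
pwdLastSet: 0
"""

if __name__ == "__main__":
    for attr, (g, b) in diff_restrictions(parse_ldif(WORKING), parse_ldif(FAILING)).items():
        print(f"{attr}: working={g} failing={b}")
```

To use it on real data, save the ldbsearch output for each account to a file and pass the file contents to `parse_ldif`.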
John E.P. Hynes
2015-Apr-09 17:03 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
On 04/09/2015 11:31 AM, Rowland Penny wrote:
> On 09/04/15 16:19, John E.P. Hynes wrote:
>> Thanks Rowland, I'll check that out.
>>
>> The funny thing is though, this workstation is in a "test" environment
>> because I'm testing a profile migration/domain join tool.
>>
>> Now, the *first* workstation I tested, I joined to the domain "by hand".
>> That one works for logons as expected.
>>
>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>> Hi List,
>>>
>>> I just set up a new Samba4 AD controller, created users, etc. When I
>>> join a test workstation from our old, currently active domain to the
>>> new AD server (separate network) the join succeeds, and the user can
>>> log in the first time to be prompted with the "change your password"
>>> prompt. Immediately after changing the password, the logon fails with
>>> "Logon failure: user account restriction" and possible reasons.
>>>
>>> I looked at the policy, by default it seems to be set to hours 24/7
>>> and computers to log in from "any". Which is fine.
>>>
>>> Does anyone have a pointer for me?
>>>
>>> Thanks,
>>>
>>> -John
>>>
>>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>>> then I think that you need to know that you cannot set password policies
>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>> 'samba-tool domain passwordsettings --help'
>>>
>>> Rowland
>
> If your new users work, but the original users don't, it would seem that
> there must be a difference between them, what I do not know. It should
> be easy to find out, make sure that ldb-tools is installed and try
> searching for a user that works, then one that doesn't and compare them
> i.e.
>
> ldbsearch -H /var/lib/samba/private/sam.ldb
> '(&(objectclass=user)(samaccountname=rowland))'
>
> This displays my AD record when run on my Debian wheezy AD DC
>
> Rowland
>

There are no old accounts, either user or computer.

The newly created accounts can be logged into from "box1" but not "box2". Comparing the machine accounts, they are identical. Also, just for giggles, I unjoined/rejoined the "not log-in-able" box manually, and it *still* didn't work. Same error. Nothing in the Samba logs at all.

One box works fine, now two others don't. Using the accounts with smbclient on the server also works fine.

I'm really at a loss here. All clients are Windows 7, Samba version is the latest that comes with Ubuntu 14.04. It looks like it must be on the Windows side, since Samba allows logins from one of the clients, just not the rest.

What debug options should I try on Samba to watch the credential verification process just to be sure though?

Thanks,

-John