John E.P. Hynes
2015-Apr-09 18:18 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
On 04/09/2015 01:21 PM, Rowland Penny wrote:
> On 09/04/15 18:03, John E.P. Hynes wrote:
>>
>> On 04/09/2015 11:31 AM, Rowland Penny wrote:
>>> On 09/04/15 16:19, John E.P. Hynes wrote:
>>>> Thanks Rowland, I'll check that out.
>>>>
>>>> The funny thing is though, this workstation is in a "test" environment
>>>> because I'm testing a profile migration/domain join tool.
>>>>
>>>> Now, the *first* workstation I tested, I joined to the domain "by
>>>> hand".
>>>> That one works for logons as expected.
>>>>
>>>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>>> Hi List,
>>>>>
>>>>> I just set up a new Samba4 AD controller, created users, etc. When I
>>>>> join a test workstation from our old, currently active domain to the
>>>>> new AD server (separate network) the join succeeds, and the user can
>>>>> log in the first time to be prompted with the "change your password"
>>>>> prompt. Immediately after changing the password, the logon fails with
>>>>> "Logon failure: user account restriction" and possible reasons.
>>>>>
>>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>>> and computers to log in from "any". Which is fine.
>>>>>
>>>>> Does anyone have a pointer for me?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -John
>>>>>
>>>>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>>>>> then I think that you need to know that you cannot set password
>>>>> policies
>>>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>>>> 'samba-tool domain passwordsettings --help'
>>>>>
>>>>> Rowland
>>> If your new users work, but the original users don't, it would seem that
>>> there must be a difference between them, what I do not know. It should
>>> be easy to find out, make sure that ldb-tools is installed and try
>>> searching for a user that works, then one that doesn't and compare them
>>> i.e.
>>>
>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>> '(&(objectclass=user)(samaccountname=rowland))'
>>>
>>> This displays my AD record when run on my Debian wheezy AD DC
>>>
>>> Rowland
>>>
>> There are no old accounts, either user or computer. The newly created
>> accounts can be logged into from "box1" but not "box2".
>>
>> Comparing the machine accounts, they are identical. Also, just for
>> giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
>> *still* didn't work. Same error.
>>
>> Nothing in the samba logs at all. One box works fine, now two others
>> don't. Using the accounts with smbclient on the server also works fine.
>>
>> I'm really at a loss here. All clients are windows 7, Samba version is
>> the latest that comes with Ubuntu 14.04.
>>
>> It looks like it must be on the windows side, since Samba allows logins
>> from one of the clients, just not the rest. What debug options should I
>> try on Samba to watch the credential verification process just to be
>> sure though?
>>
>> Thanks,
>>
>> -John
>
> Add 'log level = passdb:5 auth:5 winbind:5' to smb.conf and then restart
> samba, this should give you plenty of output to look at, you can change
> the numbers to get more or less output i.e. anything between 0 to 10.
> See 'man smb.conf' for more info.
>
> Rowland
>
OK, so after looking at a bunch of debug logs...

The machine account is locked, userAccountControl flags are 0x4144 for
the machines that don't allow logon, and 0x1000 for those that do.

It doesn't seem you can manipulate these through Windows (errors out
that the server rejected the change) so I guess the next two questions are:

1) How do I edit these with samba-tool?
2) How the heck did they end up "wrong" like this right out of the box?

Any ideas appreciated.

-John
Rowland Penny
2015-Apr-09 18:42 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
On 09/04/15 19:18, John E.P. Hynes wrote:
> On 04/09/2015 01:21 PM, Rowland Penny wrote:
>> On 09/04/15 18:03, John E.P. Hynes wrote:
>>>
>>> On 04/09/2015 11:31 AM, Rowland Penny wrote:
>>>> On 09/04/15 16:19, John E.P. Hynes wrote:
>>>>> Thanks Rowland, I'll check that out.
>>>>>
>>>>> The funny thing is though, this workstation is in a "test" environment
>>>>> because I'm testing a profile migration/domain join tool.
>>>>>
>>>>> Now, the *first* workstation I tested, I joined to the domain "by
>>>>> hand".
>>>>> That one works for logons as expected.
>>>>>
>>>>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>>>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>>>> Hi List,
>>>>>>
>>>>>> I just set up a new Samba4 AD controller, created users, etc. When I
>>>>>> join a test workstation from our old, currently active domain to the
>>>>>> new AD server (separate network) the join succeeds, and the user can
>>>>>> log in the first time to be prompted with the "change your password"
>>>>>> prompt. Immediately after changing the password, the logon fails with
>>>>>> "Logon failure: user account restriction" and possible reasons.
>>>>>>
>>>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>>>> and computers to log in from "any". Which is fine.
>>>>>>
>>>>>> Does anyone have a pointer for me?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -John
>>>>>>
>>>>>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>>>>>> then I think that you need to know that you cannot set password
>>>>>> policies
>>>>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>>>>> 'samba-tool domain passwordsettings --help'
>>>>>>
>>>>>> Rowland
>>>> If your new users work, but the original users don't, it would seem that
>>>> there must be a difference between them, what I do not know. It should
>>>> be easy to find out, make sure that ldb-tools is installed and try
>>>> searching for a user that works, then one that doesn't and compare them
>>>> i.e.
>>>>
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(&(objectclass=user)(samaccountname=rowland))'
>>>>
>>>> This displays my AD record when run on my Debian wheezy AD DC
>>>>
>>>> Rowland
>>>>
>>> There are no old accounts, either user or computer. The newly created
>>> accounts can be logged into from "box1" but not "box2".
>>>
>>> Comparing the machine accounts, they are identical. Also, just for
>>> giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
>>> *still* didn't work. Same error.
>>>
>>> Nothing in the samba logs at all. One box works fine, now two others
>>> don't. Using the accounts with smbclient on the server also works fine.
>>>
>>> I'm really at a loss here. All clients are windows 7, Samba version is
>>> the latest that comes with Ubuntu 14.04.
>>>
>>> It looks like it must be on the windows side, since Samba allows logins
>>> from one of the clients, just not the rest. What debug options should I
>>> try on Samba to watch the credential verification process just to be
>>> sure though?
>>>
>>> Thanks,
>>>
>>> -John
>> Add 'log level = passdb:5 auth:5 winbind:5' to smb.conf and then restart
>> samba, this should give you plenty of output to look at, you can change
>> the numbers to get more or less output i.e. anything between 0 to 10.
>> See 'man smb.conf' for more info.
>>
>> Rowland
>>
> OK, so after looking at a bunch of debug logs...
>
> The machine account is locked, userAccountControl flags are 0x4144 for
> the machines that don't allow logon, and 0x1000 for those that do.
>
> It doesn't seem you can manipulate these through Windows (errors out
> that the server rejected the change) so I guess the next two questions are:
>
> 1) How do I edit these with samba-tool?
> 2) How the heck did they end up "wrong" like this right out of the box?
>
> Any ideas appreciated.
>
> -John

OK, my computer accounts all have this:

userAccountControl: 69632

Which is made up from:

65536 DONT_EXPIRE_PASSWORD
04096 WORKSTATION_TRUST_ACCOUNT

So you could try using ldbmodify on the samba DC to change this.

Create an ldif file, /tmp/computer

dn: CN=computername,CN=Computers,DC=example,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 69632

Don't forget to alter the top line to your settings.

Now use this ldif and ldbmodify to change the attribute:

ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/computer

Again if sam.ldb isn't in /var/lib/samba/private, then change the path, also note that this needs to be done as root.

Rowland
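The flag arithmetic in the reply above, as an added example that is not code from this thread or from the Samba project: a standard-library Python script that decodes a userAccountControl value into its UF_* names (the bit values are the ones defined in MS-ADTS and Samba's samba.dsdb), reports the bits that stop an account from authenticating, computes the value a workstation trust account should carry while keeping unrelated bits, and emits the same LDIF shape that ldbmodify takes. The computer DN in the script is a placeholder. One observation the script makes visible: the "0x4144" reported earlier in the thread only decodes cleanly if it is read as the decimal 4144 that ldbsearch prints (4144 = 0x1030 = LOCKOUT + PASSWD_NOTREQD + WORKSTATION_TRUST_ACCOUNT, which fits the "machine account is locked" finding); taken literally as hex it contains two undefined bits, so the script prints both readings.

```python
# Added example (not from the thread or from Samba): decode, repair and
# re-emit the userAccountControl (UAC) bit field of an AD computer account.
from typing import Dict, List

# UF_* bit values as defined in MS-ADTS 2.2.16 / samba.dsdb.
UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010, "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}
BY_BIT = {bit: name for name, bit in UAC_FLAGS.items()}

# Bits that make the DC refuse authentication outright.
BLOCKING = ("ACCOUNTDISABLE", "LOCKOUT", "PASSWORD_EXPIRED")
# Mutually exclusive account-type bits; a computer should carry exactly one.
ACCOUNT_TYPES = ("TEMP_DUPLICATE_ACCOUNT", "NORMAL_ACCOUNT",
                 "INTERDOMAIN_TRUST_ACCOUNT", "WORKSTATION_TRUST_ACCOUNT",
                 "SERVER_TRUST_ACCOUNT")


def parse_uac(text: str) -> int:
    """Accept the decimal form ldbsearch prints or a 0x-prefixed hex literal."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def compose_uac(names: List[str]) -> int:
    """OR together named flags; an unknown name raises KeyError on purpose."""
    value = 0
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def decode_uac(value: int) -> List[str]:
    """Names of the set bits, lowest bit first; undefined bits become UNKNOWN_0x..."""
    names = []
    for i in range(32):
        bit = 1 << i
        if value & bit:
            names.append(BY_BIT.get(bit, f"UNKNOWN_{bit:#x}"))
    return names


def blocking_flags(value: int) -> List[str]:
    """Subset of BLOCKING that is set; non-empty means logon cannot succeed."""
    return [n for n in BLOCKING if value & UAC_FLAGS[n]]


def repair_workstation_uac(value: int) -> int:
    """Value a healthy workstation trust account should have, keeping unrelated bits.

    Clears every account-type bit, the blocking bits and PASSWD_NOTREQD, then
    sets WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD (69632, the value a
    freshly joined computer gets).
    """
    clear = compose_uac(list(ACCOUNT_TYPES) + list(BLOCKING) + ["PASSWD_NOTREQD"])
    keep = value & ~clear
    return keep | compose_uac(["WORKSTATION_TRUST_ACCOUNT", "DONT_EXPIRE_PASSWORD"])


def make_ldif(dn: str, value: int) -> str:
    """LDIF in the form `ldbmodify -H /var/lib/samba/private/sam.ldb file` expects."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userAccountControl\n"
            f"userAccountControl: {value}\n")


if __name__ == "__main__":
    # Values quoted in the thread; "0x4144" is shown both as written and as decimal.
    for label, raw in (("healthy", "69632"), ("as written", "0x4144"),
                       ("as decimal", "4144"), ("working box", "0x1000"),
                       ("John's fix", "0x11000")):
        v = parse_uac(raw)
        print(f"{label:>11} {v:>8} {v:#09x}  {', '.join(decode_uac(v))}"
              f"  blocking={blocking_flags(v)}")
    # Placeholder DN (assumption); substitute the real computer object.
    broken = parse_uac("4144")
    print(make_ldif("CN=box2,CN=Computers,DC=example,DC=com",
                    repair_workstation_uac(broken)))
```

Run it on the DC, feed the printed LDIF to ldbmodify as root, and confirm with the ldbsearch query from earlier in the thread that userAccountControl now reads 69632. Two things worth keeping in mind: the repair function deliberately preserves bits it does not know about (for example TRUSTED_FOR_DELEGATION), so review the decoded list before writing; and PASSWD_NOTREQD on a trust account is an audit finding in its own right, since it allows the account to hold an empty password, so its presence on a freshly joined machine deserves a second look even after logons work again.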
John E.P. Hynes
2015-Apr-09 19:08 UTC
[Samba] New Samba4 AD - "Logon failure: user account restriction"
Ok, I just set the flags to 0x11000 and the problem workstations can now be logged in to.

Thanks Rowland!

I wonder how they got messed up in the first place though...

> On Apr 9, 2015, at 2:42 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> On 09/04/15 19:18, John E.P. Hynes wrote:
>>> On 04/09/2015 01:21 PM, Rowland Penny wrote:
>>>> On 09/04/15 18:03, John E.P. Hynes wrote:
>>>>> On 04/09/2015 11:31 AM, Rowland Penny wrote:
>>>>>> On 09/04/15 16:19, John E.P. Hynes wrote:
>>>>>> Thanks Rowland, I'll check that out.
>>>>>>
>>>>>> The funny thing is though, this workstation is in a "test" environment
>>>>>> because I'm testing a profile migration/domain join tool.
>>>>>>
>>>>>> Now, the *first* workstation I tested, I joined to the domain "by
>>>>>> hand".
>>>>>> That one works for logons as expected.
>>>>>>
>>>>>>> On 04/09/2015 11:07 AM, Rowland Penny wrote:
>>>>>>> On 09/04/15 15:52, John E.P. Hynes wrote:
>>>>>>> Hi List,
>>>>>>>
>>>>>>> I just set up a new Samba4 AD controller, created users, etc. When I
>>>>>>> join a test workstation from our old, currently active domain to the
>>>>>>> new AD server (separate network) the join succeeds, and the user can
>>>>>>> log in the first time to be prompted with the "change your password"
>>>>>>> prompt. Immediately after changing the password, the logon fails with
>>>>>>> "Logon failure: user account restriction" and possible reasons.
>>>>>>>
>>>>>>> I looked at the policy, by default it seems to be set to hours 24/7
>>>>>>> and computers to log in from "any". Which is fine.
>>>>>>>
>>>>>>> Does anyone have a pointer for me?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> -John
>>>>>>>
>>>>>>> You refer to checking a 'policy', would this be a windows GPO ? If so,
>>>>>>> then I think that you need to know that you cannot set password
>>>>>>> policies
>>>>>>> on a Samba 4 AD DC via a gpo, you need to use samba-tool, see
>>>>>>> 'samba-tool domain passwordsettings --help'
>>>>>>>
>>>>>>> Rowland
>>>>> If your new users work, but the original users don't, it would seem that
>>>>> there must be a difference between them, what I do not know. It should
>>>>> be easy to find out, make sure that ldb-tools is installed and try
>>>>> searching for a user that works, then one that doesn't and compare them
>>>>> i.e.
>>>>>
>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>>> '(&(objectclass=user)(samaccountname=rowland))'
>>>>>
>>>>> This displays my AD record when run on my Debian wheezy AD DC
>>>>>
>>>>> Rowland
>>>> There are no old accounts, either user or computer. The newly created
>>>> accounts can be logged into from "box1" but not "box2".
>>>>
>>>> Comparing the machine accounts, they are identical. Also, just for
>>>> giggles, I unjoined/rejoined the "not log-in-able" box manually, and it
>>>> *still* didn't work. Same error.
>>>>
>>>> Nothing in the samba logs at all. One box works fine, now two others
>>>> don't. Using the accounts with smbclient on the server also works fine.
>>>>
>>>> I'm really at a loss here. All clients are windows 7, Samba version is
>>>> the latest that comes with Ubuntu 14.04.
>>>>
>>>> It looks like it must be on the windows side, since Samba allows logins
>>>> from one of the clients, just not the rest. What debug options should I
>>>> try on Samba to watch the credential verification process just to be
>>>> sure though?
>>>>
>>>> Thanks,
>>>>
>>>> -John
>>> Add 'log level = passdb:5 auth:5 winbind:5' to smb.conf and then restart
>>> samba, this should give you plenty of output to look at, you can change
>>> the numbers to get more or less output i.e. anything between 0 to 10.
>>> See 'man smb.conf' for more info.
>>>
>>> Rowland
>> OK, so after looking at a bunch of debug logs...
>>
>> The machine account is locked, userAccountControl flags are 0x4144 for
>> the machines that don't allow logon, and 0x1000 for those that do.
>>
>> It doesn't seem you can manipulate these through Windows (errors out
>> that the server rejected the change) so I guess the next two questions are:
>>
>> 1) How do I edit these with samba-tool?
>> 2) How the heck did they end up "wrong" like this right out of the box?
>>
>> Any ideas appreciated.
>>
>> -John
>
> OK, my computer accounts all have this:
>
> userAccountControl: 69632
>
> Which is made up from:
>
> 65536 DONT_EXPIRE_PASSWORD
> 04096 WORKSTATION_TRUST_ACCOUNT
>
> So you could try using ldbmodify on the samba DC to change this.
>
> Create an ldif file, /tmp/computer
>
> dn: CN=computername,CN=Computers,DC=example,DC=com
> changetype: modify
> replace: userAccountControl
> userAccountControl: 69632
>
> Don't forget to alter the top line to your settings.
>
> Now use this ldif and ldbmodify to change the attribute:
>
> ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/computer
>
> Again if sam.ldb isn't in /var/lib/samba/private, then change the path, also note that this needs to be done as root.
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba