TL;DR: Setting a "log on to:" restriction on an AD user object breaks access to file server resources for that user, such as redirected folders. The path to the resources uses an alias for the respective file servers at two different locations, which results in mixed Kerberos/NTLMv2 authentication. This works for unrestricted user access, but fails with 'NT_STATUS_INVALID_WORKSTATION' once a user's logon is restricted to a specific workstation. Is that expected behavior and/or are there any .conf settings to mitigate?

TIA
Mike

Long version:

Two (replicated) file servers for the same domain with a DNS alias pointing to the respective host address on different subnets. This gives me a mixed Kerberos/NTLMv2 bag for authentication to file server resources, such as redirected folders and home drives. Not pretty, but we have a couple of users moving back & forth between two office locations.

This is how it plays out on the DC (auth_audit:3) when a user logs on to his device and pulls his redirected folders off one of those servers (notation changed to protect the innocent):

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[thisuser at MYDOMAIN] at [Mon, 09 Oct 2023 00:12:32.389569 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.3.199:61533] became [MYDOMAIN]\[thisuser] [S-1-5-21-3262729435-2213235217-2489999418-1157]. local host [NULL]
Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 00:12:32.655551 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation [\\\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770] became [MYDOMAIN]\[thisuser] [S-1-5-21-3262729435-2213235217-2489999418-1157]. local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESSERVER2] trust account [FILESERVER2$]

This fails with 'NT_STATUS_INVALID_WORKSTATION' once I introduce logon restrictions to the account:

Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[thisuser at MYDOMAIN.TLD.COM] at [Mon, 09 Oct 2023 00:00:08.300583 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.3.199:61474] became [MYDOMAIN]\[thisuser] [S-1-5-21-3262729435-2213235217-2489999418-3141]. local host [NULL]
Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 00:00:08.314497 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION] workstation [\\\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770] mapped to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESERVER2] trust account [FILESERVER2$]

File server output:

Auth: [SMB2,(null)] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 16:03:56.718823 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION] workstation [TESTWORKSTATION] remote host [ipv4:192.168.3.199:50579] mapped to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.3:445]

testparm output on DC (4.17.10-Debian):

[global]
        bind interfaces only = Yes
        disable netbios = Yes
        disable spoolss = Yes
        interfaces = lo eno1
        load printers = No
        ntlm auth = mschapv2-and-ntlmv2-only
        passdb backend = samba_dsdb
        printcap name = /dev/null
        realm = MYDOMAIN.TLD.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        smb ports = 445
        workgroup = KOP
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config * : backend = tdb
        map archive = No
        printing = bsd
        vfs objects = dfs_samba4 acl_xattr

testparm output on file server (4.17.10-Debian):

[global]
        bind interfaces only = Yes
        dedicated keytab file = /etc/krb5.keytab
        disable netbios = Yes
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        hostname lookups = Yes
        interfaces = lo eno1
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /var/log/samba/system.log
        min domain uid = 0
        preferred master = No
        printcap name = /dev/null
        realm = MYDOMAIN.TLD.COM
        security = ADS
        server role = member server
        server signing = required
        smb ports = 445
        template homedir = /home/%U
        template shell = /bin/bash
        username map = /etc/samba/usermap
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = KOP
        idmap config kop : range = 10000-999999
        idmap config kop : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        hosts allow = 192.168.
        map acl inherit = Yes
        printing = bsd
        vfs objects = acl_xattr
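To triage this mixed Kerberos/NTLMv2 pattern across a full auth_audit log rather than by eye, here is a small parser. It is an added example, not part of Mike's post and not Samba tooling: it splits the bracketed fields of each "Auth:" record, normalises the workstation name (the DC's SamLogon records show it with leading backslashes from the NETLOGON request, the file server's SMB2 record without), tallies non-OK statuses per mechanism and workstation, and lists accounts whose Kerberos pre-authentication succeeded while an NTLMv2 network logon for the same account was refused with NT_STATUS_INVALID_WORKSTATION. The sample lines are reconstructed from the anonymised ones quoted above; all function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the anonymised auth_audit records quoted in the post,
# one per line (names, SIDs and addresses are the post's placeholders).
SAMPLE_LOG = r"""
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[thisuser at MYDOMAIN] at [Mon, 09 Oct 2023 00:12:32.389569 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.3.199:61533] became [MYDOMAIN]\[thisuser] [S-1-5-21-3262729435-2213235217-2489999418-1157]. local host [NULL]
Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 00:12:32.655551 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation [\\\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770] became [MYDOMAIN]\[thisuser] [S-1-5-21-3262729435-2213235217-2489999418-1157]. local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESERVER2] trust account [FILESERVER2$]
Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 00:00:08.314497 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION] workstation [\\\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770] mapped to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESERVER2] trust account [FILESERVER2$]
Auth: [SMB2,(null)] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 16:03:56.718823 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION] workstation [TESTWORKSTATION] remote host [ipv4:192.168.3.199:50579] mapped to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.3:445]
"""

# Field layout of a Samba auth_audit "Auth:" record as it appears in the post.
# The trailing "became"/"mapped to" group is optional: it carries the account
# the logon resolved to, which is what we key on across mechanisms.
AUTH_RE = re.compile(
    r"Auth: \[(?P<method>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<when>[^\]]*)\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
    r"(?: (?:became|mapped to) \[(?P<acct_domain>[^\]]*)\]\\\[(?P<account>[^\]]*)\])?"
)


def parse_auth_line(line):
    """Return a dict of fields for one auth_audit record, or None if not one."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    ws = rec["workstation"]
    # "(null)" means no workstation was supplied (Kerberos pre-auth records);
    # otherwise strip the NETLOGON-style leading backslashes and fold case so the
    # DC's "\\\\HOST" and the file server's "HOST" compare equal.
    rec["workstation"] = None if ws == "(null)" else ws.lstrip("\\").upper()
    remote = rec["remote"]
    rec["remote_ip"] = remote.split(":")[1] if remote.startswith("ipv4:") else remote
    return rec


def summarize(log_text):
    """Parse all records; return (records, Counter of (status, mech, workstation) for non-OK events)."""
    records = [r for r in (parse_auth_line(l) for l in log_text.splitlines()) if r]
    failures = Counter(
        (r["status"], r["mech"], r["workstation"])
        for r in records
        if r["status"] != "NT_STATUS_OK"
    )
    return records, failures


def kerberos_ok_but_ntlm_refused(records):
    """Accounts with a successful Kerberos record and an NTLM record refused for workstation restrictions."""
    krb_ok = {
        r["account"] for r in records
        if r["account"] and r["method"].startswith("Kerberos") and r["status"] == "NT_STATUS_OK"
    }
    ntlm_bad = {
        r["account"] for r in records
        if r["account"] and r["mech"].startswith("NTLM")
        and r["status"] == "NT_STATUS_INVALID_WORKSTATION"
    }
    return krb_ok & ntlm_bad


if __name__ == "__main__":
    recs, fails = summarize(SAMPLE_LOG)
    for key, n in fails.items():
        print(f"{n} x {key[0]} via {key[1]} from workstation {key[2]}")
    print("Kerberos OK but NTLM refused:", sorted(kerberos_ok_but_ntlm_refused(recs)))
```

Run it against a real log with `summarize(open("/var/log/samba/log.samba").read())`; the per-workstation tally shows whether every refused NTLMv2 logon names the same client the user is restricted to, which is the first thing to check before touching smb.conf.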