[Samba] "NetJoinLegacyAccountReuse" registry will be disabled in the near future.

Andrew Bartlett abartlet at samba.org
Thu Dec 14 07:01:16 UTC 2023


On Thu, 2023-12-14 at 13:54 +0900, europa JP via samba wrote:
> Dear Samba Team Member,
> 
> Joining a PC to a domain controller configured with Samba is a task
> we all experience frequently.
> However, due to the workings of Windows Update released on October
> 11, 2022, it has not worked well at times. I encountered this when I
> joined a PC to an NT4 domain controller (samba-4.10.18).

I am not at all surprised that Samba in NT4 DC mode fails, MS just
would not have tested this.  Please also run a supported version (but
that isn't the issue here).

> KB5020276-Netjoin: Domain join hardening changes:
> https://support.microsoft.com/en-au/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8
> 
> 
> NOTE: During that period we should have seen the following error
> message.
> "An account with the same name exists in Active Directory. Re-using
> the account was blocked by security policy."
> 
> We are currently able to work around this by setting up a
> "NetJoinLegacyAccountReuse" registry before joining the domain.
> However, the aforementioned URL was revised on August 10, stating
> that this registry will be disabled in the Windows Update scheduled
> for release on February 13, 2024.
> 
> I would like to know if there is a solution to this future change by
> modifying the Samba configuration.

So I was behind this :-). This is a real security problem: if you re-
join with an existing account, then whoever owned that existing account
(the attacker, more likely on a non-Samba DC, because on Samba we were
never foolish enough to implement MachineAccountQuota) owns your
account, and can reset the password etc.

Creating a new account is safer.  If you really are running Samba in
NT4 DC mode, then I suggest you delete the server-side account before
each join, to work around the check. 

If that does not work, then you may need to raise it with MS, to see if
there is some action possible, but please remember that our NT4 DC code
is not actively enhanced any more, so you would need to arrange any
server-side changes they suggest.

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
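
The workaround suggested in the reply above (delete the server-side machine account on the Samba NT4-style DC before each join, so the Windows client creates a fresh one instead of re-using an existing one) as an added shell example. This is not code from the Samba project or from either poster. It assumes the script runs on the DC, that the accounts live in a passdb that `pdbedit` can read, and that the machine account is named after the client hostname in upper case with a trailing `$`; the sample listing is constructed for a dry run without a DC.

```shell
#!/bin/sh
# Added example, not Samba project code. Assumptions: runs on the Samba
# NT4-style DC, accounts are in a pdbedit-readable passdb, and the machine
# account for client "pc01" is "PC01$".

# Derive the passdb account name from a client hostname: "pc01" -> "PC01$".
machine_account() {
    printf '%s$\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Read "pdbedit -L" style output (username:uid:full name) on stdin and
# succeed only when an account with exactly the given name is listed.
# -F keeps the "$" in the account name from being treated as a regex anchor.
account_listed() {
    cut -d: -f1 | grep -qxF -- "$1"
}

# Delete the server-side machine account if present. This calls the real
# pdbedit, so only run it on the DC, before joining the client.
delete_machine_account() {
    acct="$(machine_account "$1")"
    if pdbedit -L | account_listed "$acct"; then
        pdbedit -x -u "$acct"
        echo "deleted $acct"
    else
        echo "no account $acct, nothing to do"
    fi
}

# Constructed sample of "pdbedit -L" output, for checking the parsing
# logic without a DC.
SAMPLE_LISTING='root:0:root
PC01$:1001:Machine account for pc01
alice:1002:Alice Example'

# Usage: ./prejoin-cleanup.sh pc01   (then join pc01 from the Windows side)
if [ "$#" -gt 0 ]; then
    delete_machine_account "$1"
fi
```

The account is deleted only when it is actually listed, so running the script for a never-joined host is harmless. Deleting the passdb entry does not remove any Unix account created by "add machine script"; that is fine for the join, which only needs the passdb entry to be absent so that the client creates a new one rather than re-using it.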



