europa JP
2023-Dec-14 04:54 UTC
[Samba] "NetJoinLegacyAccountReuse" registry will be disabled in the near future.
Dear Samba Team Member,

Joining a PC to a domain controller configured with Samba is a task we all experience frequently. However, due to the workings of the Windows Update released on October 11, 2022, it has not worked well at times. I encountered this when I joined a PC to an NT4 domain controller (samba-4.10.18).

KB5020276-Netjoin: Domain join hardening changes:
https://support.microsoft.com/en-au/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

NOTE: During that period we should have seen the following error message.
"An account with the same name exists in Active Directory. Re-using the account was blocked by security policy."

We are currently able to work around this by setting up a "NetJoinLegacyAccountReuse" registry before joining the domain. However, the aforementioned URL was revised on August 10, stating that this registry will be disabled in the Windows Update scheduled for release on February 13, 2024.

I would like to know if there is a solution to this future change by modifying the Samba configuration.

Best regards,
europa
Andrew Bartlett
2023-Dec-14 07:01 UTC
[Samba] "NetJoinLegacyAccountReuse" registry will be disabled in the near future.
On Thu, 2023-12-14 at 13:54 +0900, europa JP via samba wrote:
> Dear Samba Team Member,
>
> Joining a PC to a domain controller configured with Samba is a task we all experience frequently.
> However, due to the workings of Windows Update released on October 11, 2022, it has not worked well at times. I encountered this when I joined a PC to an NT4 domain controller (samba-4.10.18).

I am not at all surprised that Samba in NT4 DC mode fails, MS just would not have tested this. Please also run a supported version (but that isn't the issue here).

> KB5020276-Netjoin: Domain join hardening changes:
> https://support.microsoft.com/en-au/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8
>
> NOTE: During that period we should have seen the following error message.
> "An account with the same name exists in Active Directory. Re-using the account was blocked by security policy."
>
> We are currently able to work around this by setting up a "NetJoinLegacyAccountReuse" registry before joining the domain.
> However, the aforementioned URL was revised on August 10, stating that this registry will be disabled in the Windows Update scheduled for release on February 13, 2024.
>
> I would like to know if there is a solution to this future change by modifying the Samba configuration.

So I was behind this :-). This is a real security problem: if you re-join with an existing account, the attacker (on a non-Samba DC more likely, because on Samba we were never foolish enough to implement MachineAccountQuota), then whoever owned that existing account owns your account, and can reset the password etc. Creating a new account is safer.

If you really are running Samba in NT4 DC mode, then I suggest you delete the server-side account before each join, to work around the check.

If that does not work, then you may need to raise it with MS, to see if there is some action possible, but please remember that our NT4 DC code is not actively enhanced any more, so you would need to arrange any server-side changes they suggest.

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
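As an added illustration of the workaround suggested above (this is not code from the thread or from the Samba project), a small POSIX sh wrapper for NT4 (classic) DC mode: it removes the stale machine account from the passdb before the PC re-joins, so the join creates a fresh account instead of re-using one, and it refuses to touch any entry that is not flagged as a workstation trust account. It assumes pdbedit runs on the DC and that the account name for a host is HOST$.

```shell
#!/bin/sh
# Added example, not Samba's own tooling. Assumes this runs on the NT4-mode
# DC where `pdbedit` can read and modify the passdb backend.
# (In AD DC mode the equivalent would be `samba-tool computer delete`.)

# Map a hostname to the machine-account name Samba stores: upper-case,
# with exactly one trailing "$" (a trailing "$" in the input is tolerated).
machine_account_name() {
    printf '%s$\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/\$$//')"
}

# Return 0 if the named account is present in the passdb, non-zero otherwise.
machine_account_exists() {
    pdbedit -L -u "$1" >/dev/null 2>&1
}

# Extract the account flags from `pdbedit -L -v`, e.g. "W          " for a
# workstation trust account or "U          " for an ordinary user.
machine_account_flags() {
    pdbedit -L -v -u "$1" 2>/dev/null \
        | sed -n 's/^Account Flags:[[:space:]]*\[\(.*\)\].*/\1/p'
}

# Delete the machine account for a host so the next join creates a new one.
# Returns 0 on success or when nothing needs deleting, 2 when it refuses
# because the existing entry is not a workstation trust account.
remove_stale_machine_account() {
    acct=$(machine_account_name "$1")
    if ! machine_account_exists "$acct"; then
        echo "no existing account for $acct, nothing to delete"
        return 0
    fi
    flags=$(machine_account_flags "$acct")
    case "$flags" in
        *W*) ;;   # workstation trust account: safe to remove before re-join
        *) echo "refusing to delete $acct: flags [$flags] are not a workstation account" >&2
           return 2 ;;
    esac
    pdbedit -x -u "$acct" >/dev/null && echo "deleted $acct"
}

# Usage: ./pre-join-cleanup.sh <hostname>
if [ "$#" -gt 0 ]; then
    remove_stale_machine_account "$1"
fi
```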