samba-tool: Add support for getting the generated unicodePwd for a gMSA account
authorAndrew Bartlett <abartlet@samba.org>
Mon, 11 Dec 2023 07:49:44 +0000 (20:49 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 21 Dec 2023 02:05:38 +0000 (02:05 +0000)
This pre-hashed value (the NT hash that Windows stores as unicodePwd) may be more practical to use than the random "UTF-16" password itself.  In particular, it is easy to compare with the values stored in the DB.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
python/samba/netcmd/user/readpasswords/common.py
selftest/knownfail.d/samba_tool_user [new file with mode: 0644]

index d8523fbe804dc6be8ff79335443299e887007adb..acb412b90e0c912aba96dd4287817f8ba849a26d 100644 (file)
@@ -99,6 +99,9 @@ virtual_attributes = {
     "virtualSambaGPG": {
         "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF,
     },
+    "unicodePwd": {
+        "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF,
+    },
 }
 
 
@@ -725,6 +728,13 @@ class GetPasswordCommand(Command):
                 v = kerberos_salt
                 if v is None:
                     continue
+            elif a == "unicodePwd" and "Primary:CLEARTEXT" in calculated and unicodePwd is None:
+                # We can't read unicodePwd directly, but we can regenerate
+                # it from msDS-ManagedPassword
+                tmp = credentials.Credentials()
+                tmp.set_anonymous()
+                tmp.set_utf16_password(calculated["Primary:CLEARTEXT"])
+                v = tmp.get_nt_hash()
             elif a.startswith("virtualWDigest"):
                 primary_wdigest = get_package("Primary:WDigest")
                 if primary_wdigest is None:
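Review bot: The new branch `elif a == "unicodePwd" and "Primary:CLEARTEXT" in calculated and unicodePwd is None:` is not restricted to gMSA accounts despite the commit title — any object whose supplemental credentials carry Primary:CLEARTEXT and no stored NT hash will now have a unicodePwd synthesized for it, which is presumably why this same commit has to add a knownfail for test_setpassword in the ad_dc_no_ntlm environment. If the intent is gMSA-only, gate the branch on the managed-password derivation the comment refers to rather than on the bare presence of Primary:CLEARTEXT; otherwise say explicitly that the tool will emit an NT hash even on a DC configured not to store one. The inline comment should also state what is computed and why raw UTF-16 bytes are passed instead of a decoded string, e.g. `# unicodePwd is the NT hash of the UTF-16LE password. The gMSA managed password is random UTF-16 that need not be valid Unicode, so feed the raw bytes to set_utf16_password rather than decoding them` (this assumes calculated["Primary:CLEARTEXT"] is bytes — confirm). The enclosing method of GetPasswordCommand starts and ends outside this hunk.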
diff --git a/selftest/knownfail.d/samba_tool_user b/selftest/knownfail.d/samba_tool_user
new file mode 100644 (file)
index 0000000..a558a1f
--- /dev/null
@@ -0,0 +1 @@
+^samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_setpassword\(ad_dc_no_ntlm
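Review bot: This knownfail entry is created by the same commit that changes the unicodePwd output, so it records a regression introduced here rather than a pre-existing failure, and it should be justified in the commit message or resolved instead of suppressed. The likely cause is that the new readpasswords branch now returns a synthesized NT hash in the no-NTLM environment where the test expects none — either narrow that branch or update the test to assert the intended output for such a DC. As a minor point, the pattern lacks a closing `\)` and end anchor, so `...test_setpassword\(ad_dc_no_ntlm\)$` would match only the intended test.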