From: Andrew Bartlett Date: Tue, 12 Dec 2023 03:38:13 +0000 (+1300) Subject: samba-tool user getpassword: Use UTF16_MUNGED charcnv to map "UTF16" to UTF8 X-Git-Tag: talloc-2.4.2~249 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=23326105cd612d8c1fea1a4d7f1f3c5117d5a674;p=thirdparty%2Fsamba.git samba-tool user getpassword: Use UTF16_MUNGED charcnv to map "UTF16" to UTF8 This copes with random invalid UTF-16 as seen with gMSA accounts. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- diff --git a/python/samba/netcmd/user/readpasswords/common.py b/python/samba/netcmd/user/readpasswords/common.py index 8c20de556ea..e294cafbdf6 100644 --- a/python/samba/netcmd/user/readpasswords/common.py +++ b/python/samba/netcmd/user/readpasswords/common.py @@ -454,14 +454,14 @@ class GetPasswordCommand(Command): username or account_name, e)) def get_utf8(a, b, username): - try: - u = str(get_bytes(b), 'utf-16-le') - except UnicodeDecodeError as e: - self.outf.write("WARNING: '%s': CLEARTEXT is invalid UTF-16-LE unable to generate %s\n" % ( - username, a)) - return None - u8 = u.encode('utf-8') - return u8 + creds_for_charcnv = credentials.Credentials() + creds_for_charcnv.set_anonymous() + creds_for_charcnv.set_utf16_password(get_bytes(b)) + + # This can't fail due to character conversion issues as it + # includes a built-in fallback (UTF16_MUNGED) matching + # exactly what we need. + return creds_for_charcnv.get_password().encode() # Extract the WDigest hash for the value specified by i. # Builds an htdigest compatible value diff --git a/python/samba/netcmd/user/readpasswords/getpassword.py b/python/samba/netcmd/user/readpasswords/getpassword.py index 9198626a833..dae384347a2 100644 --- a/python/samba/netcmd/user/readpasswords/getpassword.py +++ b/python/samba/netcmd/user/readpasswords/getpassword.py 
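Review bot: The new body of get_utf8 silently drops the WARNING the removed branch printed when the stored cleartext is not valid UTF-16-LE, so virtualClearTextUTF8 and everything derived from it (virtualSSHA, the WDigest values built just below) now come back as a munged string with no hint that the blob was random key material rather than a typed password; it also leaves the `a` parameter unused. I would keep a strict `decode('utf-16-le')` attempt purely as a diagnostic and print a note before falling through to the Credentials conversion, as below. The comment's claim that get_password() cannot fail rests on the UTF16_MUNGED fallback in the C charcnv code, and `credentials` must already be imported in common.py — neither is visible in this hunk, so both are worth confirming. The enclosing method that defines this nested helper starts and ends outside the hunk.
```python
def get_utf8(a, b, username):
    raw = get_bytes(b)
    try:
        raw.decode('utf-16-le')
    except UnicodeDecodeError:
        # Still tell the operator that the value is a Windows-style munged
        # mapping of invalid UTF-16, not a real password.
        self.outf.write("NOTE: '%s': CLEARTEXT is not valid UTF-16-LE, %s is derived via the UTF16_MUNGED mapping\n" % (
            username, a))
    creds_for_charcnv = credentials.Credentials()
    creds_for_charcnv.set_anonymous()
    creds_for_charcnv.set_utf16_password(raw)
    # … unchanged: conversion comment and return …
```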
@@ -55,10 +55,11 @@ for which virtual attributes are supported in your environment): with '--decrypt-samba-gpg') buffer inside of the supplementalCredentials attribute. This typically contains valid UTF-16-LE, but may contain random - bytes, e.g. for computer accounts. + bytes, e.g. for computer and gMSA accounts. virtualClearTextUTF8: As virtualClearTextUTF16, but converted to UTF-8 - (only from valid UTF-16-LE). + (invalid UTF-16-LE is mapped in the same way as + Windows). virtualSSHA: As virtualClearTextUTF8, but a salted SHA-1 checksum, useful for OpenLDAP's '{SSHA}' algorithm.