From: Andrew Bartlett Date: Mon, 11 Dec 2023 07:49:44 +0000 (+1300) Subject: samba-tool: Add support for getting the generated unicodePwd for a gMSA account X-Git-Tag: talloc-2.4.2~247 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8b67a86584d20b59a1e2af7c37f342870a505192;p=thirdparty%2Fsamba.git samba-tool: Add support for getting the generated unicodePwd for a gMSA account This pre-hashed value may be more practical to use than the random "UTF-16" password. In particular it is easy to compare with the DB values. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall --- diff --git a/python/samba/netcmd/user/readpasswords/common.py b/python/samba/netcmd/user/readpasswords/common.py index d8523fbe804..acb412b90e0 100644 --- a/python/samba/netcmd/user/readpasswords/common.py +++ b/python/samba/netcmd/user/readpasswords/common.py @@ -99,6 +99,9 @@ virtual_attributes = { "virtualSambaGPG": { "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, }, + "unicodePwd": { + "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, + }, } @@ -725,6 +728,13 @@ class GetPasswordCommand(Command): v = kerberos_salt if v is None: continue + elif a == "unicodePwd" and "Primary:CLEARTEXT" in calculated and unicodePwd is None: + # We can't read unicodePwd directly, but we can regenerate + # it from msDS-ManagedPassword + tmp = credentials.Credentials() + tmp.set_anonymous() + tmp.set_utf16_password(calculated["Primary:CLEARTEXT"]) + v = tmp.get_nt_hash() elif a.startswith("virtualWDigest"): primary_wdigest = get_package("Primary:WDigest") if primary_wdigest is None: diff --git a/selftest/knownfail.d/samba_tool_user b/selftest/knownfail.d/samba_tool_user new file mode 100644 index 00000000000..a558a1f8979 --- /dev/null +++ b/selftest/knownfail.d/samba_tool_user @@ -0,0 +1 @@ +^samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_setpassword\(ad_dc_no_ntlm