From 8b67a86584d20b59a1e2af7c37f342870a505192 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 11 Dec 2023 20:49:44 +1300
Subject: [PATCH] samba-tool: Add support for getting the generated unicodePwd for a gMSA account
This pre-hashed value may be more practical to use than the random "UTF-16" password. In particular it is easy to compare with the DB values.
Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---
 python/samba/netcmd/user/readpasswords/common.py | 10 ++++++++++
 selftest/knownfail.d/samba_tool_user | 1 +
 2 files changed, 11 insertions(+)
 create mode 100644 selftest/knownfail.d/samba_tool_user
diff --git a/python/samba/netcmd/user/readpasswords/common.py b/python/samba/netcmd/user/readpasswords/common.py
index d8523fbe804..acb412b90e0 100644
--- a/python/samba/netcmd/user/readpasswords/common.py
+++ b/python/samba/netcmd/user/readpasswords/common.py
@@ -99,6 +99,9 @@ virtual_attributes = {
 "virtualSambaGPG": {
 "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF,
 },
+ "unicodePwd": {
+ "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF,
+ },
 }
@@ -725,6 +728,13 @@ class GetPasswordCommand(Command):
 v = kerberos_salt
 if v is None:
 continue
+ elif a == "unicodePwd" and "Primary:CLEARTEXT" in calculated and unicodePwd is None:
+ # We can't read unicodePwd directly, but we can regenerate
+ # it from msDS-ManagedPassword
+ tmp = credentials.Credentials()
+ tmp.set_anonymous()
+ tmp.set_utf16_password(calculated["Primary:CLEARTEXT"])
+ v = tmp.get_nt_hash()
 elif a.startswith("virtualWDigest"):
 primary_wdigest = get_package("Primary:WDigest")
 if primary_wdigest is None:
diff --git a/selftest/knownfail.d/samba_tool_user b/selftest/knownfail.d/samba_tool_user
new file mode 100644
index 00000000000..a558a1f8979
--- /dev/null
+++ b/selftest/knownfail.d/samba_tool_user
@@ -0,0 +1 @@
+^samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_setpassword\(ad_dc_no_ntlm
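Review bot: The new `"unicodePwd"` entry puts a real directory attribute name into `virtual_attributes` next to `virtualSambaGPG`, and nothing at the entry says why it belongs there. A one-line comment above it would help, for example `# not virtual by name: derived from the managed password for gMSA accounts when the stored value cannot be read`. It is also worth noting beside the flag that the value is a raw binary hash, which is why base64 LDIF output is forced. The dict starts outside the hunk, so other keys without the `virtual` prefix may already exist.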
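Review bot: The comment on the new `elif a == "unicodePwd"` branch does not say that the value it produces is an NT hash, which is password-equivalent for the account and needs the same handling as the cleartext; I would add `# NOTE: the NT hash is password-equivalent; treat the output like the cleartext`. The condition tests `"Primary:CLEARTEXT" in calculated`, not anything specific to gMSA accounts. `calculated` is filled outside the hunk, so if it can hold a cleartext from another source, either widen the comment's "from msDS-ManagedPassword" or tighten the condition. The commit also adds a knownfail for `test_setpassword` on `ad_dc_no_ntlm` without saying why; if this branch is the cause, a guard or a sentence in the comment is needed. The enclosing method starts and ends outside the hunk.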