diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index cab11d635d2..6bd8262ad04 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -962,6 +962,11 @@ accountExpires: %u
 domain_sid = property(get_domain_sid, set_domain_sid, doc="SID for the domain")
+ def get_connecting_user_sid(self):
+ """Returns the SID of the connected user."""
+ msg = self.search(base="", scope=ldb.SCOPE_BASE, attrs=["tokenGroups"])[0]
+ return str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
+
 def set_invocation_id(self, invocation_id):
 """Set the invocation id for this SamDB handle.
diff --git a/python/samba/tests/samba_tool/user_getpassword_gmsa.py b/python/samba/tests/samba_tool/user_getpassword_gmsa.py
index 95187703f41..967ec9e49c3 100644
--- a/python/samba/tests/samba_tool/user_getpassword_gmsa.py
+++ b/python/samba/tests/samba_tool/user_getpassword_gmsa.py
@@ -69,8 +69,7 @@ class GMSAPasswordTest(BlackboxTestCase):
 cls.base_dn = f"CN=Managed Service Accounts,{cls.samdb.domain_dn()}"
 cls.user_dn = f"CN={cls.username},{cls.base_dn}"
- msg = cls.samdb.search(base="", scope=SCOPE_BASE, attrs=["tokenGroups"])[0]
- connecting_user_sid = str(ndr_unpack(security.dom_sid, msg["tokenGroups"][0]))
+ connecting_user_sid = cls.samdb.get_connecting_user_sid()
 domain_sid = security.dom_sid(cls.samdb.get_domain_sid())
 allow_sddl = f"O:SYD:(A;;RP;;;{connecting_user_sid})"
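Review bot: `get_connecting_user_sid` returns `msg["tokenGroups"][0]` as the user's own SID, which relies on the server listing the user SID first among the rootDSE `tokenGroups` values; LDAP gives no ordering guarantee for multi-valued attributes, and nothing in the hunk states or checks this. The result feeds access-control strings (the user_getpassword_gmsa.py hunk builds `(A;;RP;;;{connecting_user_sid})` from it), so a different first value would grant the right to another principal from the token. The docstring should state the assumption, e.g. `"""Return the first SID in the rootDSE tokenGroups, which is expected to be the connecting user's own SID."""`. A response without `tokenGroups` currently surfaces as a bare `KeyError`, which is worth documenting or turning into a clearer error. The hunk does not show whether `ndr_unpack` and `security` are already imported in samdb.py, so that should be confirmed.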