| author | Rob van der Linde <rob@catalyst.net.nz> | 2023-12-01 16:14:16 +1300 |
|---|---|---|
| committer | Douglas Bagnall <dbagnall@samba.org> | 2023-12-21 02:05:38 +0000 |
| commit | 9557140f1969650192569da2168677195de01933 (patch) | |
| tree | f5e913a8866cac122de8ce2d6ade06156f5c69a3 /python | |
| parent | 23326105cd612d8c1fea1a4d7f1f3c5117d5a674 (diff) | |
netcmd: user: samba-tool support to allow non-windows use of GMSA accounts (show password)
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'python')
| -rw-r--r-- | python/samba/netcmd/user/readpasswords/common.py | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/python/samba/netcmd/user/readpasswords/common.py b/python/samba/netcmd/user/readpasswords/common.py
index e294cafbdf6..d8523fbe804 100644
--- a/python/samba/netcmd/user/readpasswords/common.py
+++ b/python/samba/netcmd/user/readpasswords/common.py
@@ -30,7 +30,7 @@ import ldb
 from samba import credentials, nttime2float
 from samba.auth import system_session
 from samba.common import get_bytes, get_string
-from samba.dcerpc import drsblobs, security
+from samba.dcerpc import drsblobs, security, gmsa
 from samba.ndr import ndr_unpack
 from samba.netcmd import Command, CommandError
 from samba.samdb import SamDB
@@ -323,6 +323,7 @@ class GetPasswordCommand(Command):
 required_attrs = [
 "supplementalCredentials",
 "unicodePwd",
+ "msDS-ManagedPassword",
 ]
 for required_attr in required_attrs:
 a = parse_raw_attr(required_attr, is_hidden=True)
@@ -350,6 +351,8 @@ class GetPasswordCommand(Command):
 raise CommandError("Failed to get password for user '%s': %s" %
 (username or filter, msg))
 obj = res[0]
+ calculated = {}
+
 sc = None
 unicodePwd = None
 if "supplementalCredentials" in obj:
@@ -357,6 +360,15 @@ class GetPasswordCommand(Command):
 sc = ndr_unpack(drsblobs.supplementalCredentialsBlob, sc_blob)
 if "unicodePwd" in obj:
 unicodePwd = obj["unicodePwd"][0]
+ if "msDS-ManagedPassword" in obj:
+ # unpack a GMSA managed password as if we could read the
+ # hidden password attributes.
+ managed_password = obj["msDS-ManagedPassword"][0]
+ unpacked_managed_password = ndr_unpack(gmsa.MANAGEDPASSWORD_BLOB,
+ managed_password)
+ calculated["Primary:CLEARTEXT"] = \
+ unpacked_managed_password.passwords.current
+
 account_name = str(obj["sAMAccountName"][0])
 if "userPrincipalName" in obj:
 account_upn = str(obj["userPrincipalName"][0])
@@ -364,8 +376,6 @@ class GetPasswordCommand(Command):
 realm = samdb.domain_dns_name()
 account_upn = "%s@%s" % (account_name, realm.lower())
 
- calculated = {}
-
 def get_package(name, min_idx=0):
 if name in calculated:
 return calculated[name]
|
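Review bot: The comment on the new `msDS-ManagedPassword` branch in the fourth hunk describes what the code wishes it could do ("as if we could read the hidden password attributes") rather than what it does, which is to pre-populate the `calculated` cache so that the later `get_package("Primary:CLEARTEXT")` lookup in the last hunk (whose body continues outside the diff) returns the gMSA's managed password instead of consulting supplementalCredentials. I would replace the two comment lines with `# Seed the package cache from the constructed msDS-ManagedPassword attribute so that get_package("Primary:CLEARTEXT") returns the gMSA's current managed password.` That comment should also say that only the current password is surfaced, not the previous one carried in the same blob, since a caller checking an account whose password has just rolled will not see the old value. Presumably `passwords.current` has the same representation as a Primary:CLEARTEXT value decoded from supplementalCredentials — worth confirming, because consumers of get_package cannot tell which source a value came from.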
