samba-tool user getpassword: Use UTF16_MUNGED charcnv to map "UTF16" to UTF8
author Andrew Bartlett <abartlet@samba.org>
Tue, 12 Dec 2023 03:38:13 +0000 (16:38 +1300)
committer Douglas Bagnall <dbagnall@samba.org>
Thu, 21 Dec 2023 02:05:38 +0000 (02:05 +0000)
This copes with random invalid UTF-16 as seen with gMSA accounts.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
python/samba/netcmd/user/readpasswords/common.py
python/samba/netcmd/user/readpasswords/getpassword.py

index 8c20de556ea5a9c125f627e40f9a973fa5ec653e..e294cafbdf6a8c64d2afa65f396b34abcbec922d 100644 (file)
@@ -454,14 +454,14 @@ class GetPasswordCommand(Command):
                             username or account_name, e))
 
         def get_utf8(a, b, username):
-            try:
-                u = str(get_bytes(b), 'utf-16-le')
-            except UnicodeDecodeError as e:
-                self.outf.write("WARNING: '%s': CLEARTEXT is invalid UTF-16-LE unable to generate %s\n" % (
-                                username, a))
-                return None
-            u8 = u.encode('utf-8')
-            return u8
+            creds_for_charcnv = credentials.Credentials()
+            creds_for_charcnv.set_anonymous()
+            creds_for_charcnv.set_utf16_password(get_bytes(b))
+
+            # This can't fail due to character conversion issues as it
+            # includes a built-in fallback (UTF16_MUNGED) matching
+            # exactly what we need.
+            return creds_for_charcnv.get_password().encode()
 
         # Extract the WDigest hash for the value specified by i.
         # Builds an htdigest compatible value
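Review bot: the rewritten get_utf8() body no longer uses its `a` and `username` parameters and no longer has a None return path, so the callers that previously checked for None (and any message text that still describes the "invalid UTF-16-LE" warning) can be simplified, or the unused parameters dropped. Two smaller points on the same hunk: the first use of `credentials` in common.py appears here without a matching change to the imports, so please confirm the module is already imported; and while the comment says the conversion "can't fail due to character conversion issues", `creds_for_charcnv.get_password().encode()` would raise AttributeError rather than a readable error if get_password() ever returned None, so a short guard (`pw = creds_for_charcnv.get_password()` followed by a None check before `.encode()`) would keep the failure mode as graceful as the warning it replaces.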
index 9198626a833370d727ae18ff018950b6d65b16f1..dae384347a2e7a419c029c1ddfad9e7e51794776 100644 (file)
@@ -55,10 +55,11 @@ for which virtual attributes are supported in your environment):
                           with '--decrypt-samba-gpg') buffer inside of the
                           supplementalCredentials attribute. This typically
                           contains valid UTF-16-LE, but may contain random
-                          bytes, e.g. for computer accounts.
+                          bytes, e.g. for computer and gMSA accounts.
 
    virtualClearTextUTF8:  As virtualClearTextUTF16, but converted to UTF-8
-                          (only from valid UTF-16-LE).
+                          (invalid UTF-16-LE is mapped in the same way as
+                          Windows).
 
    virtualSSHA:           As virtualClearTextUTF8, but a salted SHA-1
                           checksum, useful for OpenLDAP's '{SSHA}' algorithm.
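Review bot: "invalid UTF-16-LE is mapped in the same way as Windows" leaves the administrator guessing what that mapping is; name the UTF16_MUNGED conversion from the commit subject here and say that the result is deterministic, so it is clear that the derived values such as virtualSSHA, which this text defines in terms of virtualClearTextUTF8, stay stable across runs for computer and gMSA accounts.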