winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()

author Ralph Boehme <slow@samba.org>

Mon, 11 Jan 2021 16:19:05 +0000 (17:19 +0100)

committer Karolin Seeger <kseeger@samba.org>

Mon, 1 Feb 2021 07:50:10 +0000 (07:50 +0000)
author Ralph Boehme <slow@samba.org>
Mon, 11 Jan 2021 16:19:05 +0000 (17:19 +0100)
committer Karolin Seeger <kseeger@samba.org>
Mon, 1 Feb 2021 07:50:10 +0000 (07:50 +0000)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index 732b27842cbcea0a35ee0be8edf4d687282a465e..5e748d3a9d992366df814ed10050749c0f2e7894 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3104,6 +3104,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
                 fstrcpy(domain,lp_workgroup());
         }
  
+       if (!is_allowed_domain(domain)) {
+               DBG_NOTICE("Authentication failed for user [%s] "
+                          "from firewalled domain [%s]\n",
+                          state->request->data.chng_pswd_auth_crap.user,
+                          domain);
+               result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+               goto done;
+       }
+
         if(!*user) {
                 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
         }
author	Ralph Boehme <slow@samba.org>
	Mon, 11 Jan 2021 16:19:05 +0000 (17:19 +0100)
committer	Karolin Seeger <kseeger@samba.org>
	Mon, 1 Feb 2021 07:50:10 +0000 (07:50 +0000)