winbind: check for allowed domains in winbindd_dual_pam_auth()

author Ralph Boehme <slow@samba.org>

Mon, 11 Jan 2021 15:50:31 +0000 (16:50 +0100)

committer Karolin Seeger <kseeger@samba.org>

Mon, 1 Feb 2021 07:50:10 +0000 (07:50 +0000)
author Ralph Boehme <slow@samba.org>
Mon, 11 Jan 2021 15:50:31 +0000 (16:50 +0100)
committer Karolin Seeger <kseeger@samba.org>
Mon, 1 Feb 2021 07:50:10 +0000 (07:50 +0000)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index b5850a33b0f074fea0b1e1abedb33f07870611a6..428fc2398d4fcdcb342b412c34cf0ba140010a8f 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2403,6 +2403,15 @@ process_result:
                         goto done;
                 }
  
+               if (!is_allowed_domain(info3->base.logon_domain.string)) {
+                       DBG_NOTICE("Authentication failed for user [%s] "
+                                  "from firewalled domain [%s]\n",
+                                  info3->base.account_name.string,
+                                  info3->base.logon_domain.string);
+                       result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+                       goto done;
+               }
+
                 result = append_auth_data(state->mem_ctx, state->response,
                                           state->request->flags,
                                           validation_level,
author	Ralph Boehme <slow@samba.org>
	Mon, 11 Jan 2021 15:50:31 +0000 (16:50 +0100)
committer	Karolin Seeger <kseeger@samba.org>
	Mon, 1 Feb 2021 07:50:10 +0000 (07:50 +0000)