s3-winbind: don't try to do clever thing if the username is not found while authentic...
author Matthieu Patou <mat@matws.net>
Mon, 30 Jan 2012 08:05:08 +0000 (00:05 -0800)
committer Matthieu Patou <mat@samba.org>
Mon, 30 Jan 2012 17:58:12 +0000 (18:58 +0100)
This could cause us to authenticate a user with a bogus domain to
winbind's domain if the password supplied for the PAM_AUTH matches.

The problem was reported by Jeff Venable (jvenable@juniper.net).
Patch from Andrew Bartlett (abartlett@samba.org).

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104

source3/winbindd/winbindd_pam.c

index 41f38a421d71d25f5cd97077521c60ef73a3e73f..93034adb84f9ac4e715dca95f2fbf8129fa9c1ad 100644 (file)
@@ -1079,7 +1079,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
                        DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
                                  state->request->data.auth.user, name_domain, name_user, name_domain));
 
-                       contact_domain = find_our_domain();
+                       result =  NT_STATUS_NO_SUCH_USER;
+                       goto done;
                }
        }
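Review bot: The new early exit at `result =  NT_STATUS_NO_SUCH_USER;` / `goto done;` carries no comment saying why the untrusted-domain branch now fails closed instead of assigning `contact_domain = find_our_domain();`. A one-line comment there, noting that falling back to our own domain would let a request naming a bogus domain be checked against our domain's password, would keep someone from reintroducing the fallback later. There is also a double space after `=` in the added assignment. The hunk only touches winbindd_dual_pam_auth_kerberos, and the `done` label is outside the visible context, so two things are worth confirming before merge: that the cleanup at `done` is safe when reached from this point, and whether any other PAM_AUTH path in winbindd_pam.c still has the same fallback to find_our_domain().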