winbind: check for allowed domains in winbindd_pam_auth_pac_verify()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003)

diff --git a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain b/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
deleted file mode 100644 (file)
index e1eedc9..0000000
--- a/selftest/knownfail.d/samba3.blackbox.winbind_ignore_domain
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_ntlm_fqdn\(ad_member_idmap_ad:local\)
-^samba3.blackbox.winbind_ignore_domain.test_winbind_ignore_domains_fail_krb5\(ad_member_idmap_ad:local\)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 28391466153b68bb482a93ebbfb1542cd5a7ce69..c49033b375dfc43ef14fe11968ddca1c333c8f20 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3323,6 +3323,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
                return result;
        }
 
+       if (!is_allowed_domain(info6->base.logon_domain.string)) {
+               DBG_NOTICE("Authentication failed for user [%s] "
+                          "from firewalled domain [%s]\n",
+                          info6->base.account_name.string,
+                          info6->base.logon_domain.string);
+               return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+       }
+
        result = map_info6_to_validation(state->mem_ctx,
                                         info6,
                                         &validation_level,