winbind: check for allowed domains in winbindd_dual_pam_chauthtok()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 477d52da3ed4d5f66997bce817ef84852ec692df..d7cbcffa6b96150db40b8a06e2ad5ab891380996 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2844,6 +2844,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
                goto done;
        }
 
+       if (!is_allowed_domain(domain)) {
+               DBG_NOTICE("Authentication failed for user [%s] "
+                          "from firewalled domain [%s]\n",
+                          user, domain);
+               result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+               goto done;
+       }
+
        /* Change password */
 
        oldpass = state->request->data.chauthtok.oldpass;