winbind: check for allowed domains in winbindd_pam_auth_pac_verify()

author Ralph Boehme <slow@samba.org>

Thu, 14 Jan 2021 09:42:53 +0000 (10:42 +0100)

committer Karolin Seeger <kseeger@samba.org>

Thu, 28 Jan 2021 09:17:15 +0000 (09:17 +0000)
author Ralph Boehme <slow@samba.org>
Thu, 14 Jan 2021 09:42:53 +0000 (10:42 +0100)
committer Karolin Seeger <kseeger@samba.org>
Thu, 28 Jan 2021 09:17:15 +0000 (09:17 +0000)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index d7cbcffa6b96150db40b8a06e2ad5ab891380996..94416498be7689216c82c83d9bc97c64d1c239ab 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3324,6 +3324,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
                 return result;
         }
  
+       if (!is_allowed_domain(info6->base.logon_domain.string)) {
+               DBG_NOTICE("Authentication failed for user [%s] "
+                          "from firewalled domain [%s]\n",
+                          info6->base.account_name.string,
+                          info6->base.logon_domain.string);
+               return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+       }
+
         result = map_info6_to_validation(state->mem_ctx,
                                          info6,
                                          &validation_level,
author	Ralph Boehme <slow@samba.org>
	Thu, 14 Jan 2021 09:42:53 +0000 (10:42 +0100)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 28 Jan 2021 09:17:15 +0000 (09:17 +0000)