CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() logic to is_allowed_domain()

is_allowed_domain() is a central place we already use to
trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so
we can add additional logic there.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
index 630a25875c7b73ba83a34b852a4ba3e83066fde1..876035cbe29c1a7f5e6a3e51b2026832e14c7984 100644 (file)
--- a/source3/lib/util_names.c
+++ b/source3/lib/util_names.c
@@ -200,5 +200,18 @@ bool is_allowed_domain(const char *domain_name)
                }
        }
 
-       return true;
+       if (lp_allow_trusted_domains()) {
+               return true;
+       }
+
+       if (strequal(lp_workgroup(), domain_name)) {
+               return true;
+       }
+
+       if (is_myname(domain_name)) {
+               return true;
+       }
+
+       DBG_NOTICE("Not trusted domain '%s'\n", domain_name);
+       return false;
 }