winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()

author Ralph Boehme <slow@samba.org>

Mon, 11 Jan 2021 16:19:05 +0000 (17:19 +0100)

committer Karolin Seeger <kseeger@samba.org>

Thu, 28 Jan 2021 09:17:15 +0000 (09:17 +0000)
author Ralph Boehme <slow@samba.org>
Mon, 11 Jan 2021 16:19:05 +0000 (17:19 +0100)
committer Karolin Seeger <kseeger@samba.org>
Thu, 28 Jan 2021 09:17:15 +0000 (09:17 +0000)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index 78565d2854f4c994a42739bd988dde874110d357..477d52da3ed4d5f66997bce817ef84852ec692df 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3105,6 +3105,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
                 fstrcpy(domain,lp_workgroup());
         }
  
+       if (!is_allowed_domain(domain)) {
+               DBG_NOTICE("Authentication failed for user [%s] "
+                          "from firewalled domain [%s]\n",
+                          state->request->data.chng_pswd_auth_crap.user,
+                          domain);
+               result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+               goto done;
+       }
+
         if(!*user) {
                 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
         }
author	Ralph Boehme <slow@samba.org>
	Mon, 11 Jan 2021 16:19:05 +0000 (17:19 +0100)
committer	Karolin Seeger <kseeger@samba.org>
	Thu, 28 Jan 2021 09:17:15 +0000 (09:17 +0000)