From: Ralph Boehme Date: Mon, 11 Jan 2021 16:19:05 +0000 (+0100) Subject: winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap() X-Git-Tag: tevent-0.11.0~2020 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bc17600bc50fbc0e54d9d019d8db67001fc3eef;p=thirdparty%2Fsamba.git winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 25ebd82c638..5dcfeb11b99 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -3106,6 +3106,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai fstrcpy(domain,lp_workgroup()); } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + state->request->data.chng_pswd_auth_crap.user, + domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + if(!*user) { fstrcpy(user, state->request->data.chng_pswd_auth_crap.user); }