From: Ralph Boehme
Date: Thu, 14 Jan 2021 09:42:53 +0000 (+0100)
Subject: winbind: check for allowed domains in winbindd_pam_auth_pac_verify()
X-Git-Tag: samba-4.12.12~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7362b5b31cd75ab1f8cdd84fb0a800376d097e2c;p=thirdparty%2Fsamba.git
winbind: check for allowed domains in winbindd_pam_auth_pac_verify()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003)
---
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index d7cbcffa6b9..94416498be7 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3324,6 +3324,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
 return result;
 }
+ if (!is_allowed_domain(info6->base.logon_domain.string)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ info6->base.account_name.string,
+ info6->base.logon_domain.string);
+ return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ }
+
 result = map_info6_to_validation(state->mem_ctx,
 info6,
 &validation_level,
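Review bot: The added check passes `info6->base.logon_domain.string` to `is_allowed_domain()` without testing it for NULL, and the same pointer, together with `info6->base.account_name.string`, is then formatted with `%s` in `DBG_NOTICE`. Whether `is_allowed_domain()` tolerates a NULL name, and whether a verified PAC can reach this point with an empty logon domain, is not visible in this hunk. I would confirm both or fail closed first, e.g. `if (info6->base.logon_domain.string == NULL) { return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; }`. A short comment such as `/* Enforce the allowed-domain policy on the PAC logon domain before building the validation info. */` would also record why the check sits ahead of `map_info6_to_validation()`. The body of `winbindd_pam_auth_pac_verify()` starts and ends outside the hunk, so any cleanup that the early return skips cannot be judged from here.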