From: Ralph Boehme Date: Mon, 11 Jan 2021 16:59:48 +0000 (+0100) Subject: winbind: check for allowed domains in winbindd_dual_pam_chauthtok() X-Git-Tag: tevent-0.11.0~2019 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88e92faace7ec17810903166fa3433aa4842a4e3;p=thirdparty%2Fsamba.git winbind: check for allowed domains in winbindd_dual_pam_chauthtok() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison --- diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 5dcfeb11b99..3375af66821 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2845,6 +2845,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact goto done; } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + user, domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + /* Change password */ oldpass = state->request->data.chauthtok.oldpass;