From: Ralph Boehme
Date: Mon, 11 Jan 2021 16:19:05 +0000 (+0100)
Subject: winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()
X-Git-Tag: samba-4.12.12~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf410814e252886b8bce28289654a237616d8a52;p=thirdparty%2Fsamba.git

winbind: check for allowed domains in winbindd_dual_pam_chng_pswd_auth_crap()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(cherry picked from commit 4bc17600bc50fbc0e54d9d019d8db67001fc3eef)
---

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 78565d2854f..477d52da3ed 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3105,6 +3105,15 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
 fstrcpy(domain,lp_workgroup());
 }
 
+ if (!is_allowed_domain(domain)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ state->request->data.chng_pswd_auth_crap.user,
+ domain);
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto done;
+ }
+
 if(!*user) {
 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
 }
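Review bot: The added `is_allowed_domain(domain)` block has no comment explaining why it sits exactly here, after the `lp_workgroup()` default is applied and before `user` is filled in; that ordering is what lets the policy check see the final domain name. I would add above it `/* Enforce the allowed-domain policy on the resolved domain before it is used; must stay after the workgroup default above. */` so that a later reshuffle does not move the check ahead of the defaulting. The logged user is the raw `state->request->data.chng_pswd_auth_crap.user` field, which is client-supplied. Whether the debug layer neutralises control characters is not visible here, so that is worth confirming for anyone parsing these NOTICE lines. The function starts and ends outside the hunk, so the `done` label and how `domain` was populated earlier cannot be checked from this page.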