From 2a73dfcf27a7407f932112fd978fc84d47d29682 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Mon, 11 Jan 2021 17:10:19 +0100
Subject: [PATCH] winbind: check for allowed domains in winbindd_dual_pam_auth_crap()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme
Reviewed-by: Jeremy Allison
(backported from commit c17bc9c6115e4e92132f3cb912547eac78227938)
[slow@samba.org: removed knownfail entry]
---
 source3/winbindd/winbindd_pam.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 79dc736ca0b..78565d2854f 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2766,6 +2766,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 goto done;
 }
 
+ if (!is_allowed_domain(info3->base.logon_domain.string)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ info3->base.account_name.string,
+ info3->base.logon_domain.string);
+ state->response->data.auth.authoritative = true;
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto done;
+ }
+
 result = append_auth_data(state->mem_ctx, state->response,
 state->request->flags,
 validation_level,
--
2.47.2
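Review bot: Nothing in the added block guards `info3->base.logon_domain.string` or `info3->base.account_name.string` against NULL before they reach `is_allowed_domain()` and the two `%s` arguments of `DBG_NOTICE`. Whether the code that fills `info3` guarantees non-NULL strings is not visible here, since winbindd_dual_pam_auth_crap() starts and ends outside the hunk; if it does not, the deny path should fail closed first, e.g. `if (info3->base.logon_domain.string == NULL) { result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; goto done; }`. The block would also benefit from a comment such as `/* Apply the allowed-domain policy to the logon domain from the validation info before any auth data is appended to the response. */`, which records why the check sits ahead of `append_auth_data()`.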