From 3505998d0a76011f21b8238e1beb9369f709c11d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Mon, 11 Jan 2021 17:59:48 +0100 Subject: [PATCH] winbind: check for allowed domains in winbindd_dual_pam_chauthtok() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme Reviewed-by: Jeremy Allison (cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3) --- source3/winbindd/winbindd_pam.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 477d52da3ed..d7cbcffa6b9 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2844,6 +2844,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact goto done; } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + user, domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + /* Change password */ oldpass = state->request->data.chauthtok.oldpass; -- 2.47.2
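Review bot: In the added `is_allowed_domain(domain)` block, the DBG_NOTICE text says "Authentication failed for user [%s]" even though the function is winbindd_dual_pam_chauthtok(), the password-change path. Someone reading the log cannot tell a refused password change from a refused logon for the same user and domain. Wording such as "Password change refused for user [%s] from firewalled domain [%s]" would keep the two apart. The placement itself looks right: the check sits before `oldpass = state->request->data.chauthtok.oldpass;`, so no password material is read for a disallowed domain, and the result is set to NT_STATUS_AUTHENTICATION_FIREWALL_FAILED before `goto done`. The commit message carries only the subject line and the bug URL. One sentence on why the chauthtok path needs this check would let the cherry-pick stand on its own without the Bugzilla entry.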