From: Matthieu Patou Date: Mon, 30 Jan 2012 08:05:08 +0000 (-0800) Subject: s3-winbind: don't try to do clever thing if the username is not found while authentic... X-Git-Tag: tevent-0.9.15~142 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=56d5cb938651b9c67a8400d1adc61a23889a6a29;p=thirdparty%2Fsamba.git s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind This could cause that we authenticate a user with a bogus domain to winbind's domain if the password supplied for the PAM_AUTH match. The problem was reported by Jeff Venable (jvenable@juniper.net). Patch from Andrew Bartlett (abartlett@samba.org). Autobuild-User: Matthieu Patou Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104 --- diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 41f38a421d7..93034adb84f 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1079,7 +1079,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", state->request->data.auth.user, name_domain, name_user, name_domain)); - contact_domain = find_our_domain(); + result = NT_STATUS_NO_SUCH_USER; + goto done; } }