winbind: check for allowed domains in winbindd_dual_pam_auth()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 4cefdf03fec91cdcf700922b1a5ceca02407e259)
author: Ralph Boehme <slow@samba.org> 2021-01-11 16:50:31 +0100
committer: Karolin Seeger <kseeger@samba.org> 2021-01-28 09:17:15 +0000
commit: 56d9705ca7618856e735447c4a54b256fdbbf5b5 (patch)
tree: ddab59ad32e647d6b79ee5afcc22b26a75759288
parent: f3c47cdc1d3fe5a03879bec7f2892a393e3b0211 (diff)
download: samba-56d9705ca7618856e735447c4a54b256fdbbf5b5.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a3d8716f781..79dc736ca0b 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2404,6 +2404,15 @@ process_result:
 			goto done;
 		}
 
+		if (!is_allowed_domain(info3->base.logon_domain.string)) {
+			DBG_NOTICE("Authentication failed for user [%s] "
+				   "from firewalled domain [%s]\n",
+				   info3->base.account_name.string,
+				   info3->base.logon_domain.string);
+			result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+			goto done;
+		}
+
 		result = append_auth_data(state->mem_ctx, state->response,
 					  state->request->flags,
 					  validation_level,
author	Ralph Boehme <slow@samba.org>	2021-01-11 16:50:31 +0100
committer	Karolin Seeger <kseeger@samba.org>	2021-01-28 09:17:15 +0000
commit	56d9705ca7618856e735447c4a54b256fdbbf5b5 (patch)
tree	ddab59ad32e647d6b79ee5afcc22b26a75759288
parent	f3c47cdc1d3fe5a03879bec7f2892a393e3b0211 (diff)
download	samba-56d9705ca7618856e735447c4a54b256fdbbf5b5.tar.gz