diff options
author | Ralph Boehme <slow@samba.org> | 2021-01-11 17:59:48 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2021-02-01 07:50:10 +0000 |
commit | f0225b0adcbd54bd81684ba7799a4a12c41dc1e7 (patch) | |
tree | 6b6d30b6d5a311ce02e3c8f0fcee02cad768a977 | |
parent | 888e1d67229bee948c7ef17bdbde517db211e8a6 (diff) | |
download | samba-f0225b0adcbd54bd81684ba7799a4a12c41dc1e7.tar.gz |
winbind: check for allowed domains in winbindd_dual_pam_chauthtok()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3)
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 5e748d3a9d9..28391466153 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2843,6 +2843,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact goto done; } + if (!is_allowed_domain(domain)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + user, domain); + result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + goto done; + } + /* Change password */ oldpass = state->request->data.chauthtok.oldpass; |