authorRalph Boehme <slow@samba.org>2021-01-11 17:59:48 +0100
committerKarolin Seeger <kseeger@samba.org>2021-02-01 07:50:10 +0000
commitf0225b0adcbd54bd81684ba7799a4a12c41dc1e7 (patch)
tree6b6d30b6d5a311ce02e3c8f0fcee02cad768a977
parent888e1d67229bee948c7ef17bdbde517db211e8a6 (diff)
downloadsamba-f0225b0adcbd54bd81684ba7799a4a12c41dc1e7.tar.gz
winbind: check for allowed domains in winbindd_dual_pam_chauthtok()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 88e92faace7ec17810903166fa3433aa4842a4e3)
-rw-r--r--source3/winbindd/winbindd_pam.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5e748d3a9d9..28391466153 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2843,6 +2843,14 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
goto done;
}
+ if (!is_allowed_domain(domain)) {
+ DBG_NOTICE("Authentication failed for user [%s] "
+ "from firewalled domain [%s]\n",
+ user, domain);
+ result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+ goto done;
+ }
+
/* Change password */
oldpass = state->request->data.chauthtok.oldpass;
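Review bot: The notice logged in the new `is_allowed_domain()` branch reads "Authentication failed" although this path handles a password change, so anyone triaging winbindd logs cannot tell a refused chauthtok request from a refused logon if the logon paths use similar wording (they are not visible in this hunk). Naming the operation would make the event unambiguous, for example `DBG_NOTICE("Password change refused for user [%s] from firewalled domain [%s]\n", user, domain);`. A short comment above the check, such as `/* Reject domains not permitted by policy before the passwords are read. */`, would also record why it sits ahead of the "Change password" step. The body of winbindd_dual_pam_chauthtok() starts and ends outside this hunk, so how `user` and `domain` are derived is inferred from the two context lines only.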