winbind: check for allowed domains in winbindd_pam_auth_pac_verify()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003)
author: Ralph Boehme <slow@samba.org> 2021-01-14 10:42:53 +0100
committer: Karolin Seeger <kseeger@samba.org> 2021-01-27 16:00:06 +0000
commit: 77f07ddb8ee1e5134bc873262165bf693dd01aaf (patch)
tree: b3c5c9da2e2d374af02e957a44d0cd9dc9c8a4c9 /source3
parent: 9b717968bd75d04800cbd39d680962d6ddf9c01f (diff)
download: samba-77f07ddb8ee1e5134bc873262165bf693dd01aaf.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3375af66821..f27802ee065 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -3325,6 +3325,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
 		return result;
 	}
 
+	if (!is_allowed_domain(info6->base.logon_domain.string)) {
+		DBG_NOTICE("Authentication failed for user [%s] "
+			   "from firewalled domain [%s]\n",
+			   info6->base.account_name.string,
+			   info6->base.logon_domain.string);
+		return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+	}
+
 	result = map_info6_to_validation(state->mem_ctx,
 					 info6,
 					 &validation_level,
author	Ralph Boehme <slow@samba.org>	2021-01-14 10:42:53 +0100
committer	Karolin Seeger <kseeger@samba.org>	2021-01-27 16:00:06 +0000
commit	77f07ddb8ee1e5134bc873262165bf693dd01aaf (patch)
tree	b3c5c9da2e2d374af02e957a44d0cd9dc9c8a4c9 /source3
parent	9b717968bd75d04800cbd39d680962d6ddf9c01f (diff)
download	samba-77f07ddb8ee1e5134bc873262165bf693dd01aaf.tar.gz