diff options
author | Ralph Boehme <slow@samba.org> | 2021-01-14 10:42:53 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2021-01-27 16:00:06 +0000 |
commit | 77f07ddb8ee1e5134bc873262165bf693dd01aaf (patch) | |
tree | b3c5c9da2e2d374af02e957a44d0cd9dc9c8a4c9 /source3 | |
parent | 9b717968bd75d04800cbd39d680962d6ddf9c01f (diff) | |
download | samba-77f07ddb8ee1e5134bc873262165bf693dd01aaf.tar.gz |
winbind: check for allowed domains in winbindd_pam_auth_pac_verify()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit da474ddd13d84f07f5da81c843e651844f33a003)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 3375af66821..f27802ee065 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -3325,6 +3325,14 @@ NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state, return result; } + if (!is_allowed_domain(info6->base.logon_domain.string)) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + info6->base.account_name.string, + info6->base.logon_domain.string); + return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; + } + result = map_info6_to_validation(state->mem_ctx, info6, &validation_level, |