winbind: check for allowed domains in winbindd_dual_pam_auth()
authorRalph Boehme <slow@samba.org>
Mon, 11 Jan 2021 15:50:31 +0000 (16:50 +0100)
committerKarolin Seeger <kseeger@samba.org>
Thu, 28 Jan 2021 09:17:15 +0000 (09:17 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14602

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 4cefdf03fec91cdcf700922b1a5ceca02407e259)

source3/winbindd/winbindd_pam.c

index a3d8716f781df341f6702872b597f49252f1109d..79dc736ca0b045a279af90ca2ca17e7a2ff5eb12 100644 (file)
@@ -2404,6 +2404,15 @@ process_result:
                        goto done;
                }
 
+               if (!is_allowed_domain(info3->base.logon_domain.string)) {
+                       DBG_NOTICE("Authentication failed for user [%s] "
+                                  "from firewalled domain [%s]\n",
+                                  info3->base.account_name.string,
+                                  info3->base.logon_domain.string);
+                       result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+                       goto done;
+               }
+
                result = append_auth_data(state->mem_ctx, state->response,
                                          state->request->flags,
                                          validation_level,
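Review bot: The new guard at `is_allowed_domain(info3->base.logon_domain.string)` passes the domain string from `info3` to the policy check and to the `%s` arguments of `DBG_NOTICE` without a NULL test, and the hunk does not show whether that field is guaranteed to be set here. If it can be NULL, the check should fail closed, e.g. `if (info3->base.logon_domain.string == NULL || !is_allowed_domain(info3->base.logon_domain.string)) {`, with the log arguments guarded to match. Because this branch sits under `process_result`, apparently after the credentials were already validated, the log line would be easier to triage if it said the logon was rejected by the allowed-domains policy rather than "Authentication failed". A short comment such as `/* Enforce the allowed-domain policy on the domain reported in info3 before any auth data is appended to the response. */` would record why the check is placed at this point. The enclosing function starts and ends outside the hunk.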