From 06b77c75a67f6478f1956c597d37dc495061b232 Mon Sep 17 00:00:00 2001 From: Matthieu Patou Date: Mon, 30 Jan 2012 00:05:08 -0800 Subject: [PATCH] s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind This could cause that we authenticate a user with a bogus domain to winbind's domain if the password supplied for the PAM_AUTH match. The problem was reported by Jeff Venable (jvenable@juniper.net). Patch from Andrew Bartlett (abartlett@samba.org). Autobuild-User: Matthieu Patou Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104 (cherry picked from commit 56d5cb938651b9c67a8400d1adc61a23889a6a29) --- source3/winbindd/winbindd_pam.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index bde16b1..79189ba 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1078,7 +1078,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", state->request->data.auth.user, name_domain, name_user, name_domain)); - contact_domain = find_our_domain(); + result = NT_STATUS_NO_SUCH_USER; + goto done; } } -- 1.7.7.3