From 56d5cb938651b9c67a8400d1adc61a23889a6a29 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@matws.net>
Date: Mon, 30 Jan 2012 00:05:08 -0800
Subject: s3-winbind: don't try to do clever thing if the username is not found
 while authenticating through winbind

This could cause that we authenticate a user with a bogus domain to
winbind's domain if the password supplied for the PAM_AUTH match.

The problem was reported by Jeff Venable (jvenable@juniper.net).
Patch from Andrew Bartlett (abartlett@samba.org).

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104
---
 source3/winbindd/winbindd_pam.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'source3')

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 41f38a421d..93034adb84 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1079,7 +1079,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 			DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
 				  state->request->data.auth.user, name_domain, name_user, name_domain));
 
-			contact_domain = find_our_domain();
+			result =  NT_STATUS_NO_SUCH_USER;
+			goto done;
 		}
 	}
 
-- 
cgit