mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

group_audit: error handling in group change

Generate an appropriate log message in the event of an error in
log_group_membership_changes.  As the changes have not been applied to
the database, there is no easy way to determine the intended changes.
This information is available in the "dsdbChange" audit messages, so to
avoid replicating this logic for what should be a very rare occurrence
we simply log it as a "Failure".

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jan 19 22:32:05 CET 2019 on sn-devel-144
Gary Lockyer 2019-01-08 14:24:06 +13:00 committed by Andrew Bartlett
parent 942567afda
commit 60aa7b3634
2 changed files with 25 additions and 8 deletions


@ -1,2 +0,0 @@
^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_read_new_failure\(none\)
^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_error\(none\)


@ -1012,14 +1012,33 @@ static void log_group_membership_changes(
new_val = ldb_msg_find_element(res->msgs[0], "member");
group_type = ldb_msg_find_attr_as_uint(
res->msgs[0], "groupType", 0);
log_membership_changes(acc->module,
acc->request,
new_val,
acc->members,
group_type,
status);
TALLOC_FREE(ctx);
return;
}
}
log_membership_changes(acc->module,
acc->request,
new_val,
acc->members,
group_type,
status);
/*
* If we get here either
* one of the lower level modules failed and the group record did
* not get updated
* or
* the updated group record could not be read.
*
* In both cases it does not make sense to log individual membership
* changes so we log a group membership change "Failure" message.
*
*/
log_membership_change(acc->module,
acc->request,
"Failure",
"",
EVT_ID_NONE,
status);
TALLOC_FREE(ctx);
}
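Review bot: The fall-through `log_membership_change(..., "Failure", "", EVT_ID_NONE, status)` call passes the group update's `status` for both cases the new comment lists, so when the update succeeded and only the read-back of the group record failed, the audit record would presumably pair "Failure" with a success status while the read error held in `ret` is never reported. The start of log_group_membership_changes, including the condition that guards the read and the declaration of `ret`, is outside the hunk, so this is inferred from the comment and the early-return branch. Consider reporting the read error as well, or at least extending the comment with `* Note: for a failed read-back, status is the result of the group update, not of the read.` so that someone triaging audit logs does not conclude the membership change was not applied.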