group_audit: error handling in group change
authorGary Lockyer <gary@catalyst.net.nz>
Tue, 8 Jan 2019 01:24:06 +0000 (14:24 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 19 Jan 2019 21:32:05 +0000 (22:32 +0100)
Generate an appropriate log message in the event of an error in
log_group_membership_changes.  As the changes have not been applied to
the database, there is no easy way to determine the intended changes.
This information is available in the "dsdbChange" audit messages, to
avoid replicating this logic for what should be a very rare occurrence
we simply log it as a "Failure"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jan 19 22:32:05 CET 2019 on sn-devel-144

selftest/knownfail.d/group_audit [deleted file]
source4/dsdb/samdb/ldb_modules/group_audit.c

diff --git a/selftest/knownfail.d/group_audit b/selftest/knownfail.d/group_audit
deleted file mode 100644 (file)
index 4f5855f..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_read_new_failure\(none\)
-^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_error\(none\)
index 4356046f67514bbb97fc2fdb32a5a3b5bd9ee0a1..dd991bfbb0707de83244cd4299c982b19c97c0c5 100644 (file)
@@ -1012,14 +1012,33 @@ static void log_group_membership_changes(
                        new_val = ldb_msg_find_element(res->msgs[0], "member");
                        group_type = ldb_msg_find_attr_as_uint(
                            res->msgs[0], "groupType", 0);
+                       log_membership_changes(acc->module,
+                                              acc->request,
+                                              new_val,
+                                              acc->members,
+                                              group_type,
+                                              status);
+                       TALLOC_FREE(ctx);
+                       return;
                }
        }
-       log_membership_changes(acc->module,
-                              acc->request,
-                              new_val,
-                              acc->members,
-                              group_type,
-                              status);
+       /*
+        * If we get here either
+        *   one of the lower level modules failed and the group record did
+        *   not get updated
+        * or
+        *   the updated group record could not be read.
+        *
+        * In both cases it does not make sense to log individual membership
+        * changes so we log a group membership change "Failure" message.
+        *
+        */
+       log_membership_change(acc->module,
+                             acc->request,
+                             "Failure",
+                             "",
+                             EVT_ID_NONE,
+                             status);
        TALLOC_FREE(ctx);
 }
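Review bot: The "Failure" audit message at the end of the hunk passes `status` unchanged, yet the comment above it names two ways of arriving here, and only the first (a lower-level module failing) necessarily leaves `status` as an error; if the "updated group record could not be read" path reaches this point with the status the lower modules returned, the audit record could carry a success code next to the word "Failure", which a log consumer cannot disambiguate. If that is the case, consider logging a distinct code on the read-failure path (ldb's `LDB_ERR_OPERATIONS_ERROR` would fit) or at least stating in the comment which value `status` holds in each case. Since the commit message explains that the intended members are still recorded elsewhere, the comment block would also help a reader correlating events if it added ` * The intended membership is recorded in the "dsdbChange" audit message for this request.`. The enclosing function log_group_membership_changes starts before this hunk, so the condition guarding the success branch and where `status` is set are not visible here.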