Generate an appropriate log message in the event of an error
log_group_membership_changes. As the changes have not been applied to
the database, there is no easy way to determine the intended changes.
This information is available in the "dsdbChange" audit messages. To
avoid replicating this logic for what should be a very rare occurrence,
we simply log it as a "Failure".
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jan 19 22:32:05 CET 2019 on sn-devel-144
+++ /dev/null
-^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_read_new_failure\(none\)
-^samba4.dsdb.samdb.ldb_modules.group_audit.test_log_group_membership_changes_error\(none\)
new_val = ldb_msg_find_element(res->msgs[0], "member");
group_type = ldb_msg_find_attr_as_uint(
res->msgs[0], "groupType", 0);
new_val = ldb_msg_find_element(res->msgs[0], "member");
group_type = ldb_msg_find_attr_as_uint(
res->msgs[0], "groupType", 0);
+ log_membership_changes(acc->module,
+ acc->request,
+ new_val,
+ acc->members,
+ group_type,
+ status);
+ TALLOC_FREE(ctx);
+ return;
- log_membership_changes(acc->module,
- acc->request,
- new_val,
- acc->members,
- group_type,
- status);
+ /*
+ * If we get here either
+ * one of the lower level modules failed and the group record did
+ * not get updated
+ * or
+ * the updated group record could not be read.
+ *
+ * In both cases it does not make sense to log individual membership
+ * changes so we log a group membership change "Failure" message.
+ *
+ */
+ log_membership_change(acc->module,
+ acc->request,
+ "Failure",
+ "",
+ EVT_ID_NONE,
+ status);
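Review bot: the fall-through path at the end of this hunk logs "Failure" with the same `status` for both cases named in the comment, so check that `status` holds a non-success code when the modify went through but the updated group record could not be read. Otherwise the audit record pairs "Failure" with a success status, and a log consumer cannot tell an applied change from a rejected one. The comment should also say, as the commit message does, that the intended changes are in the "dsdbChange" audit messages, since this record carries only an empty string as its fourth argument and `EVT_ID_NONE`. The success branch now ends with `TALLOC_FREE(ctx); return;`, so confirm `ctx` is also freed after the `log_membership_change(...)` call on this path; that is not visible in the lines shown.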