author | Andrew Bartlett <abartlet@samba.org> | 2021-04-15 14:44:22 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2021-05-03 07:17:09 +0000 |
commit | 54ef0e6d6bb99303562c67c23de50067b8a5a6b2 (patch) | |
tree | b0bd0f704f5cfde17d2432139d3214d041b483c1 /docs-xml | |
parent | 990997cae28dc427eeb4d5235ba6b093a4015de0 (diff) | |
download | samba-54ef0e6d6bb99303562c67c23de50067b8a5a6b2.tar.gz |
docs: Add proper explanation on why transactions need to be audited.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3)
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/smbdotconf/logging/loglevel.xml | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index 9bf8659cb92..6480c575060 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml +++ b/docs-xml/smbdotconf/logging/loglevel.xml @@ -97,11 +97,24 @@ <para>Transaction rollbacks and prepare commit failures are logged under the dsdb_transaction_audit and a JSON representation is logged under the - password_json_audit. Logging the transaction details allows the - identification of password and sam.ldb operations that have been rolled - back.</para> + dsdb_transaction_json_audit. </para> + <para>Transaction roll-backs are possible in Samba, and whilst + they rarely reflect anything more than the failure of an + individual operation (say due to the add of a conflicting record), + they are possible. Audit logs are already generated and sent to + the system logs before the transaction is complete. Logging the + transaction details allows the identification of password and + <command moreinfo="none">sam.ldb</command> operations that have + been rolled back, and so have not actually persisted.</para> + <warning><para> Changes to <command + moreinfo="none">sam.ldb</command> made locally by the <command + moreinfo="none">root</command> user with direct access to the + database are not logged to the system logs, but to the + administrator's own console. While less than ideal, any user able + to make such modifications could disable the audit logging in any + case. </para></warning> </description> <value type="default">0</value> <value type="example">3 passdb:5 auth:10 winbind:2</value> |
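Review bot: The first changed line replaces password_json_audit with dsdb_transaction_json_audit as the class that carries the JSON transaction records, but the commit message only mentions the added explanation. Please note the corrected class name in the message, so that anyone who set their log level from the old text knows to check it. In the first added para, "Transaction roll-backs are possible in Samba, and whilst they rarely reflect anything more ... they are possible" says the same thing twice; ending the sentence after the parenthesis reads better. The new text writes "roll-backs" while the unchanged sentence above it writes "rollbacks"; pick one spelling. sam.ldb is a file and root is a user name, so command markup is a loose fit for both; filename would suit sam.ldb. There is also a stray space before the closing tag in "dsdb_transaction_json_audit. </para>" and in "case. </para></warning>".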