summaryrefslogtreecommitdiff
path: root/docs-xml
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2021-04-15 14:44:22 +1200
committerKarolin Seeger <kseeger@samba.org>2021-05-03 07:17:09 +0000
commit54ef0e6d6bb99303562c67c23de50067b8a5a6b2 (patch)
treeb0bd0f704f5cfde17d2432139d3214d041b483c1 /docs-xml
parent990997cae28dc427eeb4d5235ba6b093a4015de0 (diff)
downloadsamba-54ef0e6d6bb99303562c67c23de50067b8a5a6b2.tar.gz
docs: Add proper explination on why transactions need to be audited.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3)
Diffstat (limited to 'docs-xml')
-rw-r--r--docs-xml/smbdotconf/logging/loglevel.xml19
1 files changed, 16 insertions, 3 deletions
diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml
index 9bf8659cb92..6480c575060 100644
--- a/docs-xml/smbdotconf/logging/loglevel.xml
+++ b/docs-xml/smbdotconf/logging/loglevel.xml
@@ -97,11 +97,24 @@
<para>Transaction rollbacks and prepare commit failures are logged under
the dsdb_transaction_audit and a JSON representation is logged under the
- password_json_audit. Logging the transaction details allows the
- identification of password and sam.ldb operations that have been rolled
- back.</para>
+ dsdb_transaction_json_audit. </para>
+ <para>Transaction roll-backs are possible in Samba, and whilst
+ they rarely reflect anything more than the failure of an
+ individual operation (say due to the add of a conflicting record),
+ they are possible. Audit logs are already generated and sent to
+ the system logs before the transaction is complete. Logging the
+ transaction details allows the identification of password and
+ <command moreinfo="none">sam.ldb</command> operations that have
+ been rolled back, and so have not actually persisted.</para>
+ <warning><para> Changes to <command
+ moreinfo="none">sam.ldb</command> made locally by the <command
+ moreinfo="none">root</command> user with direct access to the
+ database are not logged to the system logs, but to the
+ administrator's own console. While less than ideal, any user able
+ to make such modifications could disable the audit logging in any
+ case. </para></warning>
</description>
<value type="default">0</value>
<value type="example">3 passdb:5 auth:10 winbind:2</value>