Problem: Unexpected Permissions on Samba Share

TLDR:

  • Identify Duplicate Config: Used testparm -sv to reveal duplicate share configurations (“ShareA” & “ShareA.20240628”).
  • Locate Files: Found configuration files in /etc/samba/shares.conf.d.
  • Remove Old Config: Moved the older configuration file (“ShareA.20240628”) out of /etc/samba/shares.conf.d.
  • Remove Include Line: Deleted the corresponding include line from /etc/samba/shares.conf.
  • Restart Samba: Restarted the Samba service.
  • Verify: Confirmed correct configuration with testparm -sv.

Problem:
After the network recycle bin feature was configured for a Samba share and the necessary Samba attributes were applied, the Samba service was restarted to activate the changes. Shortly afterwards, users reported unexpectedly gaining access (rwx) to areas within the share they should not have access to.

Solution:
An investigation using testparm -sv revealed that the affected share, “ShareA”, carried the attribute “force group = Domain Admins”. In addition, both “ShareA” and “ShareA.20240628” appeared in the include lines. Shares are included via the /etc/samba/shares.conf file, which is generated by the listener module. “ShareA” and “ShareA.20240628” each had a configuration file under /etc/samba/shares.conf.d, and both pointed to the same directory: /var/daten/shareadata. This indicated a duplicate, overlapping configuration for the same directory. The listener module detected both configuration files and included them in /etc/samba/shares.conf.

After moving the (older) configuration file “ShareA.20240628” out of the /etc/samba/shares.conf.d directory, removing the line “include = /etc/samba/shares.conf.d/ShareA.20240628” from the /etc/samba/shares.conf file, and restarting the Samba service, testparm -sv showed the share “ShareA” with the intended configuration parameters (without the “force group = Domain Admins” attribute).

Root Cause:
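The issue stemmed from having multiple, overlapping configuration files for the same shared directory. The listener module included both files in the final /etc/samba/shares.conf, so the combined configuration applied the “force group = Domain Admins” setting unintentionally. With force group set, Samba treats every user connecting to the share as having that group as their primary group, so files and directories accessible to Domain Admins became accessible to all users of the share.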
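
The check below is an added example, not part of the original post or of the listener module: it scans the share configuration directory for share definitions that export the same path and prints each one with its force group value, so a leftover file such as “ShareA.20240628” is caught before the service is restarted. It assumes the files under /etc/samba/shares.conf.d use plain smb.conf syntax; the function names and the SHARES_DIR variable are hypothetical.

```shell
#!/bin/sh
# Added example: report share definitions that export the same directory.
SHARES_DIR=${SHARES_DIR:-/etc/samba/shares.conf.d}   # directory named in the post

# list_shares DIR: one line per share -> path, file, share, force group (tab separated)
list_shares() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function emit() {
                if (share != "" && path != "")
                    printf "%s\t%s\t%s\t%s\n", path, file, share, (fg == "" ? "-" : fg)
            }
            /^[ \t]*[#;]/ { next }                  # skip comment lines
            /^[ \t]*\[.*\][ \t]*$/ {                # [share] header starts a new section
                emit()
                share = $0
                sub(/^[ \t]*\[/, "", share); sub(/\][ \t]*$/, "", share)
                path = ""; fg = ""
                next
            }
            /=/ {
                key = $0; sub(/[ \t]*=.*$/, "", key)
                gsub(/[ \t]/, "", key); key = tolower(key)   # Samba ignores case and blanks in names
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                if (key == "path" || key == "directory") {   # "directory" is a synonym for "path"
                    path = val
                    if (length(path) > 1) sub(/\/+$/, "", path)
                }
                if (key == "forcegroup" || key == "group") fg = val   # "group" is a synonym
            }
            END { emit() }
        ' "$f"
    done
}

# overlapping_shares DIR: keep only shares whose path is defined more than once
overlapping_shares() {
    list_shares "$1" | LC_ALL=C sort | awk -F '\t' '
        { count[$1]++; line[NR] = $0; key[NR] = $1 }
        END { for (i = 1; i <= NR; i++) if (count[key[i]] > 1) print line[i] }'
}

if [ -d "$SHARES_DIR" ]; then
    overlapping_shares "$SHARES_DIR"
fi
```

Empty output means no two files in the directory export the same path; any line whose last column is not "-" deserves a second look before the service is restarted.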
