Samba user quota implementation question
krishna.harathi at storagecraft.com
Thu May 28 19:50:59 UTC 2020
Thanks to all for responses, all your comments are very useful.
Rowland - I cleaned up smb.conf as you suggested, but it resulted in no change or improvement. I also have "winbind enum users = yes" and "winbind enum groups = yes" as pointed out by Andrew, those were disabled to avoid the problem Uri brought up. BTW, "Public" and "TestQ" shares are not NFS exports and the main focus for setting user quota is on the non-public "TestQ" share.
Uri - thanks for providing insight and confirming what I was inferring as how quota enumeration was implemented. Even if I get the enumeration to work including AD Domain, I can see that it will end up in the scalability problem.
As a first-cut workable implementation, I am leaning towards making appropriate local user uid and group gid entries in the local files with a successful set quota,
containing the scalability problem for now and avoiding adding/changing Samba implementation. I have to think a bit more on the implication of adding those entries, especially on the life-cycle and cleanup.
Any further comments on this are much appreciated as always.
On 5/28/20, 1:16 AM, "Uri Simchoni" <uri at samba.org> wrote:
On 5/27/20 10:42 PM, Krishna Harathi via samba-technical wrote:
> Our OneXafe FS supports share/fs level quota using smb.conf “set quota command” and “get quota command”.
> We are currently extending support to user-level quotas using the same interface, when Samba smbd is an AD DC member.
> Setting user quota from a windows client is working as expected. But once quota is set, none of the users are listed in the quota’s pop-up window, so cannot delete or modify quota properties. Moreover, creating a new quota entry for the same user is generating a “quota entry already exists for this user” error.
> By tracing get/set requests to our file server, I see that our FS server is receiving a get request from Samba for every user entry in the local password file, but none for the UID of the DC member user. But I do see a default quota get request for the group GID.
> The problem seems to be that the get/set command interface does not obviously support a “list” user quota api to the hosting FS.
> Questions on this – We can post and manage user entry (host-local uid/gid) corresponding to the DC user sid/gid whenever a “set user quota” is received. I did verify that when an entry is made manually, windows user quota workflow behaves as expected. Is the problem assumption correct and is this a way to implement? Is there a better way, given the constraints?
> We are using Samba 4.7.11 patched with https://bugzilla.samba.org/show_bug.cgi?id=13553#c17 fix for 4.7.
> Any help on this issue is much appreciated in advance.
> Krishna Harathi
I believe Samba's quota implementation is lacking in that regard. I
guess none has ever taken the time to implement it properly, and the
current implementation of enumerating quota entries is at POC state
(meaning that it understands the SMB protocol but the backend is not
The correct way to enumerate quota settings on <something> (be it a
disk, a share, a folder, ...) is to look at the <something> and see what
quota settings are there. Typically we won't find many quota settings -
maybe one per group, at most one per user which actually using the
Samba on the other hand, tries to enumerate all users, and check for
each user whether there are quota setting for it. This approach doesn't
scale well in an AD domain which has many more users than users of the
<something> in question. If it was up to me, we'd remove the ability of
winbindd to enumerate all domain users (we actually tried that once but
got a backlash and reverted the change).
So what I'd do is come up with a new VFS API call to enumerate quota
entries, have the default implementation extend the
sys_get_quota()/sys_set_quota() functions with a sys_list_quotas() or
something similar, and then write a VFS module for my custom file system
(or a VFS module that calls a script if I was worried about GPL).
I hope that helps,
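Added example, not part of the original thread and not Samba code: a small C model of the two enumeration strategies discussed above, showing that probing each locally known UID misses a quota stored for an AD-mapped UID and costs one backend request per user, while a list call returns exactly what the file system stores. The struct, the function names (`get_quota`, `enumerate_by_probe`, `list_quotas`) and all UIDs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical backend quota record; not a Samba structure. */
struct quota_entry { uint32_t uid; uint64_t hard_limit_blocks; };

/* Constructed sample: quotas stored by the file system. UID 1105001 stands
 * for an AD user mapped by winbind that has no local passwd entry. */
static const struct quota_entry fs_quotas[] = { {1001, 500000}, {1105001, 2000000} };
#define N_QUOTAS (sizeof(fs_quotas) / sizeof(fs_quotas[0]))

/* Constructed sample: UIDs found by walking the local password file. */
static const uint32_t local_uids[] = { 0, 1, 2, 1000, 1001, 1002 };
#define N_LOCAL (sizeof(local_uids) / sizeof(local_uids[0]))

static size_t backend_calls; /* requests sent to the file system */

/* Per-ID lookup, the shape of the existing get-quota interface. */
static const struct quota_entry *get_quota(uint32_t uid)
{
    backend_calls++;
    for (size_t i = 0; i < N_QUOTAS; i++)
        if (fs_quotas[i].uid == uid)
            return &fs_quotas[i];
    return NULL;
}

/* Enumerate by probing every known user, as described in the thread. */
size_t enumerate_by_probe(uint32_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < N_LOCAL && n < max; i++)
        if (get_quota(local_uids[i]) != NULL)
            out[n++] = local_uids[i];
    return n;
}

/* Hypothetical list call: one request, the backend reports what it stores. */
size_t list_quotas(uint32_t *out, size_t max)
{
    size_t n = 0;
    backend_calls++;
    for (size_t i = 0; i < N_QUOTAS && n < max; i++)
        out[n++] = fs_quotas[i].uid;
    return n;
}
```

With this sample data the probe finds one entry after six requests, and the list call finds both entries in one request.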