[Samba] settings ACLs is slooooow

Linda W samba at tlinx.org
Tue May 20 12:49:57 MDT 2014

Klaus Hartnegg wrote:
> Hi,
> I need to set ACLs on a samba server, and are using icacls in Win7.
> It takes several hours to edit an ACL with inheritance, affecting a 
> directory tree with 300,000 files. Server cpu > 70%, client cpu < 20%.
> Is there a way how I can speed this up?
> Using "setfattr -R" in Linux does it in approximately 2 minutes, but I 
> want real Windows ACLs. 
        I have a similar setup and similar performance.  One of the things
that is hitting this situation is that Windows is having to change the
ACL's on each file.  Samba, on the server, is only running at about 45%
usage -- so it seems most of the time is spent waiting for Windows to
issue the commands.

        The only way to make this faster is to eliminate the "per-item" cost
for each round-trip.  I.e. It would seem that a server based util to set
all the items would be necessary.

        The question then becomes what are the differences between what
setfattr does and "real Windows ACLs".  I'm not sure that the latter is
possible if the real acl's on the server are POSIX (or, possibly more
problematic, "solaris") ACL's.

        Some issues that would seem to need addressing: symbolic links for
ACL's so files could point to some parent object for their ACL -- an issue
that I think needs supporting apart from Samba support (i.e. who wants
300K copies of the same ACL, 1 on each file, if 1 will do?)  and the issue
of allowing "group" ownership.

        Group ownership is a real problem on *nix, since many apps
restrict/disallow group ownership as part of their function (ex: ssh,
sendmail).  At the very least, requiring those utils to stop dictating
system security policy would be needed -- for example, I can set "root's"
home dir to be owned by group ADMIN, but that will disable 'ssh'
functionality for root -- not desirable.

        It seems the best "stop-gap" measure might be a util that runs 
on the
server that could allow mass setting of ACL's on a group of files.  But
that will incur 300K copies of an ACL that need to be stored in your case,
though given that it "only" takes 2 minutes to set on linux, that might
not be a deal breaker.

        How would you see samba supporting such features?  I just threw out
some ideas off the top of my head -- since, as  I stated at the beginning,
I have noted similar problems.

More information about the samba mailing list