[Samba] Changing Windows permissions runs very slow

Andrew Bartlett abartlet at samba.org
Tue Mar 13 06:12:46 UTC 2018

On Tue, 2018-03-13 at 00:27 -0400, Ken McDonald via samba wrote:
> Is it normal for changing of Windows ACL permissions to run very slow? 
> I've tried running perm changes across a lot of files (like 1TB) in user 
> directories by interactive session from a domain-connected Windows 
> desktop AND from the command line on the Samba server itself like this
> find install -type f -exec samba-tool ntacl set 
> "O:LAG:S-1-22-2-0D:AI(A;ID;0x001f01ff;;;S-1-5-21-1719490861-3494379899-4222726569-1105)(A;ID;0x001200a9;;;S-1-5-21-1719490861-3494379899-4222726569-1106)(A;ID;0x001200a9;;;DU)(A;ID;0x001f01ff;;;DA)" 
> {} \;

The implementation of samba-tool ntacl is known to be quite
inefficient.  There are a lot of repeated calls to winbind and even in
the 'sysvolreset' subcommand (which could share the internal connection
setup) this isn't implemented well. 

> While I feel like the command-line version is running faster, but 
> methods seem to take a very long time, like days.
> When I monitor the Samba server utilization while doing the interactive 
> method, a sole smbd process runs at about 90-100%, which I suppose is 
> expected because it's running across a share and I guess smbd is not 
> going to run on multiple cores.


> When I monitor the Samba server while doing the local command-line 
> version, no process seems to be running at high utilization and the 
> drives are barely lighting up. This is all on a Dell dual-cpu xeon 
> server with 32gb ram and a bunch of raid drives. I realize the 
> samba-tool command is being repeatedly executed as the find recurses, 
> but I would have expected a much more lively server while this was running.
> Seems like the perm changes take a really long time and I'm curious if 
> something is wrong on my end. The Samba server is the sole server in the 
> domain and also running DC role. I realize this is not the ideal 
> configuration for the file server role.

Sadly no, this has been seen elsewhere.  We just haven't had time to
look into it (no pun intended). 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list