[Samba] long delays with file enumeration & listing in large data storage environment

CaptainTrips28 captaintrips28 at gmail.com
Wed Feb 8 01:07:46 UTC 2023

After joining a Samba server to the domain using either Winbind or
ADBridge (PBIS), enumerating the files in a share from Windows File
Explorer takes roughly 9 seconds for a folder containing 30k files, a mix
of large (up to 15GB) and small (as low as a few KB) files. Initially,
before setting logging to "0" and disabling the max server protocol option
in smb.conf (which now defaults to SMB3_11), listing these files would take
up to 45 seconds. So we have already cut this time down drastically with
smb.conf corrections.

While ~9 seconds to enumerate 30k files may seem trivial, this is only a
test scenario with randomly generated junk files. In our production
scenario, we have folders frequently containing upwards of 100k and 250k
files, and requirements for folders that may contain up to 1 million files
of various sizes, with filenames consisting of upper and lowercase
characters. Assuming an average of around 200k files per folder in
production, the enumeration time would be around 1min10secs to list all
files. This enumeration delay is causing issues for our end users.
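
For scale, a rough sketch of that extrapolation follows. It assumes listing
time grows linearly with file count, which is an assumption and has not been
measured; the function name is only illustrative. Pure linear scaling from
9 seconds per 30k files gives about 60 seconds for 200k files, so the
~1min10secs estimate above leaves some room for worse-than-linear behaviour.

```python
# Baseline figures taken from the test scenario: ~9 s to list 30k files.
BASE_FILES = 30_000
BASE_SECONDS = 9.0


def estimate_listing_seconds(n_files: int) -> float:
    """Scale the baseline linearly with file count (an assumption, not a measurement)."""
    return BASE_SECONDS * n_files / BASE_FILES


if __name__ == "__main__":
    # Folder sizes mentioned for the production environment.
    for n in (100_000, 200_000, 250_000, 1_000_000):
        print(f"{n:>9} files: ~{estimate_listing_seconds(n):.0f} s")
```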

Initially, prior to joining the Samba server to the domain, using just a
local smb-enabled account, enumeration of this 30k-file share from Windows
File Explorer was instantaneous (a second or less). However, in production,
Windows AD users access the shares, and the shared folders have AD owners
and groups assigned, with permissions based on each user's level of access.
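
Since the slowdown only appears once the server is domain joined, one thing
that may be worth measuring on the Samba server itself is how long it takes
to resolve the uids and gids that own the files back to names through NSS.
Whether this contributes to the delay is an assumption, not something
established here. The sketch below uses only the Python standard library;
the function name is hypothetical.

```python
import grp
import os
import pwd
import sys
import time


def time_owner_lookups(directory: str) -> dict:
    """Collect the distinct uids/gids in `directory` and time resolving each one."""
    uids, gids = set(), set()
    with os.scandir(directory) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            uids.add(st.st_uid)
            gids.add(st.st_gid)

    timings = {}
    for kind, ids, lookup in (("uid", uids, pwd.getpwuid), ("gid", gids, grp.getgrgid)):
        for ident in sorted(ids):
            start = time.perf_counter()
            try:
                lookup(ident)
            except KeyError:
                pass  # no name mapping for this id; the elapsed time is still recorded
            timings[(kind, ident)] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    for (kind, ident), secs in sorted(time_owner_lookups(path).items()):
        print(f"{kind} {ident}: {secs * 1000:.2f} ms")
```

Running it twice in a row gives a rough view of cold versus cached lookups.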

We have tried numerous config options and combinations of options
enabled/disabled, and tried local storage mountpoints on the Samba server
vs. remote mountpoints via NFS and SSHFS. We've tried several hardware
setups: a physical HPE Gen11 DL380 system acting as the Samba server, a
virtual Samba server within vSphere, and moving hardware around on network
appliances to reduce hops and improve throughput. IPv6 has been disabled,
all required ports are open, and there is no antivirus scan interference.
On the Windows side, SMB client settings have been tested with various
options, NetBIOS is confirmed disabled, etc. We've also tried limiting the
Samba server to one DC and ignoring all irrelevant domains. No matter the
test scenario, once domain joined, the lowest enumeration time we can
achieve is 9 seconds until the file listing is complete, and that outcome
is consistent across all of the testing scenarios mentioned above.
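
To separate filesystem time from SMB and domain overhead, the same folder
can be timed directly on the Samba server (or against a mounted share). The
following is a minimal sketch using only the Python standard library; the
function name and the choice to stat every entry are illustrative
assumptions, not a reproduction of what Windows File Explorer does.

```python
import os
import sys
import time


def time_enumeration(directory: str, with_stat: bool = True) -> tuple:
    """Return (entry_count, elapsed_seconds) for one full listing of `directory`."""
    start = time.perf_counter()
    count = 0
    with os.scandir(directory) as entries:
        for entry in entries:
            if with_stat:
                # Fetch size/owner/timestamps, since a client listing needs metadata too.
                entry.stat(follow_symlinks=False)
            count += 1
    return count, time.perf_counter() - start


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    for label, flag in (("names only", False), ("names + stat", True)):
        n, secs = time_enumeration(path, with_stat=flag)
        print(f"{label}: {n} entries in {secs:.3f} s")
```

If the local run finishes in well under a second for the 30k-file folder,
the remaining time is being spent somewhere between smbd and the client
rather than in the underlying storage.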

- Tried both RHEL 8.4 and 8.6 (FIPS disabled, SELinux permissive and
firewalld off)

- Samba versions 4.13.3 (RHEL 8.4) and 4.15.5 (RHEL 8.6) have both been
tried with identical outcome (all pulled from RH Satellite repos)

- We've tried with STIGs both applied and unapplied, as well as folder/file
encryption both on and off (no difference in performance).

- PBIS/ADBridge was tried with both versions 22.2.x and 22.3.x (latest)

- Testing share access from Windows Server 2019 Datacenter (Build 17763).
Our user VDA sessions would also be accessing the shares from the same.

- Production environment is enterprise scale; hundreds of users/thousands
of folders/millions of files

- Share enumeration speed is the same if accessing by either mapped drive,
file explorer // access, or symbolically linking to the share

Any suggestions/recommendations on how to reduce or eliminate enumeration
and listing times for these shares would be greatly appreciated.


CURRENT SMB.CONF   (I've had to replace the domain/share/host details for



        security = ADS
        workgroup = DOMAIN
        realm = DOMAIN
        machine password timeout = 0
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config DOMAIN.COM:backend = ad
        idmap config DOMAIN.COM:schema_mode = rfc2307
        idmap config DOMAIN.COM:range = 1617000000-1617999999
        idmap config DOMAIN.COM:unix_nss_info = yes
        map acl inherit = yes
        store dos attributes = yes
        log level = 0
        dns proxy = yes
        hostname lookups = yes
        kerberos method = system keytab
        log file = /var/log/samba/log.%m
        smb encrypt = yes
        server signing = auto
        client signing = auto
        vfs objects = acl_xattr
        nt acl support = yes
        netbios name = testhost01


        path = /mountpoint/Development/OrgName/OrgGroup/OrgSubgroup/TEST
        writable = yes
        browsable = yes
        read only = no
        create mask = 0770
        force create mode = 0770
        directory mask = 0775
        hide unreadable = yes
#        force group = OrgGroupTest@domain.com
#        valid users = +domain.com\"OrgGroupTest"




*(not currently applied as these options either made no difference or
decreased performance/enumeration):

(global options we've tried various combinations of. We are aware these
options are not recommended by modern kernel standards, but tried them

#        username map = /etc/samba/user.map
#        server multi channel support = yes
#        aio read size = 16384
#        aio write size = 16384
#        aio max threads = 100
#        allocation roundup size = 1048576
#        interfaces = ";speed=10000000000,capability=RSS"
#        winbind max domain connections = 10
#        winbind expand groups = 1
#        socket options = SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
#        min receivefile size = 16384
#        use sendfile = true
#        aio read size = 16384
#        aio write size = 16384
#        aio write behind = true

(share options we've tried with no performance improvement even when
testing lowercase files only)

#        case sensitive = true
#        default case = lower
#        preserve case = no
#        short preserve case = no
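
When trying many combinations of options, it is easy to list the same one
twice (for example, "aio read size" and "aio write size" each appear twice
in the global list above). A small sketch for spotting repeats in a pasted
option list follows; it is a plain text scan with a hypothetical function
name, not a substitute for Samba's own config checking.

```python
from collections import defaultdict


def find_repeated_options(text: str) -> dict:
    """Map each option name that occurs more than once to its list of values."""
    seen = defaultdict(list)
    for raw in text.splitlines():
        # Strip a leading '#' so commented-out options are inspected too.
        line = raw.strip().lstrip("#").strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        # Lower-case the name and collapse runs of whitespace before comparing.
        seen[" ".join(key.lower().split())].append(value.strip())
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    sample = """
    #        aio read size = 16384
    #        aio write size = 16384
    #        use sendfile = true
    #        aio read size = 16384
    """
    for name, values in find_repeated_options(sample).items():
        print(f"{name}: listed {len(values)} times with values {values}")
```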
