Disabling DOS Attributes to improve samba browsing performance

[anodos]

The simple fact of the matter is that Windows permissions are more complex than Unix permissions. Windows servers have multiple layers of permissions representing different legacy and current ways of manipulating access controls to shares. These layers include DOS attributes, share permissions (from the days of Windows NT), and NTFS access control lists (ACLs).

DOS attributes consist of 'Read-only, Hidden, System, and Archive', and are visible in Windows if you right-click on a file or folder and hit 'properties'. As is implied in their name, these attributes are from the good old days of DOS. Samba has two different ways of dealing with them. By default and when not configured as an AD domain controller (when an AD DC samba will automatically store DOS attributes as filesystem extended attributes) samba uses the "map" parameters mentioned in the smb.conf manpage. The "map*" parameters work by manipulating the unix file permissions in the following ways:

dos readonly is represented in unix by removing everyone's write bit
dos archive is represented in unix by the user's execute bit
dos system is represented in unix by the group's execute bit
dos hidden is represented in unix by the other's execute bit

The above operations are carried out through chmod. Unfortunately, this has a tendency to mess up ZFS access control lists (ACLs), where the execute bit serves a different purpose (specifically, it maps to the NTFS permission "traverse folder / execute file"). Additionally, since FreeBSD 9.2.1.6 the zfs aclmode is set to "restricted" on CIFS shares with ACL type set to "windows". The "restricted" aclmode prevents people from nuking their ACEs through a drive-by chmod. It also prevents the "map *" parameters from working. Simply put, the "map *" parameters are a no-go if you're using windows ACLs.

Alternatively, samba can store this information in EAs and SECDESCs. This is the way I believe that samba development is headed. Comments in the samba source regarding the "map *" parameters say things like:

I'd like to see the following options go away and always use EAs and SECDESCs

Which makes sense because extended attributes (sometimes abbreveated "EA" or "XATTR") are able to store much more information than just these DOS modes. For instance, samba also stores create time in the DOSATTRIB EA. Extended attributes are necessary for the vfs_streams_xattr module, which provides compatibility with NTFS alternate datastreams (user.DosStream). Filesystem xattrs are important because they allow storing more information than would normally be possible with nfsv4 ACLs.

Unfortunately, extended attributes are sometimes treated like second class citizens. Extended attribute operations appear to be quite slow on FreeBSD 9.x, and every time that you open a directory samba will retrieve the user.DOSATTRIB extended attribute of every file and folder in that directory. This results in very slow uncached browsing via Windows explorer.

One solution to this problem is to prevent samba from storing DOS modes. The way to do this is to add the following "auxiliary parameters" to "Services" -> "CIFS"

Code:

store dos attributes = no
ea support = no
map archive = no
map hidden = no
map system = no
map readonly = no

Unfortunately, your work is not done, as the O'Reilly book on samba notes,

We should warn you that the default value of the map archive option is yes, while the other two options have a default value of no. This is because many programs do not work properly if the archive bit is not stored correctly for DOS and Windows files.

My experience is that this warning still applies, but there is a way to notify programs that DOS attributes cannot be set.

Once you have enabled this parameters, you should use Explorer on a windows client to remove the "special permission" Write attributes by right-clicking on your share, then clicking on "properties" --> "security" --> "advanced" --> "edit" and unchecking the aforementioned permission. This will prevent network scanners and programs that want to write DOS attributes from randomly puking on themselves and your file server (corrupting files during writes and otherwise failing in inexplicable ways).

 

[cyberjock]

I wrote up a topic on this a few months back as iXsystems has a customer with this problem. This can end very badly for people that aren't 1000% percent sure that they do not need DOS attributes at all. Some programs and copy machines will expect to have that permission and will throw an error when they can't set the DOS attributes. ;)

So set these with *serious* consideration.

In-house, a better option is to add more RAM and let the ARC store the info for you.

At home I'm using these settings and these have worked for me for over 2 months. But I know I don't set DOS attributes and as I handle my backups with ZFS replication I also know that I have no backup software that will get upset. ;)

I'm not saying this is a bad idea, just "buyer beware" as you can break lots of things while fixing one thing. For most people, this shouldn't even be a problem.

 

[anodos]

I wrote up a topic on this a few months back as iXsystems has a customer with this problem. This can end very badly for people that aren't 1000% percent sure that they do not need DOS attributes at all. Some programs and copy machines will expect to have that permission and will throw an error when they can't set the DOS attributes. ;)

So set these with *serious* consideration.

In-house, a better option is to add more RAM and let the ARC store the info for you.

At home I'm using these settings and these have worked for me for over 2 months. But I know I don't set DOS attributes and as I handle my backups with ZFS replication I also know that I have no backup software that will get upset. ;)

I'm not saying this is a bad idea, just "buyer beware" as you can break lots of things while fixing one thing. For most people, this shouldn't even be a problem.

Correct, there is a risk involved in setting these. I also fully expect this to be fixed at some time in the future and my post to turn into more samba voodoo that people use to make their server 'get more fasterer' (like setting socket options). That being said, setting ACEs to prevent users from writing attributes should cause things to fail more gracefully than otherwise.

 

[cyberjock]

Well, there's 2 mechanisms at work:

1. Move the DOS attributes out of the extended attributes. The unix permissions bits would then be garbled, which would break other things.
2. From what I'm reading, FreeBSD 10.1 has gotten some love in the extended attributes code and now it is *MUCH* faster. One person claimed it was more than 1000x faster with the new code versus the old code.

There is a bug ticket to do #1 (its not available to the public, sorry). Of course, we might wait for #2 because of the consequences. I don't like to speculate on such things so I leave it to the powers that be to decide and implement what they feel is best. Of course, implementing #1 is not a few lines of code, so expecting it this year is expecting too much. It also isn't super-duper high priority, but we do have a need to resolve this issue because it will only get worse as people get bigger and bigger servers.

 

[anodos]

Well, there's 2 mechanisms at work:

1. Move the DOS attributes out of the extended attributes. The unix permissions bits would then be garbled, which would break other things.
2. From what I'm reading, FreeBSD 10.1 has gotten some love in the extended attributes code and now it is *MUCH* faster. One person claimed it was more than 1000x faster with the new code versus the old code.

There is a bug ticket to do #1 (its not available to the public, sorry). Of course, we might wait for #2 because of the consequences. I don't like to speculate on such things so I leave it to the powers that be to decide and implement what they feel is best. Of course, implementing #1 is not a few lines of code, so expecting it this year is expecting too much. It also isn't super-duper high priority, but we do have a need to resolve this issue because it will only get worse as people get bigger and bigger servers.

(1) is addressed by disabling the map* parameters as I listed above. Specifically, the map* parameters manipulate the execute bits, which with nfsv4 permissions affects the ability of users to traverse folders.

(2) That's what I expected. sys_extattr_get_file, etc. is giant locked in FreeBSD 9.x, probably causing contention and killing performance. For reference see here. FreeBSD 10.x removed the locks. I believe there I saw a patch somewhere that removes giant locks from the 9.x kernel, but I think that's a 'here be dragons' solution.

 

[cyberjock]

I don't think you understand what I'm saying with #1. With the map parameters you aren't moving the attributes out of the extended attributes. You are disabling them completely (and forcing them to "no"). I'm talking about them working properly for Samba users, but not using extended attributes. ;)

 

[Black Ninja]

Is there anything wrong to keep unix permission on datasets even if it used only with cifs share ?

 

[anodos]

Is there anything wrong to keep unix permission on datasets even if it used only with cifs share ?

No. Samba is designed to be cross-platform, which means you can configure permissions through other means. When using unix permissions, I use the "valid users" and "write list" auxiliary parameters to control access to shares. I also "chmod g+s" the root directory of the share (which makes office behave itself better. You will still probably want to disable "store dos attributes" and "ea support", but you do not need to disable the "map *" parameters. You should also verify that the "zfsacl" vfs object isn't enabled on your share with unix permissions.

 

[Black Ninja]

No. Samba is designed to be cross-platform, which means you can configure permissions through other means. When using unix permissions, I use the "valid users" and "write list" auxiliary parameters to control access to shares. I also "chmod g+s" the root directory of the share (which makes office behave itself better. You will still probably want to disable "store dos attributes" and "ea support", but you do not need to disable the "map *" parameters. You should also verify that the "zfsacl" vfs object isn't enabled on your share with unix permissions.

I assume that why I am getting " Cannot get attribute from EA on file..." I ignore it , but I wish didn't have any error messages ? Because of the "ea" support right ?

 

[SMnasMAN]

wow did this make a HUGE difference on a large test system ive been testing FN on. Major improvement, even on a 8x enterprise SSD , striped pool (of-course only when loading a folder via SMB that has many files, or many sub-folders).

Can anyone add some more info on the potential issues of running this? (im def. leaning towards NOT running this as i move out of my test system, as i know SMB aux parameters generally are not a good idea, and i feel like even modern win apps sometimes still use the READ-ONLY and ARCHIVE atributes).

For example, i know quite a few windows backup apps (like SyncBack or Cobian) do have options/settings to "Mark Archive attribute" (and they use this , along with other things, to figure out what to backup during scheduled runs). is this the same Archive attribute referred to above? (or is there a different NTFS Archive attribute?)

If this is the same thing, then i would think that this setting would be pretty dangerous for most FN users? Since many use SMB, and its not crazy to think windows backup apps to or from FN SMB sources (do i have some of this correct or is this really for old windows versions?)

thanks

 

[anodos]

wow did this make a HUGE difference on a large test system I've been testing FN on. Major improvement, even on a 8x enterprise SSD , striped pool (of-course only when loading a folder via SMB that has many files, or many sub-folders).

Can anyone add some more info on the potential issues of running this? (im def. leaning towards NOT running this as i move out of my test system, as i know SMB aux parameters generally are not a good idea, and i feel like even modern win apps sometimes still use the READ-ONLY and ARCHIVE atributes).

For example, i know quite a few windows backup apps (like SyncBack or Cobian) do have options/settings to "Mark Archive attribute" (and they use this , along with other things, to figure out what to backup during scheduled runs). is this the same Archive attribute referred to above? (or is there a different NTFS Archive attribute?)

If this is the same thing, then i would think that this setting would be pretty dangerous for most FN users? Since many use SMB, and its not crazy to think windows backup apps to or from FN SMB sources (do i have some of this correct or is this really for old windows versions?)

thanks

This is quite an old post. Why don't you try the following combination of parameters instead:
1) remove zfsacl and zfs_space vfs modules for the share
2) enable ixnas
3) set following auxiliary parameter: mangled names = illegal

ixnas stores the DOS attributes as file flags (returned in stat() output), which is significantly less expensive than xattr lookups. If you want streams_xattr to work (alternate datastream support), then ea support _must_ be enabled. If you want to set ea support = no then streams_xattr must be removed from the share.

 

[SMnasMAN]

holy *#$@ does that speed smb file listings up! (and i made sure comparision was not ARC vs disk) Thanks so much!

this is still my test FN setup, so i dont have any data i care about on this system

so i tried all 3x, ie remove zfsacl and zfs_space + enable ixnas + aux parameter: mangled names = illegal and then reversed each one to see what was helping-

Can you please tell me if there are any downsides to running these 3x options?
(also i do need to re-start the SMB service after chaning any of these, for them to go into affect, correct?)

one issue though- ixnas , was causing this folder's name to change (when viewed by a win client, in this case win 2016 server ):
(of course, ixnas enabled was the one that gave the MOST speed boost too, so im not sure if i should end up using it though)

root@freenas:/mnt/MIRRORof2x6xRDz2/xprotectARCHIVE # ls
21A0B932-E883-45E2-B42B-4EB4B990A1EA 21A0B932-E883-45E2-B42B-4EB4B990A1EA_unrepairable_tables

 

[anodos]

holy *#$@ does that speed smb file listings up! (and i made sure comparision was not ARC vs disk) Thanks so much!

this is still my test FN setup, so i don't have any data i care about on this system

so i tried all 3x, ie remove zfsacl and zfs_space + enable ixnas + aux parameter: mangled names = illegal and then reversed each one to see what was helping-

Can you please tell me if there are any downsides to running these 3x options?
(also i do need to re-start the SMB service after chaning any of these, for them to go into affect, correct?)

one issue though- ixnas , was causing this folder's name to change (when viewed by a win client, in this case win 2016 server ):
(of course, ixnas enabled was the one that gave the MOST speed boost too, so im not sure if i should end up using it though)

root@freenas:/mnt/MIRRORof2x6xRDz2/xprotectARCHIVE # ls
21A0B932-E883-45E2-B42B-4EB4B990A1EA 21A0B932-E883-45E2-B42B-4EB4B990A1EA_unrepairable_tables

View attachment 30117 View attachment 30118

ixnas will be default in 11.3. If there's an issue with how it's showing filenames, then I need to fix it. I'm not sure why the name would appear incorrect. Can you reliably reproduce the issue?

 

[SMnasMAN]

yes, every time i add/remove ixnas (and then restart SMB service), and reload on the win box the folders name changes.
EDIT: I dont need to stop/start SMB service after add/remove ixnas (or maybe it auto restarts SMB when you click ok? - either way i just now re-verfied after a reboot of the FN box, issue is same)

(FN= Build FreeNAS-11.2-U3 , physical machine not FN as a VM)

lmk what you need from me, i can provide remote access to the FN box and the windows client (no data is on either, as this is all still my test setup b4 i finalize what ill use for good) Or can post/send anything you want/need from me.

I have a milestone NVR app (runs on win10, is ip cctv camera recorder software), that is set to- every night archive the prior days video , TO a SMB mapped drive (from this freenas server) , so that is the folder you are seeing in my images. ( it is a test setup, so i dont care about the video/data)

also Can you please tell me if there are any downsides to removing vs running these 3x SMB modules (zfsacl , zfs_space, and aux parameter: mangled names = illegal) ? (or what is it they do? i tried searching for them, but cant find a clear answer/info. id like to know so i can decide if its functionality i may need when i setup my final FN system. all i could find is that zfsacl is somehow related to how a SMB share will show up if you are also using NFSd on the same datastore, but that does not seem correct or accurate)

thanks, this is really nice of you to spend time improving SMB service for ixsys / FN ! (whether you are an employee or volunteer)

EDIT: with share's settings like this the folder has that long weird name (vs if i remove ixnas, it will show the normal folder name), i have no AUX params on the SMB service itself- the SMB service has the stock , fresh install settings, as ive never messed w them).:

 

[anodos]

yes, every time i add/remove ixnas (and then restart SMB service), and reload on the win box the folders name changes.
EDIT: I don't need to stop/start SMB service after add/remove ixnas (or maybe it auto restarts SMB when you click ok? - either way i just now re-verfied after a reboot of the FN box, issue is same)

(FN= Build FreeNAS-11.2-U3 , physical machine not FN as a VM)

lmk what you need from me, i can provide remote access to the FN box and the windows client (no data is on either, as this is all still my test setup b4 i finalize what ill use for good) Or can post/send anything you want/need from me.

I have a milestone NVR app (runs on win10, is IP cctv camera recorder software), that is set to- every night archive the prior days video , TO a SMB mapped drive (from this freenas server) , so that is the folder you are seeing in my images. ( it is a test setup, so i don't care about the video/data)

also Can you please tell me if there are any downsides to removing vs running these 3x SMB modules (zfsacl , zfs_space, and aux parameter: mangled names = illegal) ? (or what is it they do? i tried searching for them, but can't find a clear answer/info. id like to know so i can decide if its functionality i may need when i setup my final FN system. all i could find is that zfsacl is somehow related to how a SMB share will show up if you are also using NFSd on the same datastore, but that does not seem correct or accurate)

thanks, this is really nice of you to spend time improving SMB service for ixsys / FN ! (whether you are an employee or volunteer)

EDIT: with share's settings like this the folder has that long weird name (vs if i remove ixnas, it will show the normal folder name), i have no AUX params on the SMB service itself- the SMB service has the stock , fresh install settings, as I've never messed w them).:
View attachment 30134

Post output of the following enclosed in [ code ] tags: ls -al /mnt/MIRRORof2x6xRDz2/xprotectARCHIVE

 

[SMnasMAN]

Code:

root@freenas:/mnt/new3uRDz5x3disks # ls -al /mnt/MIRRORof2x6xRDz2/xprotectARCHIVE
total 1713
drwxrwxrwx     4 admin  wheel     4 Mar 22 13:30 .
drwxrwxrwx    12 root   wheel    22 Apr 14 17:10 ..
drwxrwxrwx  3457 admin  wheel  3460 Apr  4 11:22 21A0B932-E883-45E2-B42B-4EB4B990A1EA
drwxrwxrwx     9 admin  wheel     9 Apr  2 03:45 21A0B932-E883-45E2-B42B-4EB4B990A1EA_unrepairable_tables

tks

 

[anodos]

Post output of testparm -s
Then smbclient //127.0.0.1/MIRRORof2x6xRDz2 -U <your username> once you have an interactive SMB session, type 'ls' and post output.

 

[seanm]

Can you please tell me if there are any downsides to removing vs running these 3x SMB modules (zfsacl , zfs_space, and aux parameter: mangled names = illegal) ? (or what is it they do? i tried searching for them, but can't find a clear answer/info. id like to know so i can decide if its functionality i may need when i setup my final FN system.

The VFS modules are documented here: https://www.ixsystems.com/documentation/freenas/11.2/sharing.html#windows-smb-shares

zfs_space: Correctly calculates ZFS space used by the share, including space used by ZFS snapshots, quotas, and resevations. Enabled by default.
zfsacl: Provide ACL extensions for proper integration with ZFS. Enabled by default.

They are both on by default, so that's probably a much better tested configuration.

"mangled names = illegal" is documented here:
https://www.ixsystems.com/community/resources/smb-tips-and-tricks.15/
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

 

[anodos]

The VFS modules are documented here: https://www.ixsystems.com/documentation/freenas/11.2/sharing.html#windows-smb-shares

zfs_space: Correctly calculates ZFS space used by the share, including space used by ZFS snapshots, quotas, and resevations. Enabled by default.
zfsacl: Provide ACL extensions for proper integration with ZFS. Enabled by default.

They are both on by default, so that's probably a much better tested configuration.

"mangled names = illegal" is documented here:
https://www.ixsystems.com/community/resources/smb-tips-and-tricks.15/
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

If ixnas is enabled, then zfs_space and zfsacl should be removed.

 

[seanm]

If ixnas is enabled, then zfs_space and zfsacl should be removed.

That would make a good update to the docs. :)

(Looking forward to ixnas being non-experimental though!)