Hi,

I need to set ACLs on a samba server, and am using icacls in Win7.

It takes several hours to edit an ACL with inheritance, affecting a directory tree with 300,000 files. Server CPU > 70%, client CPU < 20%. Is there a way I can speed this up?

Using "setfattr -R" in Linux does it in approximately 2 minutes, but I want real Windows ACLs.

There are 300.000 files in a directory tree. Client and Server are Core2duo with 3 GHz and 4 GB RAM. This is Samba 4.1.6 running in Ubuntu 14.04 as NT4-PDC with "vfs objects = acl_xattr" and "map acl inherit = true". Filesystem ext4 with options rw,noexec,noatime,acl,user_xattr.

I could run it overnight, but I will likely have to add ACLs later for one of the larger subdirectories.

Thanks,
Klaus

> top - 17:06:55 up 7 days, 5:45, 2 users, load average: 0,81, 0,79, 0,75
> Aufgaben: 102 total, 3 running, 99 sleeping, 0 stopped, 0 zombie
> %Cpu(s): 14,0 be, 23,4 sy, 0,0 ni, 61,9 un, 0,5 wa, 0,0 hi, 0,2 si, 0,0 st
> KiB Mem: 3047384 total, 1010856 used, 2036528 free, 582592 buffers
> KiB Swap: 9764860 total, 15552 used, 9749308 free. 154744 cached Mem
>
> PID BENUTZER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 4274 root 20 0 39976 17428 14056 S 72,9 0,6 124:21.74 smbd

Klaus Hartnegg wrote:
> Hi,
>
> I need to set ACLs on a samba server, and am using icacls in Win7.
>
> It takes several hours to edit an ACL with inheritance, affecting a
> directory tree with 300,000 files. Server CPU > 70%, client CPU < 20%.
> Is there a way I can speed this up?
>
> Using "setfattr -R" in Linux does it in approximately 2 minutes, but I
> want real Windows ACLs.

I have a similar setup and similar performance.

One of the things that is hitting this situation is that Windows is having to change the ACLs on each file. Samba, on the server, is only running at about 45% usage -- so it seems most of the time is spent waiting for Windows to issue the commands.

The only way to make this faster is to eliminate the "per-item" cost for each round-trip. I.e., it would seem that a server-based util to set all the items would be necessary.

The question then becomes what are the differences between what setfattr does and "real Windows ACLs". I'm not sure that the latter is possible if the real ACLs on the server are POSIX (or, possibly more problematic, "solaris") ACLs.

Some issues that would seem to need addressing: symbolic links for ACLs so files could point to some parent object for their ACL -- an issue that I think needs supporting apart from Samba support (i.e. who wants 300K copies of the same ACL, 1 on each file, if 1 will do?) and the issue of allowing "group" ownership.

Group ownership is a real problem on *nix, since many apps restrict/disallow group ownership as part of their function (ex: ssh, sendmail). At the very least, requiring those utils to stop dictating system security policy would be needed -- for example, I can set "root's" home dir to be owned by group ADMIN, but that will disable 'ssh' functionality for root -- not desirable.

It seems the best "stop-gap" measure might be a util that runs on the server that could allow mass setting of ACLs on a group of files. But that will incur 300K copies of an ACL that need to be stored in your case, though given that it "only" takes 2 minutes to set on Linux, that might not be a deal breaker.

How would you see Samba supporting such features? I just threw out some ideas off the top of my head -- since, as I stated at the beginning, I have noted similar problems.