samba - Aug 2010 - Throughput problem with Samba 3.3.4 over VPN

Hi,

I am currently in the process of improving performance for a Samba 3.3.4
server on FreeBSD 7.0. The samba server works great when mounted from
another machine located on the same network but when I try to use it
over our corporate VPN (OpenVPN with tap interface) the throughput won't
go over 4,5 Mbps. The ping between the samba client and the server is
around 20ms. I have used a linux machine on amazon's elastic cloud to
connect to the corporate VPN and mount the samba share located on our
web host. There is at least 20 Mbps of bandwidth available between the
two in both ways.

I have also tested the throughput from our Montreal office where we have
a 10 Mbps download. I have tested with fedora, windows 7 and windows xp
and I can't get more than 4 or 5 Mbps there.

Is this situation to be expected or should I be getting better throughput?

Here is my smb.conf file:

[global]
    dos charset = 850
    unix charset = ISO8859-1
    workgroup = CIVITAS
    netbios name = PDC-SRV
    server string = Samba Server
    passdb backend = ldapsam:ldap://127.0.0.1/
    log level = 1
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 50
    time server = Yes
    deadtime = 120
    #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # Ajoute par Ludovic pour ameliorer la performance de Samba
    # tire de https://calomel.org/samba_optimize.html
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536
SO_SNDBUF=65536
    use sendfile = yes
    load printers = No
    name resolve order = wins lmhosts host bcast
    ;add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    ;delete user script = /usr/local/sbin/smbldap-userdel -r "%u"
    ;add group script = /usr/local/sbin/smbldap-groupadd "%g"
    ;delete group script = /usr/local/sbin/smbldap-groupdel "%g"
    ;add user to group script = /usr/local/sbin/smbldap-groupmod -m
"%u"
"%g"
    ;delete user from group script = /usr/local/sbin/smbldap-groupmod -x
"%u" "%g"
    ;set primary group script = /usr/local/sbin/smbldap-usermod -g
"%g" "%u"
    ;add machine script = /usr/local/sbin/smbldap-useradd -W "%u"
    add user script               = /usr/local/sbin/smbldap-useradd -m %u
    delete user script            = /usr/local/sbin/smbldap-userdel %u
    add group script              = /usr/local/sbin/smbldap-groupadd -p %g
    delete group script           = /usr/local/sbin/smbldap-groupdel %g
    add user to group script      = /usr/local/sbin/smbldap-groupmod -m
%u %g
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x
%u %g
    set primary group script      = /usr/local/sbin/smbldap-usermod -g %g %u
    add machine script            = /usr/local/sbin/smbldap-useradd -w %m"
    logon script = %U.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=Manager,dc=bgjlr,dc=com
    ldap delete dn = Yes
    ldap group suffix = ou=group
    ldap machine suffix = ou=machines
    ldap passwd sync = yes
    ldap suffix = dc=bgjlr,dc=com
    ldap ssl = no
    ldap user suffix = ou=People
    nt acl support = No
    map acl inherit = Yes
    case sensitive = No
    veto files
/.snap/*.bat/*.cmd/*.com/*.cpl/*.exe/*.hta/*.inf/*.ins/*.isp/*.msi/*.msp/*.pif/*.reg/*.scr/*.shs/*.vb/*.vbs/*.wsc/
    store dos attributes = Yes
    wide links = No
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    server signing = auto
        server schannel = Auto

[homes]
    comment = Home directories
    valid users = %S
    read only = No
    create mask = 0700
    directory mask = 02700
    browseable = No
    root preexec = /usr/local/bin/mkhome %u

[netlogon]
    comment = Network Logon Service
    path = /srv/home/samba/netlogon/
    browseable = No
    root preexec = /srv/home/samba/genlogon.pl %U %G %L

[profiles]
    path = /srv/home/samba/profiles
    valid users = %U, "@Domain Admins"
    force user = %U
    read only = No
    create mask = 0600
    directory mask = 0700
    profile acls = Yes
    hide files = /desktop.ini/ntuser.ini/NTUSER.*/
    browseable = No
    csc policy = disable
    guest ok = Yes

[public]
    comment = Public Stuff
    path = /srv/groupes/public
    read only = No
    guest ok = Yes

[public2]
    comment = Public Stuff
    path = /data
    read only = No
    guest ok = Yes

[groups]
    comment = All groups
    path = /srv/groupes
    read only = No
    inherit permissions = Yes
    inherit acls = Yes
    profile acls = Yes

[admin]
    comment = Pour administration
    path = /srv/admin
    read only = No
    inherit permissions = No
    valid users = kimmtl syla

Thanks for the input,
Ludovic

On Thu, Aug 05, 2010 at 10:06:40AM -0400, Ludovic Rouse-Lamarre
wrote:
> I am currently in the process of improving performance for a Samba 3.3.4
> server on FreeBSD 7.0. The samba server works great when mounted from
> another machine located on the same network but when I try to use it
> over our corporate VPN (OpenVPN with tap interface) the throughput
won't
> go over 4,5 Mbps. The ping between the samba client and the server is
> around 20ms. I have used a linux machine on amazon's elastic cloud to
> connect to the corporate VPN and mount the samba share located on our
> web host. There is at least 20 Mbps of bandwidth available between the
> two in both ways.
> 
> I have also tested the throughput from our Montreal office where we have
> a 10 Mbps download. I have tested with fedora, windows 7 and windows xp
> and I can't get more than 4 or 5 Mbps there.
> 
> Is this situation to be expected or should I be getting better throughput?
Try the smbclient get command. That should be better.
If it is, everything else is pretty much a client problem.

Volker