samba - Jul 2025 - Browsing folders takes time with POSIX ACLs

Hello ...,

We have a file server with ZFS filesystem, NFS and Samba services.
Folder browsing through NFS works fine on Mac and on MS Windows clients.
However, when we access it using SMB (Samba) on MS Windows clients, the
browsing is very slow.
Each folder takes at least 2 - 5 seconds to open. This happens even with
folders with just a couple of files / subfolders inside.

We have no issues opening or copying files through SMB.

After investigating, we found that it is due to POSIX ACLs. If we remove
the ACL entries, we are able to browse the folders quickly.
We have a maximum of 7 ACL group entries only on any folder.
We have joined the server to the AD Domain, and each user and group has a
UID / GID configured on AD.

Client OS: MS Windows 11 and MS Windows 10.

Server OS Version: Rocky Linux 9.5 (Blue Onyx)
Linux Kernel Version: 5.14.0-503.14.1.el9_5.x86_64

ZFS Packages and Version:
zfs-release-2-3.el9.noarch
libzfs5-2.1.16-1.el9.x86_64
zfs-2.1.16-1.el9.x86_64
kmod-zfs-2.1.16-1.el9.x86_64

Samba Server Packages and Version:
samba-common-4.20.2-2.el9_5.noarch
samba-common-libs-4.20.2-2.el9_5.x86_64
samba-client-libs-4.20.2-2.el9_5.x86_64
samba-libs-4.20.2-2.el9_5.x86_64
samba-dcerpc-4.20.2-2.el9_5.x86_64
samba-winbind-modules-4.20.2-2.el9_5.x86_64
samba-ldb-ldap-modules-4.20.2-2.el9_5.x86_64
samba-common-tools-4.20.2-2.el9_5.x86_64
samba-winbind-4.20.2-2.el9_5.x86_64
samba-4.20.2-2.el9_5.x86_64
samba-winbind-clients-4.20.2-2.el9_5.x86_64

Samba Server Configuration:
--------------------------------------------------------------------
[global]

workgroup = MUM
server string = stg1.mum.xxxxx.com

netbios name = STG1

log file = /var/log/samba/log.%m
max log size = 50

        client signing = off
        client use spnego = yes
        kerberos method = system keytab

        security = ads
        realm = MUM.XXXXX.COM

idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config MUM : backend = ad
idmap config MUM : range = 10000 - 20000
idmap config MUM : schema_mode = rfc2307
winbind offline logon = true
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind refresh tickets = true
winbind nss info = rfc2307
allow trusted domains = No
username level = 3

load printers = yes
cups options = raw

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
min receivefile size = 16384

[share]
comment = shared folder on stg1
path = /stg1/share
public = no
writable = yes
create mask = 0664
directory mask = 0775
printable = no
admin users = administrator,it_admin
nt acl support = yes
delete readonly = yes
oplocks = yes
case sensitive = no
veto files = /._*/.DS_Store/
delete veto files = yes
ea support = no
store dos attributes = no
--------------------------------------------------------------------
*(I tried disabling - create mask, directory mask, nt acl support, ea
support, store dos attributes - it didn't help.)*

ZFS filesystem is mounted with 'casesensitvity=insensitive' option to
support MS Windows clients.

ls -l
--------------------------------------------------------------------
drwxrwxr-x+ 2 root root 2 Jan 24 12:46 Work_Files/
--------------------------------------------------------------------

ACL Entries:
--------------------------------------------------------------------
# file: Work_Files/
# owner: root
# group: root
user::rwx
group::rwx
group:aaa:r-x
.
.
.
group:bbb:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:aaa:r-x
.
.
.
default:group:bbb:rwx
default:mask::rwx
default:other::r-x
--------------------------------------------------------------------


What could be the issue?
Kindly suggest.

Regards,


Indivar Nair

This may be more to do with ZFS than samba where you mention it is due 
to the posix ACLs and turning them off improves the listing. You could 
look at using a special vdev on nvme to offload all metadata to, this 
should improve listing operations significantly. It would require you to 
rewrite the data but it basically stores all metadata for the pool on 
nvme instead. At least in my case though we were dealing with dirs with 
millions of files in them though.

Regards,

Bailey Allison
Service Team Lead
45Drives, Ltd.
866-594-7199 x868

On 2025-07-16 15:35, Indivar Nair via samba wrote:
> Hello ...,
>
> We have a file server with ZFS filesystem, NFS and Samba services.
> Folder browsing through NFS works fine on Mac and on MS Windows clients.
> However, when we access it using SMB (Samba) on MS Windows clients, the
> browsing is very slow.
> Each folder takes at least 2 - 5 seconds to open. This happens even with
> folders with just a couple of files / subfolders inside.
>
> We have no issues opening or copying files through SMB.
>
> After investigating, we found that it is due to POSIX ACLs. If we remove
> the ACL entries, we are able to browse the folders quickly.
> We have a maximum of 7 ACL group entries only on any folder.
> We have joined the server to the AD Domain, and each user and group has a
> UID / GID configured on AD.
>
> Client OS: MS Windows 11 and MS Windows 10.
>
> Server OS Version: Rocky Linux 9.5 (Blue Onyx)
> Linux Kernel Version: 5.14.0-503.14.1.el9_5.x86_64
>
> ZFS Packages and Version:
> zfs-release-2-3.el9.noarch
> libzfs5-2.1.16-1.el9.x86_64
> zfs-2.1.16-1.el9.x86_64
> kmod-zfs-2.1.16-1.el9.x86_64
>
> Samba Server Packages and Version:
> samba-common-4.20.2-2.el9_5.noarch
> samba-common-libs-4.20.2-2.el9_5.x86_64
> samba-client-libs-4.20.2-2.el9_5.x86_64
> samba-libs-4.20.2-2.el9_5.x86_64
> samba-dcerpc-4.20.2-2.el9_5.x86_64
> samba-winbind-modules-4.20.2-2.el9_5.x86_64
> samba-ldb-ldap-modules-4.20.2-2.el9_5.x86_64
> samba-common-tools-4.20.2-2.el9_5.x86_64
> samba-winbind-4.20.2-2.el9_5.x86_64
> samba-4.20.2-2.el9_5.x86_64
> samba-winbind-clients-4.20.2-2.el9_5.x86_64
>
> Samba Server Configuration:
> --------------------------------------------------------------------
> [global]
>
> workgroup = MUM
> server string = stg1.mum.xxxxx.com
>
> netbios name = STG1
>
> log file = /var/log/samba/log.%m
> max log size = 50
>
>          client signing = off
>          client use spnego = yes
>          kerberos method = system keytab
>
>          security = ads
>          realm = MUM.XXXXX.COM
>
> idmap config * : backend = tdb
> idmap config * : range = 3000 - 7999
> idmap config MUM : backend = ad
> idmap config MUM : range = 10000 - 20000
> idmap config MUM : schema_mode = rfc2307
> winbind offline logon = true
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind refresh tickets = true
> winbind nss info = rfc2307
> allow trusted domains = No
> username level = 3
>
> load printers = yes
> cups options = raw
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
> min receivefile size = 16384
>
> [share]
> comment = shared folder on stg1
> path = /stg1/share
> public = no
> writable = yes
> create mask = 0664
> directory mask = 0775
> printable = no
> admin users = administrator,it_admin
> nt acl support = yes
> delete readonly = yes
> oplocks = yes
> case sensitive = no
> veto files = /._*/.DS_Store/
> delete veto files = yes
> ea support = no
> store dos attributes = no
> --------------------------------------------------------------------
> *(I tried disabling - create mask, directory mask, nt acl support, ea
> support, store dos attributes - it didn't help.)*
>
> ZFS filesystem is mounted with 'casesensitvity=insensitive' option
to
> support MS Windows clients.
>
> ls -l
> --------------------------------------------------------------------
> drwxrwxr-x+ 2 root root 2 Jan 24 12:46 Work_Files/
> --------------------------------------------------------------------
>
> ACL Entries:
> --------------------------------------------------------------------
> # file: Work_Files/
> # owner: root
> # group: root
> user::rwx
> group::rwx
> group:aaa:r-x
> .
> .
> .
> group:bbb:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:group::rwx
> default:group:aaa:r-x
> .
> .
> .
> default:group:bbb:rwx
> default:mask::rwx
> default:other::r-x
> --------------------------------------------------------------------
>
>
> What could be the issue?
> Kindly suggest.
>
> Regards,
>
>
> Indivar Nair

On Thu, 17 Jul 2025 00:05:56 +0530
Indivar Nair via samba <samba at lists.samba.org> wrote:
> Hello ...,
> 
> We have a file server with ZFS filesystem, NFS and Samba services.
> Folder browsing through NFS works fine on Mac and on MS Windows
> clients. However, when we access it using SMB (Samba) on MS Windows
> clients, the browsing is very slow.
> Each folder takes at least 2 - 5 seconds to open. This happens even
> with folders with just a couple of files / subfolders inside.
> 
> We have no issues opening or copying files through SMB.
> 
> After investigating, we found that it is due to POSIX ACLs. If we
> remove the ACL entries, we are able to browse the folders quickly.
> We have a maximum of 7 ACL group entries only on any folder.
> We have joined the server to the AD Domain, and each user and group
> has a UID / GID configured on AD.
> 
> --------------------------------------------------------------------
> [global]
> 
> workgroup = MUM
> server string = stg1.mum.xxxxx.com
> 
> netbios name = STG1
> 
> log file = /var/log/samba/log.%m
> max log size = 50
> 
>         client signing = off
>         client use spnego = yes
>         kerberos method = system keytab
> 
>         security = ads
>         realm = MUM.XXXXX.COM
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000 - 7999
> idmap config MUM : backend = ad
> idmap config MUM : range = 10000 - 20000
> idmap config MUM : schema_mode = rfc2307
> winbind offline logon = true
> winbind enum users = Yes
> winbind enum groups = Yes
I wonder if it is because you have the totally unnecessary 'winbind
enum' lines set, could it be that winbind is looking up all the users
and groups ?
Try removing them, Samba will work without them.

Rowland