Solved

What is the most optimal samba config for speed and browsing?

Posted on 2011-02-14
Last Modified: 2013-12-02
I've read some experts' advice (IT4SOHO at EE included) mentioning that if you have a samba network with Win 2000 clients or later then you can use this in your smb.conf file.
smb ports = 445
Apparently this is more efficient (faster?) because the packets don't have the NetBIOS encapsulation overhead, and has helped some people minimise lag when accessing network shares.  Though some users reported setting smb ports to 139 helped too.

?Confused?
HERE IS MY SCENARIO
A single samba server (samba-3.0.36-0.5.5) environment which is a dns server as well, 2 x Win XP Pro, 2 x Vista and 2 x Win 7 Pro pc's... What is the most optimal setup for speed?
Is it recommended to disable netbios on all the pc's?
Should I bother with a WINS server (wins support = yes in smb.conf) at all?
If the server has an entry in dns then all the pc's can still access by name right, so why bother with WINS?
For performance, set smb ports = 445 in smb.conf. Right?

If I did have WINS turned on at the samba server, then to populate the WINS database, netbios needs to be enabled and all pc's pointed to it.  But in this case can I still use "smb ports = 445", or will that break browsing?



0
Question by:blokeman
9 Comments
 
LVL 14

Assisted Solution

by:pablouruguay
pablouruguay earned 100 total points
Disabling NetBIOS may increase the speed, but really only a little.
Disable WINS.

Here are 2 links that refer to that.

https://calomel.org/samba_optimize.html

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/speed.html
0
 

Author Comment

by:blokeman
Those links are pretty good, but none of them mention ports = 445.

So maybe the best way so far is to disable NetBIOS (and browsing), and use 'ports' on the server
In smb.conf:
disable netbios = yes
# we do not need netbios broadcasts for the windows shares so we can disable it. Our clients will be
# told where the share is located. Clients that only support netbios won't be able to see your samba
# server when netbios support is disabled.
ports = 445

and then also disable Netbios (and lmhosts lookup) on the Win pc's as well.  So then the only way they can resolve names is by DNS.

I suppose if netbios is disabled on Windows pc's then the netbios nodetype becomes irrelevant as well.

Anyone else with specific thoughts on the merit of using
ports 445

0
 
LVL 20

Expert Comment

by:Daniel McAllister
Please read the article:

http://www.experts-exchange.com/A_3545.html

which explains some SAMBA settings to improve performance for Windows Vista/7 environments.

Dan
IT4SOHO
0
 

Author Comment

by:blokeman
Hi Dan
I had read that fantastic article previously.  You are a very concise and articulate writer!
I've now read it again, and have a question...

TURNING OFF THE OLD NETBIOS PORTS.
Is this best achieved just at the server with :
ports = 445
disable netbios = yes  <--- Is this even necessary if already using ports = 445?
Is it recommended to also disable NetBIOS on all the Windows pcs in their network control panel (under TCP/IP properties)?

With no netBIOS on the server or pc's then network browsing is not possible. Right?
So will this cause any problems?

0

 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 400 total points
blokeman,

First, thank you for the kind words in-re the article on Samba & SMB2.

With regards to your issue, I think that there is a basic misunderstanding -- so permit me to slip back into professor mode for a moment, because I think many of your assumptions are incorrect.

Specifically, NetBIOS was not REPLACED by SMB, rather it was upgraded to (or evolved into) SMB.

The SMB protocol (that uses port 445) retains all of the same functionality as NetBIOS (except, perhaps, its connectionlessness and layer-2 protocol ambivalence) -- INCLUDING retaining the Microsoft "Browsing" functionality.

So disabling ports 137-139 and NetBIOS over TCP/IP will NOT accomplish your goal, if that goal is to prevent network browsing.

If I'm to assume that you want to disable network browsing on your LAN, there are 2 things to consider:
 1) There is a "browsing = [yes/no]" option for each share that can tell Samba NOT to allow browsing to that share, but I am not aware of any OTHER way to turn off computer browsing from the server.
 2) Unless you employ AD (that's a new article I'm writing -- deploying a Windows AD server as a XEN virtual machine in an otherwise all-Linux environment), you have no way of restricting Windows Clients from browsing - at least not while maintaining a way to access an SMB share.

OK -- Professor mode off --

Your original question is asking about optimizing Samba -- and particularly, dealing with long LAG times. Which is why I pointed to my article.

First: Using Samba 3.0 (or anything prior to 3.5) will get you access to SMB1, but not SMB2 protocols. Either will allow NetBIOS if you turn it on, but only Samba 3.5 and later supports SMB2 -- which is necessary for long-lag support.

Second: NetBIOS uses ports 137-139, SMB uses 445.
 - A connection using ports 137-139 is using NetBIOS -- on virtually any Windows or Linux system
 - A connection on port 445 is using SMB (either 1 or 2).
Thus, turn off your responses on Ports 137-139 (iptables in addition to smb.conf?) and you're not going to permit NetBIOS connections to that system.

Third: Lag times are a problem for both NetBIOS and SMB1 -- an attempted resolution is an SMB2 improvement
 - SMB2 is used in Windows Vista, 7, and Server 2008
 - SMB2 is used in Samba 3.5 and higher (including current beta versions of Samba 4)

Last: If you upgrade to Samba 3.5, your Windows 2000, XP, and Server 2003 systems will still be able to use SMB1, but your Vista, 7, & Server 2008 systems will also be able to use SMB2 -- there is no issue with supporting both on the same LAN.

So -
1) To enable better long-lag sensitivity and performance, upgrade to Samba 3.5
2) To eliminate the possibility of accidentally falling back to NetBIOS, disable ports 137-139 (actually the default for Samba 3.5 and up) -- but there is no way to prevent falling back from SMB2 to SMB1 -- they're on the same port & if they negotiate to SMB1 then so be it!
3) If you do NOT upgrade Samba to 3.5 or higher, your Windows Vista, 7, & Server 2008 systems will always negotiate to SMB1. Windows 7 and Server 2008 will not negotiate to NetBIOS unless you specifically allow it -- not in network connections, but in the registry!

I hope this answers your questions more clearly.

Dan
IT4SOHO
0
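An added example (not part of the original thread, and not Samba's own code) for checking the point made in the answer above: which NetBIOS-related settings an smb.conf actually leaves enabled. It assumes the documented defaults `smb ports = 445 139` and `disable netbios = no`, and that a bare `ports` key is not a synonym for `smb ports`; the sample configs are constructed.

```python
# Audit the [global] section of an smb.conf for NetBIOS exposure.
SMB_PORTS_DEFAULT = "445 139"            # default per smb.conf(5)
TRUE_WORDS = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts


def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.split()).lower()


def parse_global(text):
    """Return {normalised name: value} for [global].

    Backslash line continuations are not handled.
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params


def audit(text):
    p = parse_global(text)
    ports = p.get("smbports", SMB_PORTS_DEFAULT).replace(",", " ").split()
    netbios = p.get("disablenetbios", "no").lower() not in TRUE_WORDS
    findings = []
    if "139" in ports:
        findings.append("smb ports includes 139 (NetBIOS session service)")
    if netbios:
        findings.append("NetBIOS support enabled (UDP 137/138 name and browse traffic)")
    if "ports" in p and "smbports" not in p:
        # Assumption: a bare 'ports' key is not a synonym for 'smb ports'.
        findings.append("'ports' is set but 'smb ports' is not; default applies")
    return {"tcp_ports": ports, "netbios": netbios, "findings": findings}


# Constructed samples, not taken from a real server.
AS_POSTED = "[global]\n  disable netbios = yes\n  ports = 445\n"
DIRECT_ONLY = "[global]\n  Disable NetBIOS = Yes\n  smb ports = 445\n"

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("direct only", DIRECT_ONLY)):
        print(name, audit(conf))
```

On a live server, `testparm -s` prints the configuration Samba actually loaded and is the authoritative check.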
 

Author Comment

by:blokeman
Thanks Dan.  Your experience and knowledge on this is excellent.

So a Samba upgrade is on the cards for sure with ports = 445.

Dan, just one last query re your statement:
The SMB protocol (that uses port 445) retains all of the same functionality as NetBIOS [...] -- INCLUDING retaining the Microsoft "Browsing" functionality.
With NetBIOS, I did assume that it alone was responsible for enabling browsing, because of the way that it allows broadcasts or the use of WINS servers to obtain a list of NetBIOS hosts on the network.  By this I mean the list of PCs and servers which can be viewed in Network Neighborhood from a Windows PC.  Yet since Win 2000, NetBIOS is not needed because of Active Directory (AD) and its integrated DNS.  So without an AD server, how do PCs in a samba (SMB2) network obtain a list of computers in their domain (and Network Neighborhood)?
0
 

Author Comment

by:blokeman
Further to my last comment... Thinking a bit more, maybe in a SMB2 Samba 3.5+ network, this browse list functionality is all coming with Samba 4 and its AD capabilities.  So for now, do Windows clients (on Samba SMB2) need to know the host name (as opposed to Network Neighborhood) to browse shared resources on that host?  For example by using \\hostname in Windows Explorer.
0
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 400 total points
blokeman,

WINS and the network browser are still very much alive -- in fact, in SMB2 it's even more active (ever looked at the Windows 7 Home Network?)

Microsoft has a KB article that, from a reasonably high level, describes the evolution of the browser function.
http://support.microsoft.com/kb/188001

The ONLY real difference is that in SMB, instead of the browser service listening on port UDP 137 (the Name Resolution Port in NetBIOS), it listens on UDP Port 445 -- the same port it listens for data being transmitted.

You are correct that in AD, there is not the same need for a "browser" function -- but with AD (just as with PDCs in WinNT), the only real difference is that there isn't an "election" for a browser master -- the AD server (or the PDC) automatically wins the "election"! There is an AD command to list the other computers in the domain -- and its format isn't all that different from the NetBIOS query for the Master Browser to list its "detected" systems!

I must admit I'm a bit confused... are you still trying to optimize samba (or SMB), or are you looking at a security concern?

Dan
IT4SOHO
0
 

Author Comment

by:blokeman
No particular security issue in mind, I just want to optimise Samba for speed and browsing.

As it looks like using port 445 (SMB2) will provide both speed improvements and browsing functionality, then that is the configuration I'll implement.  I will just read up a bit more on the WINS side of things and enable that on the server.

Thanks again!

0
