Solved

What is the most optimal samba config for speed and browsing?

Posted on 2011-02-14
Last Modified: 2013-12-02
I've read some expert advice (IT4SOHO at EE included) mentioning that if you have a Samba network with Win 2000 clients or later, you can use this in your smb.conf file:
smb ports = 445
Apparently this is more efficient (faster?) because the packets don't have the NetBIOS encapsulation overhead, and has helped some people minimise lag when accessing network shares.  Though some users reported setting smb ports to 139 helped too.

?Confused?
HERE IS MY SCENARIO
A single Samba server (samba-3.0.36-0.5.5) environment, which is a DNS server as well, with 2 x Win XP Pro, 2 x Vista and 2 x Win 7 Pro PCs... what is the most optimal setup for speed?
Is it recommended to disable netbios on all the pc's?
Should I bother with a WINS server (wins support = yes in smb.conf) at all?
If the server has an entry in dns then all the pc's can still access by name right, so why bother with WINS?
For performance, set smb ports = 445 in smb.conf. Right?

If I did have WINS turned on at the samba server, then to populate the WINS database, netbios needs to be enabled and all pc's pointed to it.  But in this case can I still use "smb ports = 445", or will that break browsing?



Question by:blokeman
9 Comments
 
LVL 14

Assisted Solution

by:pablouruguay
pablouruguay earned 100 total points
ID: 34950780
Disabling NetBIOS may increase the speed, but really only a little.
Disable WINS.

Here are 2 links about that.

https://calomel.org/samba_optimize.html 

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/speed.html
 

Author Comment

by:blokeman
ID: 34966747
Those links are pretty good, but none of them mention ports = 445.

So maybe the best way so far is to disable NetBIOS (and browsing), and use 'ports' on the server
In smb.conf:
disable netbios = yes
# we do not need netbios broadcasts for the windows shares so we can disable it. Our clients will be
# told where the share is located. Clients that only support netbios won't be able to see your samba
# server when netbios support is disabled.
ports = 445

and then also disable Netbios (and lmhosts lookup) on the Win pc's as well.  So then the only way they can resolve names is by DNS.

I suppose if netbios is disabled on Windows pc's then the netbios nodetype becomes irrelevant as well.

Anyone else with specific thoughts on the merit of using
ports 445

 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 34972505
Please read the article:

http://www.experts-exchange.com/A_3545.html

which explains some SAMBA settings to improve performance for Windows Vista/7 environments.

Dan
IT4SOHO

 

Author Comment

by:blokeman
ID: 34976832
Hi Dan
I had read that fantastic article previously.  You are a very concise and articulate writer!
I've now read it again, and have a question...

TURNING OFF THE OLD NETBIOS PORTS.
Is this best achieved just at the server with :
ports = 445
disable netbios = yes  <--- Is this even necessary if already using ports = 445?
Is it recommended to also disable NetBIOS on all the Windows pcs in their network control panel (under TCP/IP properties)?

With no netBIOS on the server or pc's then network browsing is not possible. Right?
So will this cause any problems?

 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 400 total points
ID: 34987534
blokeman,

First, thank you for the kind words in-re the article on Samba & SMB2.

With regards to your issue, I think that there is a basic misunderstanding -- so permit me to slip back into professor mode for a moment, because I think many of your assumptions are incorrect.

Specifically, NetBIOS was not REPLACED by SMB, rather it was upgraded to (or evolved into) SMB.

The SMB protocol (that uses port 445) retains all of the same functionality as NetBIOS (except, perhaps, its connectionlessness and layer-2 protocol ambivalence) -- INCLUDING retaining the Microsoft "Browsing" functionality.

So disabling ports 137-139 and NetBIOS over TCP/IP will NOT accomplish your goal, if that goal is to prevent network browsing.

If I'm to assume that you want to disable network browsing on your LAN, there are 2 things to consider:
 1) There is a "browsing = [yes/no]" option for each share that can tell Samba NOT to allow browsing to that share, but I am not aware of any OTHER way to turn off computer browsing from the server.
 2) Unless you employ AD (that's a new article I'm writing -- deploying a Windows AD server as a XEN virtual machine in an otherwise all-Linux environment), you have no way of restricting Windows Clients from browsing - at least not while maintaining a way to access an SMB share.

OK -- Professor mode off --

Your original question is asking about optimizing Samba -- and particularly, dealing with long LAG times. Which is why I pointed to my article.

First: Using Samba 3.0 (or anything prior to 3.5) will get you access to SMB1, but not SMB2 protocols. Either will allow NetBIOS if you turn it on, but only Samba 3.5 and later supports SMB2 -- which is necessary for long-lag support.

Second: NetBIOS uses ports 137-139, SMB uses 445.
 - A connection using ports 137-139 is using NetBIOS -- on virtually any Windows or Linux system
 - A connection on port 445 is using SMB (either 1 or 2).
Thus, turn off your responses on Ports 137-139 (iptables in addition to smb.conf?) and you're not going to permit NetBIOS connections to that system.

Third: Lag times are a problem for both NetBIOS and SMB1 -- an attempted resolution is an SMB2 improvement
 - SMB2 is used in Windows Vista, 7, and Server 2008
 - SMB2 is used in Samba 3.5 and higher (including current beta versions of Samba 4)

Last: If you upgrade to Samba 3.5, your Windows 2000, XP, and Server 2003 systems will still be able to use SMB1, but your Vista, 7, & Server 2008 systems will also be able to use SMB2 -- there is no issue with supporting both on the same LAN.

So -
1) To enable better long-lag sensitivity and performance, upgrade to Samba 3.5
2) To eliminate the possibility of accidentally falling back to NetBIOS, disable ports 137-139 (actually the default for Samba 3.5 and up) -- but there is no way to prevent falling back from SMB2 to SMB1 -- they're on the same port & if they negotiate to SMB1 then so be it!
3) If you do NOT upgrade Samba to 3.5 or higher, your Windows Vista, 7, & Server 2008 systems will always negotiate to SMB1. Windows 7 and Server 2008 will not negotiate to NetBIOS unless you specifically allow it -- not in network connections, but in the registry!

I hope this answers your questions more clearly.

Dan
IT4SOHO
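
An added example, not part of the thread or of Samba itself: a small Python check that reads the [global] section of an smb.conf and reports the settings discussed above (smb ports, disable netbios, wins support). It assumes the documented default of smb ports = 445 139 when the parameter is absent; the function names and sample configurations are constructed for illustration.

```python
import re

# Documented smb.conf default used when "smb ports" is absent (assumption, see lead-in).
DEFAULT_SMB_PORTS = [445, 139]
TRUE_WORDS = {"yes", "true", "on", "1"}

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section, pending = {}, "", ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def netbios_exposure(conf_text):
    """Report the NetBIOS-related settings discussed in the thread for one smb.conf."""
    g = parse_global(conf_text)
    ports = [int(p) for p in re.split(r"[,\s]+", g.get("smbports", "")) if p.isdigit()]
    ports = ports or list(DEFAULT_SMB_PORTS)
    netbios_off = g.get("disablenetbios", "no").lower() in TRUE_WORDS
    wins = g.get("winssupport", "no").lower() in TRUE_WORDS
    findings = []
    if 139 in ports:
        findings.append("smb ports includes 139 (NetBIOS session service)")
    if not netbios_off:
        findings.append("disable netbios is not set (UDP 137/138 name and datagram services)")
    if wins and netbios_off:
        findings.append("wins support = yes conflicts with disable netbios = yes")
    return {"smb_ports": ports, "netbios_disabled": netbios_off, "findings": findings}

# Constructed sample configurations, not taken from the thread.
LEGACY = "[global]\n  workgroup = EXAMPLE\n[data]\n  smb ports = 445\n"
DIRECT_ONLY = "[global]\n  SMB Ports = 445\n  disable netbios = yes\n"

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("direct-only", DIRECT_ONLY)):
        print(name, netbios_exposure(conf))
```

In the LEGACY sample the smb ports line sits in a share section, so it is not read as a global setting and the default port list applies.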
 

Author Comment

by:blokeman
ID: 34993900
Thanks Dan.  Your experience and knowledge on this is excellent.

So a Samba upgrade is on the cards for sure with ports = 445.

Dan, just one last query re your statement:
The SMB protocol (that uses port 445) retains all of the same functionality as NetBIOS [...] -- INCLUDING retaining the Microsoft "Browsing" functionality.
With NetBIOS, I did assume that it alone was responsible for enabling browsing, because of the way that it allows broadcasts or the use of WINS servers to obtain a list of NetBIOS hosts on the network.  By this I mean the list of PCs and servers which can be viewed in Network Neighborhood from a Windows PC.  Yet since Win 2000, NetBIOS is not needed because of Active Directory (AD) and its integrated DNS.  So without an AD server, how do PCs in a Samba (SMB2) network obtain a list of computers in their domain (and Network Neighborhood)?
 

Author Comment

by:blokeman
ID: 34993965
Further to my last comment... Thinking a bit more, maybe in an SMB2 Samba 3.5+ network, this browse list functionality is all coming with Samba 4 and its AD capabilities.  So for now, do Windows clients (on Samba SMB2) need to know the host name (as opposed to Network Neighborhood) to browse shared resources on that host?  For example by using \\hostname in Windows Explorer.
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 400 total points
ID: 34994596
blokeman,

WINS and the network browser are still very much alive -- in fact, in SMB2 it's even more active (ever looked at the Windows 7 Home Network?)

Microsoft has a KB article that, from a reasonably high level, describes the evolution of the browser function.
http://support.microsoft.com/kb/188001

The ONLY real difference is that in SMB, instead of the browser service listening on port UDP 137 (the Name Resolution Port in NetBIOS), it listens on UDP Port 445 -- the same port it listens for data being transmitted.

You are correct that in AD, there is not the same need for a "browser" function -- but with AD (just as with PDCs in WinNT), the only real difference is that there isn't an "election" for a browser master -- the AD server (or the PDC) automatically wins the "election"! There is an AD command to list the other computers in the domain -- and its format isn't all that different from the NetBIOS query for the Master Browser to list its "detected" systems!

I must admit I'm a bit confused... are you still trying to optimize samba (or SMB), or are you looking at a security concern?

Dan
IT4SOHO
 

Author Comment

by:blokeman
ID: 34994801
No particular security issue in mind, I just want to optimise Samba for speed and browsing.

As it looks like using port 445 (SMB2) will provide both speed improvements and browsing functionality, then that is the configuration I'll implement.  I will just read up a bit more on the WINS side of things and enable that on the server.

Thanks again!
