Suggestions for LAN shares only

I’m trying to decide the best way to share my media drives on my Proxmox server (currently have Samaba set up with a password share) over my LAN only. Plex has its own path through firewall so I’m not concerned about sharing in any other way.
1.) Is samba the best protocal to share as I have a mixed network of machines between Linux flavors and Windows (I do have slow transfers from Linux distros to the server from time to time that are only 1/6th the full speed of the network)?
2.) Is it safe for me to add mac addresses or IP`s to a safe client list to limit access to only my machines and remove password requirements?
3.) If I create a separate vlan could that be isolated from access to the internet and that’s where I could freely share the drives?

While most of the data is harmless, some is very important and sensitive data. I would just like some input on a direction to go that makes sense and is the best way to organize these shares.

Thanks for taking the time to read this.

  1. Generally yes. If you’re not getting the performance you want, probably the samba configuration options chosen are wrong for what you need, or your hardware is not powerful enough to run samba with options you’ve chosen.

Samba runs on proxmox or in a VM?
What kind of hardware are you using?

  1. Any device on your ethernet or wifi network can choose to use any mac address or ip address. So, generally, no.

  2. Any device on any lan or VLAN you create will be isolated from the internet or from other devices by your router(s), and by any other device you connect then too. In general, it’s enough to drop traffic to tcp ports that samba uses via a firewall to prevent access to it. You might not be able to filter traffic like that over a dumb switch or a low end L2/L3 managed switch - having VLANs can allow you to force traffic through a firewall on your router that can do that kid of filtering.

This is my setup here on this website for the home server hardware. The one I am having trouble with speed of uploads only is my Asrock x300 desktop mini with a Ryzen 5 pro 4650G. With windows it uploads at full speed roughly 65 MBs, but in Linux on the same machine with dual boot it only uploads at roughly 16MBs. I can download with either OS from server at 100 to 110Mbs.

Samba is running directly on proxmox. I used a guide from here to set it up. I think I quoted it in my build log.

Smells like Samba settings, possibly something around aio, protocol versions, and caching/write buffering. I think either configuration is wrong somehow or proxmox ships with a samba server with such default options compiled in that end up choking the performance.

Samba usually ships with a utility called testparm, which can read the config and dump it as smbd would be interpreting it, including all the parameters that smb.conf doesn’t set and that would be baked in defaults.

Could you run testparm -v /etc/samba/smb.conf … and share it here - making sure to sanitize the path/share/usernames if they’re personally identifiable, and use the details bbcode tags or one of the pastebins to share it in a forum friendly way.

That way we can all compare the config with the manual together.

1 Like

Here are the results from testparm -v on the Proxmox Samba Server

sudo testparm -v 
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.

Press enter to see a dump of your service definitions

# Global parameters
	abort shutdown script = 
	add group script = 
	add machine script = 
	addport command = 
	addprinter command = 
	add share command = 
	add user script = 
	add user to group script = 
	afs token lifetime = 604800
	afs username map = 
	aio max threads = 100
	algorithmic rid base = 1000
	allow dcerpc auth level connect = No
	allow dns updates = secure only
	allow insecure wide links = No
	allow nt4 crypto = No
	allow trusted domains = Yes
	allow unsafe cluster upgrade = No
	apply group policies = No
	async smb echo handler = No
	auth event notification = No
	auto services = 
	binddns dir = /var/lib/samba/bind-dns
	bind interfaces only = No
	browse list = Yes
	cache directory = /var/cache/samba
	change notify = Yes
	change share command = 
	check password script = 
	cldap port = 389
	client ipc max protocol = default
	client ipc min protocol = default
	client ipc signing = default
	client lanman auth = No
	client ldap sasl wrapping = sign
	client max protocol = default
	client min protocol = CORE
	client NTLMv2 auth = Yes
	client plaintext auth = No
	client schannel = Yes
	client signing = default
	client use spnego principal = No
	client use spnego = Yes
	cluster addresses = 
	clustering = No
	config backend = file
	config file = 
	create krb5 conf = Yes
	ctdbd socket = 
	ctdb locktime warn threshold = 0
	ctdb timeout = 0
	cups connection timeout = 30
	cups encrypt = No
	cups server = 
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
	deadtime = 0
	debug class = No
	debug hires timestamp = Yes
	debug pid = No
	debug prefix timestamp = No
	debug uid = No
	dedicated keytab file = 
	default service = 
	defer sharing violations = Yes
	delete group script = 
	deleteprinter command = 
	delete share command = 
	delete user from group script = 
	delete user script = 
	dgram port = 138
	disable netbios = No
	disable spoolss = No
	dns forwarder = 
	dns proxy = Yes
	dns update command = /usr/sbin/samba_dnsupdate
	dns zone scavenging = No
	domain logons = No
	domain master = Auto
	dos charset = CP850
	dsdb event notification = No
	dsdb group change notification = No
	dsdb password event notification = No
	enable asu support = No
	enable core files = Yes
	enable privileges = Yes
	encrypt passwords = Yes
	enhanced browsing = Yes
	enumports command = 
	eventlog list = 
	get quota command = 
	getwd cache = Yes
	gpo update command = /usr/sbin/samba-gpupdate
	guest account = nobody
	homedir map = auto.home
	host msdfs = Yes
	hostname lookups = No
	idmap backend = tdb
	idmap cache time = 604800
	idmap gid = 
	idmap negative cache time = 120
	idmap uid = 
	include system krb5 conf = Yes
	init logon delay = 100
	init logon delayed hosts = 
	interfaces = 
	iprint server = 
	keepalive = 300
	kerberos encryption types = all
	kerberos method = default
	kernel change notify = Yes
	kpasswd port = 464
	krb5 port = 88
	lanman auth = No
	large readwrite = Yes
	ldap admin dn = 
	ldap connection timeout = 2
	ldap debug level = 0
	ldap debug threshold = 10
	ldap delete dn = No
	ldap deref = auto
	ldap follow referral = Auto
	ldap group suffix = 
	ldap idmap suffix = 
	ldap machine suffix = 
	ldap page size = 1000
	ldap passwd sync = no
	ldap replication sleep = 1000
	ldap server require strong auth = Yes
	ldap ssl = start tls
	ldap ssl ads = No
	ldap suffix = 
	ldap timeout = 15
	ldap user suffix = 
	lm announce = Auto
	lm interval = 60
	load printers = Yes
	local master = Yes
	lock directory = /var/run/samba
	lock spin time = 200
	log file = /var/log/samba/log.%m
	logging = file
	log level = 2
	log nt token command = 
	logon drive = 
	logon home = \\%N\%U
	logon path = \\%N\%U\profile
	logon script = 
	log writeable files on exit = No
	lpq cache time = 30
	lsa over netlogon = No
	machine password timeout = 604800
	mangle prefix = 1
	mangling method = hash2
	map to guest = Bad User
	max disk size = 0
	max log size = 1000
	max mux = 50
	max open files = 16384
	max smbd processes = 0
	max stat cache size = 256
	max ttl = 259200
	max wins ttl = 518400
	max xmit = 16644
	mdns name = netbios
	message command = 
	min receivefile size = 0
	min wins ttl = 21600
	mit kdc command = 
	multicast dns register = Yes
	name cache timeout = 660
	name resolve order = lmhosts wins host bcast
	nbt client socket address =
	nbt port = 137
	ncalrpc dir = /var/run/samba/ncalrpc
	netbios aliases = 
	netbios name = 
	netbios scope = 
	neutralize nt4 emulation = No
	NIS homedir = No
	nmbd bind explicit broadcast = Yes
	nsupdate command = /usr/bin/nsupdate -g
	ntlm auth = ntlmv2-only
	nt pipe support = Yes
	ntp signd socket directory = /var/lib/samba/ntp_signd
	nt status support = Yes
	null passwords = No
	obey pam restrictions = Yes
	old password allowed period = 60
	oplock break wait time = 0
	os2 driver map = 
	os level = 20
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passdb backend = tdbsam
	passdb expand explicit = No
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd chat debug = No
	passwd chat timeout = 2
	passwd program = /usr/bin/passwd %u
	password hash gpg key ids = 
	password hash userPassword schemes = 
	password server = *
	perfcount module = 
	pid directory = /var/run/samba
	preferred master = Auto
	prefork children = 1
	preload modules = 
	printcap cache time = 750
	printcap name = 
	private dir = /var/lib/samba/private
	raw NTLMv2 auth = No
	read raw = Yes
	realm = 
	registry shares = No
	reject md5 clients = No
	reject md5 servers = No
	remote announce = 
	remote browse sync = 
	rename user script = 
	require strong key = Yes
	reset on zero vc = No
	restrict anonymous = 0
	rndc command = /usr/sbin/rndc
	root directory = 
	rpc big endian = No
	rpc server dynamic port range = 49152-65535
	rpc server port = 0
	samba kcc command = /usr/sbin/samba_kcc
	security = AUTO
	server max protocol = SMB3
	server min protocol = LANMAN1
	server multi channel support = No
	server role = standalone server
	server schannel = Yes
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
	server signing = default
	server string = Samba 4.9.5-Debian
	set primary group script = 
	set quota command = 
	share backend = classic
	show add printer wizard = Yes
	shutdown script = 
	smb2 leases = Yes
	smb2 max credits = 8192
	smb2 max read = 8388608
	smb2 max trans = 8388608
	smb2 max write = 8388608
	smbd profiling level = off
	smb passwd file = /etc/samba/smbpasswd
	smb ports = 445 139
	socket options = TCP_NODELAY
	spn update command = /usr/sbin/samba_spnupdate
	stat cache = Yes
	state directory = /var/lib/samba
	svcctl list = 
	syslog = 1
	syslog only = No
	template homedir = /home/%D/%U
	template shell = /bin/false
	time server = No
	timestamp logs = Yes
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls crlfile = 
	tls dh params file = 
	tls enabled = Yes
	tls keyfile = tls/key.pem
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = as_strict_as_possible
	unicode = Yes
	unix charset = UTF-8
	unix extensions = Yes
	unix password sync = Yes
	use mmap = Yes
	username level = 0
	username map = 
	username map cache time = 0
	username map script = 
	usershare allow guests = Yes
	usershare max shares = 100
	usershare owner only = Yes
	usershare path = /var/lib/samba/usershares
	usershare prefix allow list = 
	usershare prefix deny list = 
	usershare template share = 
	utmp = No
	utmp directory = 
	web port = 901
	winbind cache time = 300
	winbindd socket directory = /var/run/samba/winbindd
	winbind enum groups = No
	winbind enum users = No
	winbind expand groups = 0
	winbind max clients = 200
	winbind max domain connections = 1
	winbind nested groups = Yes
	winbind normalize names = No
	winbind nss info = template
	winbind offline logon = No
	winbind reconnect delay = 30
	winbind refresh tickets = No
	winbind request timeout = 60
	winbind rpc only = No
	winbind scan trusted domains = Yes
	winbind sealed pipes = Yes
	winbind separator = \
	winbind use default domain = No
	wins hook = 
	wins proxy = No
	wins server = 
	wins support = No
	workgroup = 
	write raw = Yes
	wtmp directory = 
	idmap config * : backend = tdb
	access based share enum = No
	acl allow execute always = No
	acl check permissions = Yes
	acl group control = No
	acl map full control = Yes
	administrative share = No
	admin users = 
	afs share = No
	aio read size = 1
	aio write behind = 
	aio write size = 1
	allocation roundup size = 1048576
	available = Yes
	blocking locks = Yes
	block size = 1024
	browseable = Yes
	case sensitive = Auto
	check parent directory delete on close = No
	comment = 
	copy = 
	create mask = 0744
	csc policy = manual
	cups options = 
	default case = lower
	default devmode = Yes
	delete readonly = No
	delete veto files = No
	dfree cache time = 0
	dfree command = 
	directory mask = 0755
	directory name cache size = 100
	dmapi support = No
	dont descend = 
	dos filemode = No
	dos filetime resolution = No
	dos filetimes = Yes
	durable handles = Yes
	ea support = Yes
	fake directory create times = No
	fake oplocks = No
	follow symlinks = Yes
	force create mode = 0000
	force directory mode = 0000
	force group = 
	force printername = No
	force unknown acl user = No
	force user = 
	fstype = NTFS
	guest ok = No
	guest only = No
	hide dot files = Yes
	hide files = 
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	hosts allow = 
	hosts deny = 
	include = 
	inherit acls = No
	inherit owner = no
	inherit permissions = No
	invalid users = 
	kernel oplocks = No
	kernel share modes = Yes
	level2 oplocks = Yes
	locking = Yes
	lppause command = 
	lpq command = %p
	lpresume command = 
	lprm command = 
	magic output = 
	magic script = 
	mangled names = yes
	mangling char = ~
	map acl inherit = No
	map archive = Yes
	map hidden = No
	map readonly = no
	map system = No
	max connections = 0
	max print jobs = 1000
	max reported print jobs = 0
	min print space = 0
	msdfs proxy = 
	msdfs root = No
	msdfs shuffle referrals = No
	nt acl support = Yes
	ntvfs handler = unixuid, default
	oplocks = Yes
	path = 
	posix locking = Yes
	postexec = 
	preexec = 
	preexec close = No
	preserve case = Yes
	printable = No
	print command = 
	printer name = 
	printing = cups
	printjob username = %U
	print notify backchannel = No
	queuepause command = 
	queueresume command = 
	read list = 
	read only = Yes
	root postexec = 
	root preexec = 
	root preexec close = No
	short preserve case = Yes
	smb encrypt = default
	spotlight = No
	store dos attributes = Yes
	strict allocate = No
	strict locking = Auto
	strict rename = No
	strict sync = Yes
	sync always = No
	use client driver = No
	use sendfile = No
	valid users = 
	veto files = 
	veto oplock files = 
	vfs objects = 
	volume = 
	wide links = No
	write cache size = 0
	write list =

One thing that stands out was the minimum protocol now that I’m readin through the text…but I’m still learning so not sure if it matters.

Also, hope I sanitized enough data lol

Try toggling as a test

Enlarge to at least 4K, shouldn’t matter but you never know.

Make this SMB3 or SMB2(15 years old).

Enable, it doesn’t hurt.

You could test with no just for fun.

It’s possible that tcp buffers might need tuning to allow the kernel to buffer more data in the tcp socket for samba, between samba waking up and reading it, if you haven’t already make tcp.rmem_max to at least 1MiB - on a gigabit network this gives 10ms worth of time for samba to do other things while network data trickles in.

Iperf3 doesn’t have as much to do - it might be fine with smaller buffers whereas samba might need more

Check iostat -x or atop , they’ll report the per operation delay and throughput of your disks. You should see numbers that indicate parallelism, e.g. some idle time, 1-2ms per write, 1000+ writes per second

1 Like
aio write behind =
block size = 4096
server min protocol = SMB3
use sendfile = True
strict sync = No

strict allocate = Yes
read raw = Yes
write raw = Yes
server signing = No
strict locking = No
#min receivefile size = 16384
#aio read size = 16384
#aio write size = 16384

Here is what I have been playing with for settings. When I enable the line for “min received file size” my uplaod speed from Ubuntu to the Proxmox server cuts in half to 6 MiB/s from 16 MiB’s. I am getting good reads on my disk array (RAID 10) 7200RPM drives, and I/O delay is almost 0 to 1.2 the whole transfer. Its not a huge issue, but I’d like to find out why. Is there a possibility I need to change something with the client system (Ubuntu), because windows is working fine?