Very slow SMB speeds on macOS

Since I recently got a new Mac Pro (running Catalina 10.15.2), I connected it using 10 GBit Ethernet to my Debian 10 / Proxmox server.

When connecting to a share however, I am only getting 150-300 MB/s read/write performance.

Here's my current smb.conf:

[global]         
    netbios name = server         
    realm = MY.DOMAIN         
    security = ADS
    workgroup = MYDOMAIN

    wins server = my.domain.test

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    winbind nested groups = No


    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 10000-20000

    log file = /var/log/samba/log.%m
    log level = 1 
    printcap name = /etc/printcap
    load printers = no
    username map = etc/samba/user.map
    vfs objects = recycle acl_xattr catia fruit streams_xattr
    map acl inherit = yes
    store dos attributes = yes   
    oplocks = no

    # Enable the recycle bin
    recycle:repository = /tank/storage/.recycle/%U
    recycle:touch = Yes
    recycle:keeptree = Yes
    recycle:versions = Yes
    recycle:noversions = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
    recycle:exclude = *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP
    recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP

    # Apple
    fruit:aapl = yes
    fruit:encoding = native
    fruit:locking = none
    fruit:metadata = stream
    fruit:resource = file


[share1]         
    path = /tank/share1
    read only = no       
    valid users = @"MYDOMAIN\share1-Access"
[share2]
    path = /tank/share2
    read only = no
    valid users = @"MYDOMAIN\share2-Access"
[timemachine]
    path = /tank/timemachine
    read only = no
    valid users = @"MYDOMAIN\timemachine-Access"
    oplocks = no
    fruit:aapl = yes
    fruit:time machine = yes
[downloads]
    path = /tank/downloads
    read only = no
    valid users = @"MYDOMAIN\downloads-Acccess"
[cloud-backup]
    path = /tank/cloud-backup
    read only = no
    writeable = yes
    valid users = @"MYDOMAIN\cloud-backup-Access"

SMB sucks terribly on Macs, and always did. My advice: don't sweat it and simply install netatalk; you'll get 1GB/s without any trouble. Or use NFS, it will also hit 1GB/s without any problem. However Netatalk is the safest bet, some applications may behave strangely through NFS. Plus Netatalk behaves consistently like Samba for authentication, file permissions, etc.

I've even compared performance using "Hackintoshes": the same machine running Windows hits 900MB/s through SMB, but 250 MB/s running as a Mac; but it goes up to 1GB/s through Appleshare.

The implementation of SMB3 on macOS Big Sur and later has multichannel support (see this article). This helps improve performance quite a bit; however, prior to Samba 4.15, setting server multi channel support = Yes in your /etc/samba/smb.conf will result in panics each time a client with a mounted share reboots.

I have been using the following settings on my macOS clients (/etc/nsmb.conf) for a while:

signing_required = no
protocol_vers_map=6
port445=no_netbios

I also disable a lot in Samba that I don't need:

[global]
allow dns updates = disabled
client min protocol = SMB3_11
dcerpc endpoint servers = rpcecho
delete veto files = Yes
disable netbios = Yes
disable spoolss = Yes
dns forwarder = 192.168.1.1
dns proxy = No
enhanced browsing = No
# Next line requires catia (needed if no Windows clients?)
fruit:encoding = native
fruit:metadata = stream
# Do not use NFS access control entries
fruit:nfs_aces = No
# Enable extended attributes (requires streams_xattr)
fruit:resource = xattr
# Next line is already the default
;fruit:zero_file_id = Yes
host msdfs = No
inherit acls = Yes
inherit permissions = Yes
lm announce = No
load printers = No
log file = /var/log/samba/log.smbd
log level = 1
logging = file
max log size = 10000
# Next 2 lines defer mDNS config to Avahi (better for icon and Time Machine)
mdns name = mdns
multicast dns register = No
name resolve order = host bcast
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = "*New Password:*" %n\n "*Reenter New Password:*" %n\n "*Password changed.*"
passwd program = /usr/bin/passwd %u
printcap cache time = 0
printcap name = /dev/null
printable = No
printing = bsd
restrict anonymous = 2
rpc_daemon:spoolssd = disabled
rpc_server:epmapper = disabled
rpc_server:winreg = disabled
rpc_server:lsarpc = disabled
rpc_server:samr = disabled
rpc_server:netlogon = disabled
rpc_server:netdfs = disabled
rpc_server:dssetup = disabled
rpc_server:wkssvc = disabled
rpc_server:spoolss = disabled
rpc_server:svcctl = disabled
rpc_server:ntsvcs = disabled
rpc_server:eventlog = disabled
rpc_server:initshutdown = disabled
rpc_server:mdssvc = disabled
server max protocol = SMB3_11
server min protocol = SMB3_11
# Next line experimental until 4.15 - macOS clients support multi-channel SMB3
;server multi channel support = Yes
server role = standalone server
server services = rpc, smb
server string = %h server (Samba 4.13.14, Ubuntu 21.10)
show add printer wizard = No
smb ports = 445
unix password sync = Yes
use sendfile = Yes
veto files = /._*/.DS_Store/
vfs objects = catia fruit streams_xattr

[homes]
browseable = No
comment = Home Directory
fruit:time machine = No
guest ok = No
spotlight = No
valid users = %S
writable = Yes

[Backup]
comment = Time Machine
fruit:time machine = Yes
guest ok = No
path = /external/%U
spotlight = No
valid users = %U
writable = Yes

In the future, I plan to re-enable server multi channel support. Didn't feel like installing all the dependencies needed in order to compile Samba 4.15 from source.

BTW, I found this article to be interesting if you are using ZFS (as I suspect based on the directory names starting with tank/).